From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 10 Jul 2023 02:42:23 +0000 (+1200)
Subject: ndr_string: Add overflow check in ndr_pull_charset_to_null()
X-Git-Tag: tevent-0.16.0~1234
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a2604bfb301879bbaa4747a2d6196b10c0ef3c3;p=thirdparty%2Fsamba.git

ndr_string: Add overflow check in ndr_pull_charset_to_null()

This matches ndr_pull_charset().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index b2f965c9d43..783e11be334 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -722,6 +722,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset_to_null(struct ndr_pull *ndr, int nd
 		chset = CH_UTF16BE;
 	}
 
+	if ((byte_mul != 0) && (length > UINT32_MAX/byte_mul)) {
+		return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, "length overflow");
+	}
 	NDR_PULL_NEED_BYTES(ndr, length*byte_mul);
 
 	str_len = ndr_string_n_length(ndr->data+ndr->offset, length, byte_mul);