From: Gary Lockyer
Date: Fri, 24 Jan 2020 02:21:47 +0000 (+1300)
Subject: librpc ndr tests: uint32 overflow in NDR_PULL_ALIGN
X-Git-Tag: ldb-2.1.1~152
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46edde8647810790141a685cea5d139c0784eab0;p=thirdparty%2Fsamba.git

librpc ndr tests: uint32 overflow in NDR_PULL_ALIGN

Check that uint32 overflow is handled correctly by NDR_NEED_BYTES.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer
Reviewed-by: Andrew Bartlett
---

diff --git a/librpc/tests/test_ndr.c b/librpc/tests/test_ndr.c
index 1c074d71023..a2a3834385d 100644
--- a/librpc/tests/test_ndr.c
+++ b/librpc/tests/test_ndr.c
@@ -73,10 +73,44 @@ static void test_NDR_PULL_NEED_BYTES(void **state)
 	assert_int_equal(NDR_ERR_BUFSIZE, err);
 }
 
+/*
+ * Test NDR_PULL_ALIGN integer overflow handling.
+ */
+static enum ndr_err_code wrap_NDR_PULL_ALIGN(
+	struct ndr_pull *ndr,
+	uint32_t bytes) {
+
+	NDR_PULL_ALIGN(ndr, bytes);
+	return NDR_ERR_SUCCESS;
+}
+
+static void test_NDR_PULL_ALIGN(void **state)
+{
+	struct ndr_pull ndr = {0};
+	enum ndr_err_code err;
+
+	ndr.data_size = UINT32_MAX;
+	ndr.offset = UINT32_MAX -1;
+
+	/*
+	 * This will not cause an overflow
+	 */
+	err = wrap_NDR_PULL_ALIGN(&ndr, 2);
+	assert_int_equal(NDR_ERR_SUCCESS, err);
+
+	/*
+	 * This will cause an overflow
+	 * and (offset + n) will be less than data_size
+	 */
+	err = wrap_NDR_PULL_ALIGN(&ndr, 4);
+	assert_int_equal(NDR_ERR_BUFSIZE, err);
+}
+
 int main(int argc, const char **argv)
 {
 	const struct CMUnitTest tests[] = {
 		cmocka_unit_test(test_NDR_PULL_NEED_BYTES),
+		cmocka_unit_test(test_NDR_PULL_ALIGN),
 	};
 
 	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
diff --git a/selftest/knownfail.d/bug-14236 b/selftest/knownfail.d/bug-14236
index 64b956997a6..343a7ec6f15 100644
--- a/selftest/knownfail.d/bug-14236
+++ b/selftest/knownfail.d/bug-14236
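Review bot: The overflow assertion in test_NDR_PULL_ALIGN silently depends on the preceding wrap_NDR_PULL_ALIGN(&ndr, 2) call leaving ndr.offset at UINT32_MAX - 1, which presumably holds only because that value is already 2-byte aligned; if the align path ever advanced the offset, the 4-byte case would run from a different starting state and the failure would not point at the cause. Pin the precondition between the two calls with `assert_int_equal(UINT32_MAX - 1, ndr.offset);`, or re-assign `ndr.offset = UINT32_MAX - 1;` immediately before the 4-byte call so each case stands on its own. Two style nits in the same hunk: `ndr.offset = UINT32_MAX -1;` should read `UINT32_MAX - 1`, and wrap_NDR_PULL_ALIGN puts its opening brace on the signature line while test_NDR_PULL_ALIGN and main in the same file put it on its own line.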
@@ -1 +1,2 @@
 ^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression
+^librpc.ndr.ndr.test_NDR_PULL_ALIGN