From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 5 Jul 2023 22:50:05 +0000 (+1200)
Subject: librpc:ndr: Fix overflow in ndr_push_expand
X-Git-Tag: talloc-2.4.1~79
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47b6696dcdfe7c5cb6e58ac6586ba45d39c39cc6;p=thirdparty%2Fsamba.git

librpc:ndr: Fix overflow in ndr_push_expand

If ‘size’ was equal to UINT32_MAX, the expression ‘size+1’ could
overflow to zero.

This could result in inadequate memory being allocated, which could
cause ndr_pull_compression_xpress_huff_raw_chunk() to overflow memory
with zero bytes.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57728

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15415

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---

diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
index 44cf524867d..d187a0d0110 100644
--- a/librpc/ndr/ndr.c
+++ b/librpc/ndr/ndr.c
@@ -286,6 +286,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_expand(struct ndr_push *ndr, uint32_t extra_
 	}
 
 	ndr->alloc_size += NDR_BASE_MARSHALL_SIZE;
+	if (size == UINT32_MAX) {
+		return ndr_push_error(ndr, NDR_ERR_BUFSIZE, "Overflow in push_expand");
+	}
 	if (size+1 > ndr->alloc_size) {
 		ndr->alloc_size = size+1;
 	}