From: Andrew Tridgell
Date: Tue, 13 Mar 2007 04:37:09 +0000 (+0000)
Subject: r21813: fixed an integer overflow error in the ndr push code.
X-Git-Tag: samba-misc-tags/initial-v3-0-unstable~952
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b1c4cd25aac98ce6a9959e9708f72b0b65e20af;p=thirdparty%2Fsamba.git
r21813: fixed an integer overflow error in the ndr push code. Jerry, you might like to consider this for 3.0.25
---
diff --git a/source/librpc/ndr/libndr.h b/source/librpc/ndr/libndr.h
index 3c2377f57fe..23e9e06bdd9 100644
--- a/source/librpc/ndr/libndr.h
+++ b/source/librpc/ndr/libndr.h
@@ -224,7 +224,7 @@ enum ndr_compression_alg {
 } \
 } while(0)
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
 #define NDR_PUSH_ALIGN(ndr, n) do { \
 if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \
diff --git a/source/librpc/ndr/ndr.c b/source/librpc/ndr/ndr.c
index 5b9eba478a0..ab73354540f 100644
--- a/source/librpc/ndr/ndr.c
+++ b/source/librpc/ndr/ndr.c
@@ -160,10 +160,17 @@ DATA_BLOB ndr_push_blob(struct ndr_push *ndr)
 /*
- expand the available space in the buffer to 'size'
+ expand the available space in the buffer to ndr->offset + extra_size
 */
-NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
 {
+ uint32_t size = extra_size + ndr->offset;
+
+ if (size < ndr->offset) {
+ /* extra_size overflowed the offset */
+ return NT_STATUS_NO_MEMORY;
+ }
+
 if (ndr->alloc_size > size) {
 return NT_STATUS_OK;
 }
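Review bot: `NDR_PUSH_NEED_BYTES` now hands `n` straight to a `uint32_t` parameter, so a caller that passes a wider value (for example a `size_t` length on a 64-bit build) would have it narrowed at the call, before the new wrap check in `ndr_push_expand` sees it. The macro's callers are not visible in this diff, so this is something to confirm rather than a known defect. I would document the contract on the macro, e.g. `/* n: additional bytes needed past ndr->offset; must fit in uint32_t */`.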
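Review bot: The new guard in `ndr_push_expand` covers only `extra_size + ndr->offset`. The function body continues past the end of the hunk, so any later arithmetic on `size` or `ndr->alloc_size` before the reallocation would need the same wrap check; that part cannot be judged from here. The parameter also changed meaning from an absolute size to a delta without a change of type, so a caller that invokes `ndr_push_expand` directly rather than through `NDR_PUSH_NEED_BYTES` and still passes an absolute size would compile cleanly and over-request. The header comment should also state the failure mode, e.g. `returns NT_STATUS_NO_MEMORY if ndr->offset + extra_size does not fit in uint32_t`.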