From: Gary Lockyer
Date: Wed, 22 Jan 2020 01:16:02 +0000 (+1300)
Subject: librpc ndr: NDR_PULL_ALIGN check for unsigned overflow
X-Git-Tag: ldb-2.1.1~151
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d05fb3ea772c3642624ec6e0fb4e8d099bcdb8e;p=thirdparty%2Fsamba.git

librpc ndr: NDR_PULL_ALIGN check for unsigned overflow

Handle uint32 overflow in NDR_PULL_ALIGN

Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer
Reviewed-by: Andrew Bartlett
---

diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
index b7cccf3dfc5..c2c7e263049 100644
--- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h
@@ -331,6 +331,13 @@ enum ndr_compression_alg {
 if (unlikely(ndr->flags & LIBNDR_FLAG_PAD_CHECK)) { \
 ndr_check_padding(ndr, n); \
 } \
+ if(unlikely( \
+ ((ndr->offset + (n-1)) & (~(n-1))) < ndr->offset)) {\
+ return ndr_pull_error( \
+ ndr, \
+ NDR_ERR_BUFSIZE, \
+ "Pull align (overflow) %u", (unsigned)n); \
+ } \
 ndr->offset = (ndr->offset + (n-1)) & ~(n-1); \
 } \
 if (unlikely(ndr->offset > ndr->data_size)) { \
diff --git a/selftest/knownfail.d/bug-14236 b/selftest/knownfail.d/bug-14236
index 343a7ec6f15..64b956997a6 100644
--- a/selftest/knownfail.d/bug-14236
+++ b/selftest/knownfail.d/bug-14236
@@ -1,2 +1 @@
 ^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression
-^librpc.ndr.ndr.test_NDR_PULL_ALIGN
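Review bot: The rounded-up offset in the new guard, `((ndr->offset + (n-1)) & (~(n-1)))`, is recomputed verbatim on the assignment line right below it, so the added lines expand the macro argument `n` five times and the guard and the store can silently drift apart under a later edit; computing the aligned value once into a block-local temporary, comparing that against `ndr->offset`, and then assigning it keeps the check and the update tied together. The check itself is sound provided `ndr->offset` is the uint32 the commit message names and `n` is a power of two — a sum that wraps past the type's range masks down to a value below the original offset, which is exactly what `<` detects — and a one-line comment recording those two preconditions would explain why a plain less-than comparison is sufficient. Two style nits on the same lines: `if(unlikely(` and `)) {\` lack the spaces used by the `if (unlikely(...)) { \` context lines directly above. The NDR_PULL_ALIGN macro begins before and ends after this hunk, so the enclosing block structure is inferred from the surrounding context lines.
```c
	{ \
		/* A sum that wraps past UINT32_MAX masks to a value below the old offset. */ \
		uint32_t _aligned = (ndr->offset + (n-1)) & ~(n-1); \
		if (unlikely(_aligned < ndr->offset)) { \
			return ndr_pull_error( \
				ndr, \
				NDR_ERR_BUFSIZE, \
				"Pull align (overflow) %u", (unsigned)n); \
		} \
		ndr->offset = _aligned; \
	} \
```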