From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 15 Aug 2023 00:38:35 +0000 (+1200)
Subject: librpc:ndr: Avoid overflow in size calculation
X-Git-Tag: tevent-0.16.0~638
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f78cc3b11ccc8a1e35c99168df92de5918b53ad;p=thirdparty%2Fsamba.git

librpc:ndr: Avoid overflow in size calculation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 0a9d7ab8b9b..0aec7b66cb5 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -660,6 +660,14 @@ _PUBLIC_ enum ndr_err_code ndr_check_string_terminator(struct ndr_pull *ndr, uin
 	uint32_t i;
 	uint32_t save_offset;
 
+	if (count == 0) {
+		return NDR_ERR_RANGE;
+	}
+
+	if (element_size && count - 1 > UINT32_MAX / element_size) {
+		return NDR_ERR_RANGE;
+	}
+
 	save_offset = ndr->offset;
 	NDR_CHECK(ndr_pull_advance(ndr, (count - 1) * element_size));
 	NDR_PULL_NEED_BYTES(ndr, element_size);