ndrdump: check bounds when passed functions/structs by integer

The function or struct number should be >= 0 ans the underlying
number it is compared to is uint32_t.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov 13 01:55:33 UTC 2019 on sn-devel-184

diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c
index c18531c9b1e96edc8c5ffcc996f370ba402fe301..4173f03098d8c15ef32912521a1c1e1e63a25f76 100644 (file)
--- a/librpc/tools/ndrdump.c
+++ b/librpc/tools/ndrdump.c
@@ -31,9 +31,17 @@ static const struct ndr_interface_call *find_function(
        const struct ndr_interface_table *p,
        const char *function)
 {
-       int i;
+       unsigned int i;
        if (isdigit(function[0])) {
-               i = strtol(function, NULL, 0);
+               char *eptr = NULL;
+               i = strtoul(function, &eptr, 0);
+               if (i >= p->num_calls
+                   || eptr == NULL
+                   || eptr[0] != '\0') {
+                       printf("Function number '%s' not found\n",
+                              function);
+                       exit(1);
+               }
                return &p->calls[i];
        }
        for (i=0;i<p->num_calls;i++) {
@@ -57,7 +65,19 @@ static const struct ndr_interface_call *find_struct(
        const char *struct_name,
        struct ndr_interface_call *out_buffer)
 {
-       int i;
+       unsigned int i;
+       if (isdigit(struct_name[0])) {
+               char *eptr = NULL;
+               i = strtoul(struct_name, &eptr, 0);
+               if (i >= p->num_public_structs
+                   || eptr == NULL
+                   || eptr[0] != '\0') {
+                       printf("Public structure number '%s' not found\n",
+                              struct_name);
+                       exit(1);
+               }
+               return &p->calls[i];
+       }
        for (i=0;i<p->num_public_structs;i++) {
                if (strcmp(p->public_structs[i].name, struct_name) == 0) {
                        break;