ndr_orpc: properly allocate empty DUALSTRINGARRAY
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 30 Oct 2019 02:02:49 +0000 (15:02 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 20 Nov 2019 04:41:28 +0000 (04:41 +0000)
When there is no data we still need to allocate for the terminating NULL.

Found by Michael Hanselmann using Honggfuzz and a fuzzer for Samba's
NDR layer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13875

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
librpc/ndr/ndr_orpc.c

index f24ddc5f826d3a21ad314c029504ac2d177f5d9b..01ba885d94250a9c8805b8554228a5173eacee0c 100644 (file)
@@ -37,7 +37,7 @@ enum ndr_err_code ndr_pull_DUALSTRINGARRAY(struct ndr_pull *ndr, int ndr_flags,
        NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &num_entries));
        NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &security_offset));
 
-       ar->stringbindings = talloc_array(ndr, struct STRINGBINDING *, num_entries);
+       ar->stringbindings = talloc_array(ndr, struct STRINGBINDING *, 1);
        ar->stringbindings[0] = NULL;
 
        do {
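Review bot: The new talloc_array() result is still written through unchecked on the next line, `ar->stringbindings[0] = NULL;`, so an allocation failure becomes a NULL dereference rather than an NDR error; the same applies to the securitybindings hunk below. Inserting `NDR_ERR_HAVE_NO_MEMORY(ar->stringbindings);` between the allocation and the store (and the equivalent for securitybindings) keeps the fuzzer-found fix and makes the out-of-memory path return NDR_ERR_ALLOC like the rest of the pull function. The allocation of a single slot is correct only if the `do { … }` loop that follows grows the array before storing each parsed entry; that loop lies outside the hunk, so a one-line comment such as `/* one slot for the terminating NULL; the loop below reallocs as entries arrive */` would document why num_entries is no longer used for sizing. ndr_pull_DUALSTRINGARRAY continues outside this hunk.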
@@ -56,7 +56,7 @@ enum ndr_err_code ndr_pull_DUALSTRINGARRAY(struct ndr_pull *ndr, int ndr_flags,
        ar->stringbindings[towernum] = NULL;
        towernum = 0;
 
-       ar->securitybindings = talloc_array(ndr, struct SECURITYBINDING *, num_entries);
+       ar->securitybindings = talloc_array(ndr, struct SECURITYBINDING *, 1);
        ar->securitybindings[0] = NULL;
 
        do {