From: Andrew Bartlett Date: Mon, 11 Nov 2019 23:11:53 +0000 (+1300) Subject: ndrdump: check bounds when passed functions/structs by integer X-Git-Tag: talloc-2.3.1~61 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=01bb7cff023719705d7442ae497c52a3f797edf4;p=thirdparty%2Fsamba.git ndrdump: check bounds when passed functions/structs by integer The function or struct number should be >= 0 ans the underlying number it is compared to is uint32_t. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191 Signed-off-by: Andrew Bartlett Signed-off-by: Douglas Bagnall Pair-programmed-with: Douglas Bagnall Autobuild-User(master): Douglas Bagnall Autobuild-Date(master): Wed Nov 13 01:55:33 UTC 2019 on sn-devel-184 --- diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c index c18531c9b1e..4173f03098d 100644 --- a/librpc/tools/ndrdump.c +++ b/librpc/tools/ndrdump.c @@ -31,9 +31,17 @@ static const struct ndr_interface_call *find_function( const struct ndr_interface_table *p, const char *function) { - int i; + unsigned int i; if (isdigit(function[0])) { - i = strtol(function, NULL, 0); + char *eptr = NULL; + i = strtoul(function, &eptr, 0); + if (i >= p->num_calls + || eptr == NULL + || eptr[0] != '\0') { + printf("Function number '%s' not found\n", + function); + exit(1); + } return &p->calls[i]; } for (i=0;inum_calls;i++) { @@ -57,7 +65,19 @@ static const struct ndr_interface_call *find_struct( const char *struct_name, struct ndr_interface_call *out_buffer) { - int i; + unsigned int i; + if (isdigit(struct_name[0])) { + char *eptr = NULL; + i = strtoul(struct_name, &eptr, 0); + if (i >= p->num_public_structs + || eptr == NULL + || eptr[0] != '\0') { + printf("Public structure number '%s' not found\n", + struct_name); + exit(1); + } + return &p->calls[i]; + } for (i=0;inum_public_structs;i++) { if (strcmp(p->public_structs[i].name, struct_name) == 0) { break;