From: Douglas Bagnall Date: Wed, 30 Oct 2019 02:02:49 +0000 (+1300) Subject: ndr_orpc: properly allocate empty DUALSTRINGARRAY X-Git-Tag: ldb-2.1.0~657 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=536a84935ce7647f43528d6d376f6762c5e8eb78;p=thirdparty%2Fsamba.git ndr_orpc: properly allocate empty DUALSTRINGARRAY When there is no data we still need to allocate for the terminating NULL. Found by Michael Hanselmann using Honggfuzz and an fuzzer for Samba's NDR layer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13875 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/librpc/ndr/ndr_orpc.c b/librpc/ndr/ndr_orpc.c
index f24ddc5f826..01ba885d942 100644
--- a/librpc/ndr/ndr_orpc.c
+++ b/librpc/ndr/ndr_orpc.c
@@ -37,7 +37,7 @@ enum ndr_err_code ndr_pull_DUALSTRINGARRAY(struct ndr_pull *ndr, int ndr_flags,
 NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &num_entries));
 NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &security_offset));
 
- ar->stringbindings = talloc_array(ndr, struct STRINGBINDING *, num_entries);
+ ar->stringbindings = talloc_array(ndr, struct STRINGBINDING *, 1);
 ar->stringbindings[0] = NULL;
 
 do {
@@ -56,7 +56,7 @@ enum ndr_err_code ndr_pull_DUALSTRINGARRAY(struct ndr_pull *ndr, int ndr_flags,
 ar->stringbindings[towernum] = NULL;
 towernum = 0;
 
- ar->securitybindings = talloc_array(ndr, struct SECURITYBINDING *, num_entries);
+ ar->securitybindings = talloc_array(ndr, struct SECURITYBINDING *, 1);
 ar->securitybindings[0] = NULL;
 
 do {
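Review bot: The talloc_array() result on the added line is dereferenced on the very next line (`ar->stringbindings[0] = NULL;`) with no NULL check, so an allocation failure in this pull routine, which is fed wire data, becomes a NULL-pointer write instead of an NDR error; the securitybindings allocation in the second hunk has the same gap. I would insert `if (ar->stringbindings == NULL) { return NDR_ERR_ALLOC; }` after the first added line and the equivalent check for `ar->securitybindings` after the second. The fix also means the arrays start with one element, so the `do {` loops that follow presumably grow them per entry via towernum; that growth happens outside the hunk and should be confirmed to be bounds-checked, since `ar->stringbindings[towernum] = NULL;` in the second hunk writes at that index. With both allocations now fixed at 1, num_entries appears to be read only to advance the stream; if nothing else consumes it, a short comment saying so would stop a later reader from reintroducing it as an allocation size. The body of ndr_pull_DUALSTRINGARRAY starts before and continues past both hunks.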