diff options
author | Volker Lendecke <vl@samba.org> | 2018-03-26 12:02:01 +0200 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2018-03-28 16:08:16 +0200 |
commit | 1cd0fe90cf642de4ab4d03819f87a13c20bd2805 (patch) | |
tree | d5ac56071bbf0ab9aee9451d78483f4a39adf993 /librpc/ndr | |
parent | 360804ed4f7d3ab7375ba68885fed4584ef0a438 (diff) | |
download | samba-1cd0fe90cf642de4ab4d03819f87a13c20bd2805.tar.gz |
ndr_string: Do overflow checks in ndr_push/pull_charset
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar 28 16:08:16 CEST 2018 on sn-devel-144
Diffstat (limited to 'librpc/ndr')
-rw-r--r-- | librpc/ndr/ndr_string.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c index 42ba3cfccc1..cc3508616bb 100644 --- a/librpc/ndr/ndr_string.c +++ b/librpc/ndr/ndr_string.c @@ -588,6 +588,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset(struct ndr_pull *ndr, int ndr_flags, chset = CH_UTF16BE; } + if ((byte_mul != 0) && (length > UINT32_MAX/byte_mul)) { + return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, "length overflow"); + } NDR_PULL_NEED_BYTES(ndr, length*byte_mul); if (!convert_string_talloc(ndr->current_mem_ctx, chset, CH_UNIX, @@ -642,6 +645,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_charset(struct ndr_push *ndr, int ndr_flags, chset = CH_UTF16BE; } + if ((byte_mul != 0) && (length > SIZE_MAX/byte_mul)) { + return ndr_push_error(ndr, NDR_ERR_LENGTH, "length overflow"); + } required = byte_mul * length; NDR_PUSH_NEED_BYTES(ndr, required); |