author | Stefan Metzmacher <metze@samba.org> | 2018-12-24 11:21:38 +0100 |
committer | Jeremy Allison <jra@samba.org> | 2019-01-12 03:13:31 +0100 |
commit | a94c4e55b7347ce5a524eeed78db632c5a251f4d (patch) | |
tree | 20fc8396fea1e2275fe786b73b53a3c9071a1713 /librpc/rpc | |
parent | c919514d2d9b358a8bb1ab152d34c5345677ba78 (diff) | |
download | samba-a94c4e55b7347ce5a524eeed78db632c5a251f4d.tar.gz |
librpc: add SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET) protection
A lot of functions rely on having the 16-byte dcerpc header to operate
on. This makes that more obvious and makes sure they can't be misused in
the future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'librpc/rpc')
-rw-r--r-- | librpc/rpc/dcerpc_util.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index e0479c2f36b..6bc97f7e7d8 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -34,6 +34,8 @@ decode */
 
 void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
 {
+SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
 SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
 } else {
@@ -43,6 +45,8 @@ void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
 
 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
 {
+SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
 return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
 } else {
@@ -52,6 +56,8 @@ uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
 
 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
 {
+SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
 SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
 } else {
@@ -61,6 +67,8 @@ void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
 
 uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
 {
+SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
 return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
 } else {
@@ -70,6 +78,8 @@ uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
 
 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
 {
+SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
 return blob->data[DCERPC_DREP_OFFSET];
 }
 
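Review bot: The SMB_ASSERT on blob->length added at the top of dcerpc_set_frag_length turns a too-short blob into a controlled abort rather than an error return, so it guards against programming errors, not against untrusted input; the same point applies to the four sibling hunks (dcerpc_get_frag_length, dcerpc_set_auth_length, dcerpc_get_auth_length, dcerpc_get_endian_flag). If SMB_ASSERT panics in non-developer builds, as I believe it does elsewhere in Samba, a caller that passes a network-received fragment to one of these helpers without first checking its length trades an out-of-bounds read for a remotely triggerable process crash, so the length validation still has to happen at the parsing boundary before these helpers are reached. Making that contract visible on each function would help the next maintainer, e.g. `/* Precondition: blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET (the 16-byte common header); callers must validate received fragments before calling, the assert only catches misuse. */` above each signature. The bodies of the first four functions continue past their hunks.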
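Review bot: dcerpc_get_endian_flag in the last hunk still takes a non-const `DATA_BLOB *blob` even though, like the two getters above it, it only reads blob->length and blob->data; `uint8_t dcerpc_get_endian_flag(const DATA_BLOB *blob)` would match dcerpc_get_frag_length and dcerpc_get_auth_length and let callers pass const fragments. The matching declaration in the header is outside this diff and would need the same change, so this may be better as a follow-up.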