authorAndrew Bartlett <abartlet@samba.org>2019-11-19 16:58:57 +1300
committerAndrew Bartlett <abartlet@samba.org>2019-12-12 02:30:40 +0000
commit362d70ff2fb6fb6265fce03da6b09dd4756dc604 (patch)
treefe558af19230cf5f97ab529b6b71e1a9756f5a6b /librpc
parent5eb560d25e9104dc02477a6bf819d0c37e8afb86 (diff)
librpc: Do not follow a NULL pointer when calculating the size of a structure
Found by Douglas Bagnall using Honggfuzz and the new fuzz_ndr_X fuzzer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'librpc')
-rw-r--r--librpc/ndr/ndr.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
index 6cc53b6e03a..dc83cf35ffd 100644
--- a/librpc/ndr/ndr.c
+++ b/librpc/ndr/ndr.c
@@ -1492,6 +1492,11 @@ _PUBLIC_ size_t ndr_size_struct(const void *p, int flags, ndr_push_flags_fn_t pu
/* avoid recursion */
if (flags & LIBNDR_FLAG_NO_NDR_SIZE) return 0;
+ /* Avoid following a NULL pointer */
+ if (p == NULL) {
+ return 0;
+ }
+
ndr = ndr_push_init_ctx(NULL);
if (!ndr) return 0;
ndr->flags |= flags | LIBNDR_FLAG_NO_NDR_SIZE;
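Review bot: The new `p == NULL` branch returns 0, the same value this function already returns for the recursion guard and for a failed `ndr_push_init_ctx()`, so a caller cannot tell an absent structure from an error or an empty encoding. Since the commit message says the NULL was reached by the NDR fuzzer, it presumably originates in decoded input, and the comment should state that and the contract, e.g. `/* p can be NULL when a decoded structure left the pointer unset; report size 0 instead of pushing through it */`. Any sibling size helper in this file that hands a caller-supplied pointer to a push function would want the same guard, though none is visible in this hunk. The body of ndr_size_struct starts before and continues after the hunk.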