authorStefan Metzmacher <metze@samba.org>2018-12-24 11:21:38 +0100
committerJeremy Allison <jra@samba.org>2019-01-12 03:13:31 +0100
commita94c4e55b7347ce5a524eeed78db632c5a251f4d (patch)
tree20fc8396fea1e2275fe786b73b53a3c9071a1713 /librpc
parentc919514d2d9b358a8bb1ab152d34c5345677ba78 (diff)
librpc: add SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET) protection
A lot of functions rely on having the 16-byte dcerpc header to operate on. This makes it more obvious and makes sure they can't be misused in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'librpc')
-rw-r--r--librpc/rpc/dcerpc_util.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index e0479c2f36b..6bc97f7e7d8 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -34,6 +34,8 @@
decode */
void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
{
+ SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
} else {
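Review bot: The added SMB_ASSERT at the top of dcerpc_set_frag_length converts a too-short blob into a process abort rather than a recoverable error, so it protects against internal misuse but is not input validation; any caller that reaches these helpers with a blob taken from the wire still needs its own length check before the call, otherwise an undersized fragment becomes a crash instead of a rejected packet. A one-line comment would make that contract explicit for future callers, e.g. `/* Callers must have validated blob->length; this only guards against internal misuse. */` placed above the assertion. The assertion also does not check blob->data for NULL, which is presumably covered by the DATA_BLOB invariant that a non-zero length implies non-NULL data, but that is worth confirming since CVAL dereferences it on the next line. The same point applies to the identical assertions added in dcerpc_get_frag_length, dcerpc_set_auth_length, dcerpc_get_auth_length and dcerpc_get_endian_flag. The body of dcerpc_set_frag_length continues past the end of this hunk.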
@@ -43,6 +45,8 @@ void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
{
+ SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
} else {
@@ -52,6 +56,8 @@ uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
{
+ SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
} else {
@@ -61,6 +67,8 @@ void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
{
+ SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
} else {
@@ -70,6 +78,8 @@ uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
{
+ SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
+
return blob->data[DCERPC_DREP_OFFSET];
}