author | Gary Lockyer <gary@catalyst.net.nz> | 2020-02-07 15:18:45 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2020-02-27 02:29:20 +0000 |
commit | 575d39048e3b4f619d65d65303ac809c40c5d495 (patch) | |
tree | 8e375c41d7d4386490442bbf398c16c095d24425 /librpc | |
parent | 2ba2ce40f9cf00e3fd898c6dddf84d571028a00f (diff) | |
download | samba-575d39048e3b4f619d65d65303ac809c40c5d495.tar.gz |
idl: limit recurion on recursive elements
Limit the max_recursion on self recursive definitions in the idl to
20,000. This value is hopefully large enough to not impact normal
operation, but small enough to prevent stack overflow issues.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb 27 02:29:21 UTC 2020 on sn-devel-184
Diffstat (limited to 'librpc')
-rw-r--r-- | librpc/idl/drsblobs.idl | 2 | ||||
-rw-r--r-- | librpc/idl/drsuapi.idl | 12 | ||||
-rw-r--r-- | librpc/idl/ioctl.idl | 2 |
3 files changed, 10 insertions, 6 deletions
diff --git a/librpc/idl/drsblobs.idl b/librpc/idl/drsblobs.idl
index 072546a4369..b096b671c80 100644
--- a/librpc/idl/drsblobs.idl
+++ b/librpc/idl/drsblobs.idl
@@ -579,7 +579,7 @@ interface drsblobs {
 } ExtendedErrorParam;
 typedef [public] struct {
- ExtendedErrorInfo *next;
+ [max_recursion(20000)] ExtendedErrorInfo *next;
 ExtendedErrorComputerName computer_name;
 hyper pid;
 NTTIME time;
diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl
index 04725276121..db00eb8639e 100644
--- a/librpc/idl/drsuapi.idl
+++ b/librpc/idl/drsuapi.idl
@@ -690,7 +690,8 @@ interface drsuapi
 } drsuapi_DsReplicaMetaDataCtr;
 typedef [public,noprint] struct {
- drsuapi_DsReplicaObjectListItemEx *next_object;
+ [max_recursion(20000)]
+ drsuapi_DsReplicaObjectListItemEx *next_object;
 drsuapi_DsReplicaObject object;
 boolean32 is_nc_prefix;
 GUID *parent_object_guid;
@@ -1308,7 +1309,8 @@ interface drsuapi
 /*****************/
 /* Function 0x11 */
 typedef [public,noprint] struct {
- drsuapi_DsReplicaObjectListItem *next_object;
+ [max_recursion(20000)]
+ drsuapi_DsReplicaObjectListItem *next_object;
 drsuapi_DsReplicaObject object;
 } drsuapi_DsReplicaObjectListItem;
@@ -1408,7 +1410,8 @@ interface drsuapi
 } drsuapi_DsAddEntry_AttrErr_V1;
 typedef [noprint] struct {
- drsuapi_DsAddEntry_AttrErrListItem_V1 *next;
+ [max_recursion(20000)]
+ drsuapi_DsAddEntry_AttrErrListItem_V1 *next;
 drsuapi_DsAddEntry_AttrErr_V1 err_data;
 } drsuapi_DsAddEntry_AttrErrListItem_V1;
@@ -1464,7 +1467,8 @@ interface drsuapi
 drsuapi_DsAddEntry_RefType ref_type;
 uint16 addr_list_count;
 drsuapi_DsaAddressListItem_V1 *addr_list;
- drsuapi_DsAddEntry_RefErrListItem_V1 *next;
+ [max_recursion(20000)]
+ drsuapi_DsAddEntry_RefErrListItem_V1 *next;
 boolean32 is_choice_set;
 drsuapi_DsAddEntry_ChoiceType choice;
 } drsuapi_DsAddEntry_RefErrListItem_V1;
diff --git a/librpc/idl/ioctl.idl b/librpc/idl/ioctl.idl
index ba68fbcb8f6..390e8562f69 100644
--- a/librpc/idl/ioctl.idl
+++ b/librpc/idl/ioctl.idl
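Review bot: The bound `20000` is repeated as a bare literal on every self-referential `next` / `next_object` pointer in the drsblobs.idl and drsuapi.idl hunks (and again in the ioctl.idl hunk), and nothing in the IDL says why that value was chosen or what it protects against. A short comment above each attributed member would stop a later editor from raising or removing the limit, for example `/* max_recursion: cap list depth so crafted input cannot exhaust the stack while unmarshalling (bug 14254) */`. Whether 20,000 nested frames actually fits presumably depends on the frame size of the generated code and on the stack size of the process or thread doing the parsing, neither of which is visible here, so it is worth confirming the limit against the smallest stack these parsers run on. The struct definitions start or end outside several of these hunks.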
@@ -151,7 +151,7 @@ interface netinterface
 } fsctl_sockaddr_storage;
 typedef [public,relative_base,noprint] struct {
- [relative] fsctl_net_iface_info *next;
+ [relative,max_recursion(20000)] fsctl_net_iface_info *next;
 uint32 ifindex;
 fsctl_net_iface_capability capability;
 [value(0)] uint32 reserved; |