diff options
author | Stefan Metzmacher <metze@samba.org> | 2020-07-31 11:27:25 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2021-07-08 09:30:40 +0000 |
commit | 8cce23acb9f9bdde8bff3c3a7ffa83361e3a64a6 (patch) | |
tree | 6503f7de82dfeb7199bc014cf6274bed940d6fb7 /librpc | |
parent | cf1baa8be90a3f141d07da430146f06cbd2d1e09 (diff) | |
download | samba-8cce23acb9f9bdde8bff3c3a7ffa83361e3a64a6.tar.gz |
witness.idl: fix length calculation for witness_IPaddrInfoList
If r->num is 0, we should not dereference r->addr.
Using ndr_size_witness_IPaddrInfoList() also make this much simpler
and avoids the magic 12.
Credit Oss-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22175
REF: https://oss-fuzz.com/testcase-detail/5686294157197312
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14452
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Diffstat (limited to 'librpc')
-rw-r--r-- | librpc/idl/witness.idl | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/librpc/idl/witness.idl b/librpc/idl/witness.idl index e230a5ea709..652c0e9cb65 100644 --- a/librpc/idl/witness.idl +++ b/librpc/idl/witness.idl @@ -98,14 +98,14 @@ interface witness WITNESS_IPADDR_OFFLINE = 0x10 } witness_IPaddrInfo_flags; - typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN),gensize] struct { + typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN)] struct { witness_IPaddrInfo_flags flags; [flag(NDR_BIG_ENDIAN)] ipv4address ipv4; [flag(NDR_BIG_ENDIAN)] ipv6address ipv6; } witness_IPaddrInfo; - typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN)] struct { - [value(12+(r->num*ndr_size_witness_IPaddrInfo(r->addr, ndr->flags)))] uint32 length; + typedef [public,flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN),gensize] struct { + [value(ndr_size_witness_IPaddrInfoList(r, ndr->flags))] uint32 length; [value(0)] uint32 reserved; uint32 num; witness_IPaddrInfo addr[num]; |