authorGary Lockyer <gary@catalyst.net.nz>2020-01-27 10:06:55 +1300
committerAndrew Bartlett <abartlet@samba.org>2020-02-07 08:53:40 +0000
commitd1277f4d02701ac77f8538af353479b52aa81157 (patch)
tree4adbcdf80fb5fcd5007205d07562d10527a1b2b2 /librpc
parent6d05fb3ea772c3642624ec6e0fb4e8d099bcdb8e (diff)
downloadsamba-d1277f4d02701ac77f8538af353479b52aa81157.tar.gz
librpc ndr tests: Unsigned overflow in ndr_pull_advance
Check that uint32 overflow is handled correctly by ndr_pull_advance.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'librpc')
-rw-r--r--librpc/tests/test_ndr.c26
1 files changed, 26 insertions, 0 deletions
diff --git a/librpc/tests/test_ndr.c b/librpc/tests/test_ndr.c
index a2a3834385d..316c54368a0 100644
--- a/librpc/tests/test_ndr.c
+++ b/librpc/tests/test_ndr.c
@@ -106,11 +106,37 @@ static void test_NDR_PULL_ALIGN(void **state)
assert_int_equal(NDR_ERR_BUFSIZE, err);
}
+/*
+ * Test ndr_pull_advance integer overflow handling.
+ */
+static void test_ndr_pull_advance(void **state)
+{
+ struct ndr_pull ndr = {0};
+ enum ndr_err_code err;
+
+ ndr.data_size = UINT32_MAX;
+ ndr.offset = UINT32_MAX -1;
+
+ /*
+ * This will not cause an overflow
+ */
+ err = ndr_pull_advance(&ndr, 1);
+ assert_int_equal(NDR_ERR_SUCCESS, err);
+
+ /*
+ * This will cause an overflow
+ * and (offset + n) will be less than data_size
+ */
+ err = ndr_pull_advance(&ndr, 2);
+ assert_int_equal(NDR_ERR_BUFSIZE, err);
+}
+
int main(int argc, const char **argv)
{
const struct CMUnitTest tests[] = {
cmocka_unit_test(test_NDR_PULL_NEED_BYTES),
cmocka_unit_test(test_NDR_PULL_ALIGN),
+ cmocka_unit_test(test_ndr_pull_advance),
};
cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
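Review bot: test_ndr_pull_advance asserts only the two return codes and never looks at `ndr.offset`, so it would still pass if the rejected call returned NDR_ERR_BUFSIZE but left a wrapped offset in the struct for later pulls to read from. The second case also depends silently on the first call having moved the offset to UINT32_MAX. I would add `assert_int_equal(UINT32_MAX, ndr.offset);` after each call; the one after the failing call assumes the contract is that a failed advance leaves the offset unchanged, which is not visible in this hunk and should be confirmed. The second comment could state the arithmetic, e.g. `offset is now UINT32_MAX, so offset + 2 wraps to 1, which is below data_size`, so a reader sees why a plain `offset + n > data_size` check would miss it.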