From 3fbdd3fa0164814b74409a11e67b3b708bb2a458 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Mon, 5 Sep 2011 16:41:21 +1000
Subject: ndr: range check on push of dom_sid blob
this ensures we get an error if we try to push a dom_sid with too many sub_auths
Pair-Programmed-With: Andrew Bartlett
---
 librpc/ndr/ndr_sec_helper.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'librpc')
diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index ff8588dad4a..984b6bd4aac 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -314,6 +314,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_dom_sid(struct ndr_push *ndr, int ndr_flags,
 NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->sid_rev_num));
 NDR_CHECK(ndr_push_int8(ndr, NDR_SCALARS, r->num_auths));
 NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
+ if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
+ return ndr_push_error(ndr, NDR_ERR_RANGE, "value out of range");
+ }
 for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; cntr_sub_auths_0++) {
 NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->sub_auths[cntr_sub_auths_0]));
 }
@@ -328,7 +331,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dom_sid(struct ndr_pull *ndr, int ndr_flags,
 NDR_CHECK(ndr_pull_align(ndr, 4));
 NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num));
 NDR_CHECK(ndr_pull_int8(ndr, NDR_SCALARS, &r->num_auths));
- if (r->num_auths < 0 || r->num_auths > 15) {
+ if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
 return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
 }
 NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
--
cgit v1.2.1
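Review bot: The range check added to ndr_push_dom_sid runs only after `sid_rev_num`, `num_auths` and `id_auth` have already been appended, so a rejected SID still leaves those bytes, including the out-of-range count, in the push buffer. Whether every caller discards the buffer on NDR_ERR_RANGE is not visible here, so it would be safer to validate before the first push: move the `if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {` block above the `ndr_push_uint8(ndr, NDR_SCALARS, r->sid_rev_num)` line, which also mirrors ndr_pull_dom_sid, where the check directly follows the count. A short comment such as `/* num_auths bounds the loop below; reject it so we never read past r->sub_auths */` would record why the check exists. The function body starts and ends outside the hunk.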
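Review bot: The comparison `r->num_auths > ARRAY_SIZE(r->sub_auths)` in ndr_pull_dom_sid mixes a signed 8-bit count (it is read with ndr_pull_int8) with what is presumably an unsigned size from sizeof arithmetic; the ARRAY_SIZE definition is not on this page. The result is still correct because the `< 0` test runs first, but that dependency is implicit and builds with sign-comparison warnings may flag it; `(size_t)r->num_auths > ARRAY_SIZE(r->sub_auths)` after the negative test states the intent. The same expression appears in the check added to ndr_push_dom_sid in the first hunk. ndr_pull_dom_sid continues outside the hunk.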