r21813: fixed an integer overflow error in the ndr push code.
authorAndrew Tridgell <tridge@samba.org>
Tue, 13 Mar 2007 04:37:09 +0000 (04:37 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:18:35 +0000 (12:18 -0500)
Jerry, you might like to consider this for 3.0.25
(This used to be commit 4b1c4cd25aac98ce6a9959e9708f72b0b65e20af)

source3/librpc/ndr/libndr.h
source3/librpc/ndr/ndr.c

index 3c2377f57fe6907c0c3fe348ada76f21f7a93703..23e9e06bdd909b636ca668b5cef9493bc1edc1c5 100644 (file)
@@ -224,7 +224,7 @@ enum ndr_compression_alg {
        } \
 } while(0)
 
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
 
 #define NDR_PUSH_ALIGN(ndr, n) do { \
        if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \
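Review bot: The argument of NDR_PUSH_NEED_BYTES silently changes meaning at the `+#define` line — it is now a count of extra bytes rather than the absolute offset that ndr_push_expand used to take — and nothing at the macro records that, so a reader of libndr.h alone cannot tell which convention is in force. Add a comment above the macro, e.g. `/* n: bytes still needed beyond ndr->offset; ndr_push_expand adds the offset itself and rejects a uint32_t wrap */`. Because the parameter semantics of ndr_push_expand itself change with this commit, any caller that invokes ndr_push_expand directly with an absolute size (none is visible in this diff) would now have the offset added a second time, so those call sites should be audited in the same change.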
index 5b9eba478a0719fbaae8ede90790347c0ba01682..ab73354540f9914ae917d49c50aaf3ea5a9495e5 100644 (file)
@@ -160,10 +160,17 @@ DATA_BLOB ndr_push_blob(struct ndr_push *ndr)
 
 
 /*
-  expand the available space in the buffer to 'size'
+  expand the available space in the buffer to ndr->offset + extra_size
 */
-NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
 {
+       uint32_t size = extra_size + ndr->offset;
+
+       if (size < ndr->offset) {
+               /* extra_size overflowed the offset */
+               return NT_STATUS_NO_MEMORY;
+       }
+
        if (ndr->alloc_size > size) {
                return NT_STATUS_OK;
        }
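Review bot: The comment `/* extra_size overflowed the offset */` at the new guard understates what it protects: a wrapped uint32_t sum would satisfy the `ndr->alloc_size > size` test that follows and leave the buffer unexpanded, so subsequent pushes would write past the allocation; suggest `/* uint32_t wrap: a wrapped size would pass the alloc_size check below and let later pushes run off the end of the buffer */`. Returning NT_STATUS_NO_MEMORY is defensible if callers treat any failure as fatal, but NT_STATUS_INVALID_PARAMETER would describe the cause more precisely for callers that distinguish allocation failure from bad input. The remainder of ndr_push_expand lies outside this hunk; if the growth path there derives a new alloc_size from `size` by doubling or adding a step, that arithmetic needs the same wrap check, otherwise the guard added here is only half of the fix.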