ndr: range check on push of dom_sid blob
[kai/samba.git] / librpc / ndr / ndr_sec_helper.c
index ff8588dad4aa3a501cca5bb4948ad172a75caf63..984b6bd4aac69574752977950aa20a969bbf2423 100644 (file)
@@ -314,6 +314,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_dom_sid(struct ndr_push *ndr, int ndr_flags,
                NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->sid_rev_num));
                NDR_CHECK(ndr_push_int8(ndr, NDR_SCALARS, r->num_auths));
                NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
+               if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
+                       return ndr_push_error(ndr, NDR_ERR_RANGE, "value out of range");
+               }
                for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; cntr_sub_auths_0++) {
                        NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->sub_auths[cntr_sub_auths_0]));
                }
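Review bot: The new range check in ndr_push_dom_sid runs only after `sid_rev_num`, `num_auths` and `id_auth` have already been pushed, so a SID with an invalid count is rejected with three fields already written to the push buffer. Moving the `if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths))` test above the `ndr_push_uint8(ndr, NDR_SCALARS, r->sid_rev_num)` call would reject the structure before any bytes are emitted. That would also mirror the pull side, where the check follows the `num_auths` read directly. Whether any caller reuses the buffer after an error is not visible here, so this is a hardening point rather than a confirmed bug. The function body starts and ends outside this hunk.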
@@ -328,7 +331,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dom_sid(struct ndr_pull *ndr, int ndr_flags,
                NDR_CHECK(ndr_pull_align(ndr, 4));
                NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num));
                NDR_CHECK(ndr_pull_int8(ndr, NDR_SCALARS, &r->num_auths));
-               if (r->num_auths < 0 || r->num_auths > 15) {
+               if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
                        return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
                }
                NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
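Review bot: The rejection message `"value out of range"` names neither the field nor the value, which makes a malformed SID arriving off the wire hard to triage from logs. Assuming `ndr_pull_error` takes printf-style arguments, something like `return ndr_pull_error(ndr, NDR_ERR_RANGE, "dom_sid num_auths %d out of range", r->num_auths);` would make the failure self-describing. The same applies to the `ndr_push_error` call added in the push hunk. A short comment stating that the bound is tied to the `sub_auths` array the loop indexes would also tell readers why `ARRAY_SIZE` replaced the literal 15.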