librpc ndr tests: uint32 overflow in NDR_PULL_ALIGN
authorGary Lockyer <gary@catalyst.net.nz>
Fri, 24 Jan 2020 02:21:47 +0000 (15:21 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 7 Feb 2020 08:53:40 +0000 (08:53 +0000)
Check that uint32 overflow is handled correctly by NDR_NEED_BYTES.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
librpc/tests/test_ndr.c
selftest/knownfail.d/bug-14236

index 1c074d71023e5722f585c8c03e66976535fa3ec5..a2a3834385d39e559ab45bef2ec92bbd63a7a1e5 100644 (file)
@@ -73,10 +73,44 @@ static void test_NDR_PULL_NEED_BYTES(void **state)
        assert_int_equal(NDR_ERR_BUFSIZE, err);
 }
 
+/*
+ * Test NDR_PULL_ALIGN integer overflow handling.
+ */
+static enum ndr_err_code wrap_NDR_PULL_ALIGN(
+       struct ndr_pull *ndr,
+       uint32_t bytes) {
+
+       NDR_PULL_ALIGN(ndr, bytes);
+       return NDR_ERR_SUCCESS;
+}
+
+static void test_NDR_PULL_ALIGN(void **state)
+{
+       struct ndr_pull ndr = {0};
+       enum ndr_err_code err;
+
+       ndr.data_size = UINT32_MAX;
+       ndr.offset = UINT32_MAX -1;
+
+       /*
+        * This will not cause an overflow
+        */
+       err = wrap_NDR_PULL_ALIGN(&ndr, 2);
+       assert_int_equal(NDR_ERR_SUCCESS, err);
+
+       /*
+        * This will cause an overflow
+        * and (offset + n) will be less than data_size
+        */
+       err = wrap_NDR_PULL_ALIGN(&ndr, 4);
+       assert_int_equal(NDR_ERR_BUFSIZE, err);
+}
+
 int main(int argc, const char **argv)
 {
        const struct CMUnitTest tests[] = {
                cmocka_unit_test(test_NDR_PULL_NEED_BYTES),
+               cmocka_unit_test(test_NDR_PULL_ALIGN),
        };
 
        cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
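Review bot: test_NDR_PULL_ALIGN asserts only the returned error code and never looks at `ndr.offset`, so the overflow case silently depends on whatever the first call left in the struct. After the alignment-2 call I would add `assert_int_equal(UINT32_MAX - 1, ndr.offset);`, since the offset is already even and should be unchanged. I would also set `ndr.offset = UINT32_MAX - 1;` again before the alignment-4 call, so the wrapping precondition is explicit. The comment "(offset + n) will be less than data_size" could be tightened as well: presumably the value that wraps is the rounded-up offset rather than `offset + n`, which is worth confirming against the macro. Saying that the wrapped offset would pass the `offset > data_size` bounds check makes clear why this is a memory-safety test and not just an arithmetic one.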
index 64b956997a6f467726a1a03f64c6f3850668b81e..343a7ec6f15c05f4426c88576d657183bafd6f5c 100644 (file)
@@ -1 +1,2 @@
 ^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression
+^librpc.ndr.ndr.test_NDR_PULL_ALIGN