librpc ndr: NDR_PULL_ALIGN check for unsigned overflow
authorGary Lockyer <gary@catalyst.net.nz>
Wed, 22 Jan 2020 01:16:02 +0000 (14:16 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 7 Feb 2020 08:53:40 +0000 (08:53 +0000)
Handle uint32 overflow in NDR_PULL_ALIGN

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
librpc/ndr/libndr.h
selftest/knownfail.d/bug-14236

index b7cccf3dfc5c33924d7283504cbb8d6f779752b4..c2c7e2630496dfe1ddd9acb1f0b6f71ae508f1ae 100644 (file)
@@ -331,6 +331,13 @@ enum ndr_compression_alg {
                if (unlikely(ndr->flags & LIBNDR_FLAG_PAD_CHECK)) {     \
                        ndr_check_padding(ndr, n); \
                } \
+               if(unlikely( \
+                       ((ndr->offset + (n-1)) & (~(n-1))) < ndr->offset)) {\
+                       return ndr_pull_error( \
+                               ndr, \
+                               NDR_ERR_BUFSIZE, \
+                               "Pull align (overflow) %u", (unsigned)n); \
+               } \
                ndr->offset = (ndr->offset + (n-1)) & ~(n-1); \
        } \
        if (unlikely(ndr->offset > ndr->data_size)) {                   \
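Review bot: The new guard's `if(unlikely(` line does not match the spacing of the neighbouring `if (unlikely(ndr->flags & LIBNDR_FLAG_PAD_CHECK)) {` and `if (unlikely(ndr->offset > ndr->data_size)) {` lines, and its closing `{\` drops the space before the line continuation; `if (unlikely(((ndr->offset + (n-1)) & ~(n-1)) < ndr->offset)) { \` keeps the check readable and consistent with the rest of the macro. The aligned value is also computed twice, once inside the guard and again in the `ndr->offset = ...` assignment on the following context line; holding it in a block-local variable would keep the overflow check and the assignment from drifting apart, though that is a tidy-up rather than a defect. The wrap-around detection presumably relies on ndr->offset being an unsigned 32-bit field, as the commit message states, and on n being a power of two for the `~(n-1)` mask to be valid; neither is verified here, but the power-of-two assumption predates this change. The NDR_PULL_ALIGN macro body starts before and continues after this hunk.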
index 343a7ec6f15c05f4426c88576d657183bafd6f5c..64b956997a6f467726a1a03f64c6f3850668b81e 100644 (file)
@@ -1,2 +1 @@
 ^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression
-^librpc.ndr.ndr.test_NDR_PULL_ALIGN