This needs to be fixed in Samba3 as well. It might be exploitable (I
haven't confirmed one way or the other), so I think this should be
fixed for 3.0.25
} \
} while(0)
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
#define NDR_PUSH_ALIGN(ndr, n) do { \
if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \
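Review bot: The `n` argument of `NDR_PUSH_NEED_BYTES` is now converted straight to the `uint32_t extra_size` parameter, so a caller passing a wider value (for example a `size_t` length on a 64-bit build) would have it truncated before the new wrap check in `ndr_push_expand` sees it. This hunk does not show whether any caller does that, so the call sites are worth auditing. I would also document the contract above the macro, e.g. `/* n is the number of additional bytes needed past ndr->offset; must fit in uint32_t */`.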
/*
- expand the available space in the buffer to 'size'
+ expand the available space in the buffer to ndr->offset + extra_size
*/
-_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
{
+ uint32_t size = extra_size + ndr->offset;
+
+ if (size < ndr->offset) {
+ /* extra_size overflowed the offset */
+ return NT_STATUS_NO_MEMORY;
+ }
+
if (ndr->alloc_size > size) {
return NT_STATUS_OK;
}
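Review bot: `ndr_push_expand` keeps the same `uint32_t` prototype while its argument changes meaning from an absolute size to a delta, so any direct caller that still passes `ndr->offset + n` will compile cleanly and have the offset added twice. Only the macro call site is updated in the visible hunks; because the function is `_PUBLIC_`, other direct callers should be checked, or the function renamed so that stale callers fail to build. The body continues outside the hunk, and if it does further arithmetic on `size` (a growth increment or a `+ 1`), that needs the same wrap check as the one added here. The header comment could also state the failure mode: `returns NT_STATUS_NO_MEMORY if ndr->offset + extra_size wraps`.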