r21812: fixed an integer overflow error in the ndr push code.

This needs to be fixed in Samba3 as well. It might be exploitable (I
haven't confirmed one way or the other), so I think this should be
fixed for 3.0.25

diff --git a/source/librpc/ndr/libndr.h b/source/librpc/ndr/libndr.h
index eb0c970208f5aeb196f2dce4823875915824d495..e6bf7c04e2f86c8e61361f043c33774c0314a916 100644 (file)
--- a/source/librpc/ndr/libndr.h
+++ b/source/librpc/ndr/libndr.h
@@ -219,7 +219,7 @@ enum ndr_compression_alg {
        } \
 } while(0)
 
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
 
 #define NDR_PUSH_ALIGN(ndr, n) do { \
        if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \

diff --git a/source/librpc/ndr/ndr.c b/source/librpc/ndr/ndr.c
index cbd316f403050d81eb62ecc15f0ee7592741e9ed..d75292686374a432041ff101116a915943b5ef42 100644 (file)
--- a/source/librpc/ndr/ndr.c
+++ b/source/librpc/ndr/ndr.c
@@ -148,10 +148,17 @@ _PUBLIC_ DATA_BLOB ndr_push_blob(struct ndr_push *ndr)
 
 
 /*
-  expand the available space in the buffer to 'size'
+  expand the available space in the buffer to ndr->offset + extra_size
 */
-_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
 {
+       uint32_t size = extra_size + ndr->offset;
+
+       if (size < ndr->offset) {
+               /* extra_size overflowed the offset */
+               return NT_STATUS_NO_MEMORY;
+       }
+
        if (ndr->alloc_size > size) {
                return NT_STATUS_OK;
        }