From 80920cb630a972bc54f1caea2a4c1d909041fc35 Mon Sep 17 00:00:00 2001
From: Gary Lockyer
Date: Wed, 15 Jan 2020 12:37:06 +1300
Subject: [PATCH] ndr: Unsigned overflow in ndr_pull_advance

ndr_pull_advance was not checking for unsigned overflow, when checking the length.

Credit to OSS-Fuzz

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer
---
 librpc/ndr/ndr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
index 2259a35b170..e3f5f93e016 100644
--- a/librpc/ndr/ndr.c
+++ b/librpc/ndr/ndr.c
@@ -200,7 +200,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr)
 _PUBLIC_ enum ndr_err_code ndr_pull_advance(struct ndr_pull *ndr, uint32_t size)
 {
 ndr->offset += size;
- if (ndr->offset > ndr->data_size) {
+ if (ndr->offset > ndr->data_size || ndr->offset < size) {
 return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
 "ndr_pull_advance by %u failed",
 size);
--
2.17.1
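Review bot: `ndr->offset` is still incremented before it is validated, so on the error path the pull context keeps the wrapped or out-of-range offset; any caller that handles NDR_ERR_BUFSIZE and goes on using `ndr` would then work from a bad position. Checking before mutating avoids both the wrap and the stale state, for example `if (ndr->offset > ndr->data_size || size > ndr->data_size - ndr->offset) { return ndr_pull_error(...); }` followed by `ndr->offset += size;`. The added `ndr->offset < size` test is only a valid wrap check if `offset` is an unsigned type of the same width as `size`, which the hunk does not show; if the current form is kept, a comment such as `/* unsigned wrap: offset + size overflowed */` would make the intent explicit. The body of ndr_pull_advance continues past the end of the hunk.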