From 16720fb5730a56512f3fa0a305e0f97c47f6d9b9 Mon Sep 17 00:00:00 2001
From: Gary Lockyer
Date: Wed, 15 Jan 2020 12:37:06 +1300
Subject: [PATCH] ndr: Unsigned overflow in ndr_pull_advance

ndr_pull_advance was not checking for unsigned overflow, when checking the length.

Credit to OSS-Fuzz

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer
---
 librpc/ndr/ndr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
index d478eb69c01..2f72d255c3e 100644
--- a/librpc/ndr/ndr.c
+++ b/librpc/ndr/ndr.c
@@ -189,7 +189,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr)
 _PUBLIC_ enum ndr_err_code ndr_pull_advance(struct ndr_pull *ndr, uint32_t size)
 {
 	ndr->offset += size;
-	if (ndr->offset > ndr->data_size) {
+	if (ndr->offset > ndr->data_size || ndr->offset < size) {
 		return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
 				      "ndr_pull_advance by %u failed",
 				      size);
-- 
2.17.1
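Review bot: The wrap test on the added line runs after `ndr->offset += size;` has already executed, so when the add wraps the pull context is left holding a small, bogus offset that would pass a later `offset > data_size` check in any caller that does not honour the error return; testing before mutating avoids that and also spares readers from having to recognise `ndr->offset < size` as a post-hoc unsigned-wrap idiom. Suggest replacing the two lines with `if (ndr->offset > ndr->data_size || size > ndr->data_size - ndr->offset) {` placed before the increment and moving `ndr->offset += size;` after the error block (this assumes offset <= data_size on entry, which the existing check appears intended to maintain). If the post-hoc form is kept, a comment such as `/* offset < size means offset + size wrapped around */` would document the second condition, since the well-definedness of uint32_t wrap is what makes it correct. The success return at the end of ndr_pull_advance lies outside the hunk.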