The Samba-Bugzilla – Attachment 15732 Details for Bug 14236: [FUZZING] Unsigned integer overflow in ndr_pull_advance
[patch] Proposed patch for master
bug-14263-master-01.patch (text/plain), 1.02 KB, created by Gary Lockyer on 2020-01-15 00:25:03 UTC
>From 80920cb630a972bc54f1caea2a4c1d909041fc35 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Wed, 15 Jan 2020 12:37:06 +1300 >Subject: [PATCH] ndr: Unsigned overflow in ndr_pull_advance > >ndr_pull_advance was not checking for unsigned overflow, when checking >the length. > >Credit to OSS-Fuzz >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236 > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > librpc/ndr/ndr.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c >index 2259a35b170..e3f5f93e016 100644 >--- a/librpc/ndr/ndr.c >+++ b/librpc/ndr/ndr.c >@@ -200,7 +200,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr) > _PUBLIC_ enum ndr_err_code ndr_pull_advance(struct ndr_pull *ndr, uint32_t size) > { > ndr->offset += size; >- if (ndr->offset > ndr->data_size) { >+ if (ndr->offset > ndr->data_size || ndr->offset < size) { > return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, > "ndr_pull_advance by %u failed", > size); >-- >2.17.1 >
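Review bot: In ndr_pull_advance the new wrap test `ndr->offset < size` runs only after `ndr->offset += size` has already modified the offset, so on the NDR_ERR_BUFSIZE return path the struct is left holding the wrapped value. Consider validating before mutating, for example by testing `size > ndr->data_size - ndr->offset` first (safe as long as offset never exceeds data_size on entry) and performing the addition only on success. The diffstat shows only librpc/ndr/ndr.c changed; a regression test that feeds a size large enough to wrap the offset would be worth adding with this fix.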
Flags: gary: ci-passed+