From 16720fb5730a56512f3fa0a305e0f97c47f6d9b9 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Wed, 15 Jan 2020 12:37:06 +1300
Subject: [PATCH] ndr: Unsigned overflow in ndr_pull_advance

ndr_pull_advance was not checking for unsigned overflow, when checking
the length.

Credit to OSS-Fuzz
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
---
 librpc/ndr/ndr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
index d478eb69c01..2f72d255c3e 100644
--- a/librpc/ndr/ndr.c
+++ b/librpc/ndr/ndr.c
@@ -189,7 +189,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr)
 _PUBLIC_ enum ndr_err_code ndr_pull_advance(struct ndr_pull *ndr, uint32_t size)
 {
 	ndr->offset += size;
-	if (ndr->offset > ndr->data_size) {
+	if (ndr->offset > ndr->data_size || ndr->offset < size) {
 		return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
 				      "ndr_pull_advance by %u failed",
 				      size);
-- 
2.17.1