The Samba-Bugzilla – Attachment 15734 Details for Bug 14236: [FUZZING] Unsigned integer overflow in ndr_pull_advance
[patch] Proposed patch for V4-11
bug-14263-v4-11-01.patch (text/plain), 1.02 KB, created by Gary Lockyer on 2020-01-15 20:25:36 UTC
>From 16720fb5730a56512f3fa0a305e0f97c47f6d9b9 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Wed, 15 Jan 2020 12:37:06 +1300 >Subject: [PATCH] ndr: Unsigned overflow in ndr_pull_advance > >ndr_pull_advance was not checking for unsigned overflow, when checking >the length. > >Credit to OSS-Fuzz >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236 > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > librpc/ndr/ndr.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c >index d478eb69c01..2f72d255c3e 100644 >--- a/librpc/ndr/ndr.c >+++ b/librpc/ndr/ndr.c >@@ -189,7 +189,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr) > _PUBLIC_ enum ndr_err_code ndr_pull_advance(struct ndr_pull *ndr, uint32_t size) > { > ndr->offset += size; >- if (ndr->offset > ndr->data_size) { >+ if (ndr->offset > ndr->data_size || ndr->offset < size) { > return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, > "ndr_pull_advance by %u failed", > size); >-- >2.17.1 >
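Review bot: In ndr_pull_advance the added `ndr->offset < size` test runs after `ndr->offset += size`, so the addition still wraps and the error return leaves ndr->offset holding the wrapped value. Consider validating before mutating, for example `if (size > ndr->data_size || ndr->offset > ndr->data_size - size)` returning the same NDR_ERR_BUFSIZE error, and only then performing `ndr->offset += size`. That keeps the offset unchanged on failure and removes the wrap itself, which a build instrumented for unsigned overflow would otherwise still flag. The post-add comparison also detects wrap only if ndr->offset has the same width as the uint32_t size parameter, which the hunk does not show; a one-line comment stating that assumption would help the next reader.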
Flags: gary: ci-passed+