s3/rpc_client: Ensure max possible row buffer size is not exceeded
author Noel Power <noel.power@suse.com>
Wed, 14 Feb 2024 11:19:39 +0000 (11:19 +0000)
committer Jule Anger <janger@samba.org>
Mon, 26 Feb 2024 09:34:15 +0000 (09:34 +0000)
The max buf size of rows buffer should not exceed 0x00004000.
Ensuring this value is within limits means we can safely use
uint32_t offsets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit f487211706a74d516bf447ed393222b4c0dce7b0)

source3/rpc_client/wsp_cli.c

index d8a9aca46ff00e229fd637f9f596b77cf86e4f16..39d1f7868d082e88320dfb6a6206250260e2d3ab 100644 (file)
@@ -1311,6 +1311,19 @@ enum ndr_err_code extract_rowsarray(
 {
        uint32_t i;
        enum ndr_err_code err  = NDR_ERR_SUCCESS;
+       /*
+        * limit check the size of rows_buf
+        * see MS-WSP 2.2.3.11 which describes the size
+        * of the rows buffer MUST not exceed 0x0004000 bytes.
+        * This limit will ensure we can safely check
+        * limits based on uint32_t offsets
+        */
+
+       if (rows_buf->length > MAX_ROW_BUFF_SIZE) {
+               DBG_ERR("Buffer size 0x%zx exceeds 0x%x max buffer size\n",
+                       rows_buf->length, MAX_ROW_BUFF_SIZE);
+               return NDR_ERR_BUFSIZE;
+       }
 
        for (i = 0; i < rows; i++ ) {
                struct wsp_cbasestoragevariant *cols =
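
Review bot: the comment above the new check writes the limit as 0x0004000 (seven hex digits) while the commit message gives 0x00004000. The value is the same, but the odd width reads like a typo; write 0x00004000, or name MAX_ROW_BUFF_SIZE in the comment so the text cannot drift from the macro. The definition of MAX_ROW_BUFF_SIZE is not in this hunk, so the "0x%x" conversion in the DBG_ERR call depends on the macro having an unsigned int type; confirm that where it is defined. The blank line between the comment and the "if (rows_buf->length > MAX_ROW_BUFF_SIZE)" test can also be dropped so the comment sits directly on the code it describes.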