ndr_string: Do overflow checks in ndr_push/pull_charset

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar 28 16:08:16 CEST 2018 on sn-devel-144

diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 42ba3cfccc1a62c04b0e34cf02752a2daa1ca86d..cc3508616bbdea76ff3501a9a0d35d169a41c125 100644 (file)
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -588,6 +588,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset(struct ndr_pull *ndr, int ndr_flags,
                chset = CH_UTF16BE;
        }
 
+       if ((byte_mul != 0) && (length > UINT32_MAX/byte_mul)) {
+               return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, "length overflow");
+       }
        NDR_PULL_NEED_BYTES(ndr, length*byte_mul);
 
        if (!convert_string_talloc(ndr->current_mem_ctx, chset, CH_UNIX,
@@ -642,6 +645,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_charset(struct ndr_push *ndr, int ndr_flags,
                chset = CH_UTF16BE;
        }
 
+       if ((byte_mul != 0) && (length > SIZE_MAX/byte_mul)) {
+               return ndr_push_error(ndr, NDR_ERR_LENGTH, "length overflow");
+       }
        required = byte_mul * length;
        
        NDR_PUSH_NEED_BYTES(ndr, required);