From 01bb7cff023719705d7442ae497c52a3f797edf4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 12 Nov 2019 12:11:53 +1300
Subject: [PATCH] ndrdump: check bounds when passed functions/structs by integer The function or struct number should be >= 0 ans the underlying number it is compared to is uint32_t.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191
Signed-off-by: Andrew Bartlett
Signed-off-by: Douglas Bagnall
Pair-programmed-with: Douglas Bagnall
Autobuild-User(master): Douglas Bagnall
Autobuild-Date(master): Wed Nov 13 01:55:33 UTC 2019 on sn-devel-184
---
 librpc/tools/ndrdump.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c
index c18531c9b1e..4173f03098d 100644
--- a/librpc/tools/ndrdump.c
+++ b/librpc/tools/ndrdump.c
@@ -31,9 +31,17 @@ static const struct ndr_interface_call *find_function(
 const struct ndr_interface_table *p,
 const char *function)
 {
- int i;
+ unsigned int i;
 if (isdigit(function[0])) {
- i = strtol(function, NULL, 0);
+ char *eptr = NULL;
+ i = strtoul(function, &eptr, 0);
+ if (i >= p->num_calls
+ || eptr == NULL
+ || eptr[0] != '\0') {
+ printf("Function number '%s' not found\n",
+ function);
+ exit(1);
+ }
 return &p->calls[i];
 }
 for (i=0;inum_calls;i++) {
@@ -57,7 +65,19 @@ static const struct ndr_interface_call *find_struct(
 const char *struct_name,
 struct ndr_interface_call *out_buffer)
 {
- int i;
+ unsigned int i;
+ if (isdigit(struct_name[0])) {
+ char *eptr = NULL;
+ i = strtoul(struct_name, &eptr, 0);
+ if (i >= p->num_public_structs
+ || eptr == NULL
+ || eptr[0] != '\0') {
+ printf("Public structure number '%s' not found\n",
+ struct_name);
+ exit(1);
+ }
+ return &p->calls[i];
+ }
 for (i=0;inum_public_structs;i++) {
 if (strcmp(p->public_structs[i].name, struct_name) == 0) {
 break;
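Review bot: The result of `strtoul()` is narrowed to `unsigned int i` before the range check in find_function, so where `unsigned long` is wider than `unsigned int` an argument such as `4294967296` wraps to 0 and is accepted as function 0. The index stays in bounds, but the tool then decodes a different call than the one requested, with no error. Keeping the parsed value wide until it has been checked avoids this: `unsigned long n = strtoul(function, &eptr, 0);`, then `if (n >= p->num_calls || eptr[0] != '\0')` and `return &p->calls[n];`. The same narrowing is in the find_struct hunk. The `eptr == NULL` test can be dropped, since `strtoul()` always stores through a non-NULL end pointer.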
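Review bot: The numeric path in find_struct checks `i` against `p->num_public_structs` but then returns `&p->calls[i]`, which indexes the function table rather than the public-structure table. If an interface has more public structs than calls, this reads past the end of `calls`; otherwise it returns an unrelated function entry and leaves `out_buffer` untouched. The name lookup below compares `p->public_structs[i].name`, so the numeric case should most likely skip the loop and continue into the code that follows it (outside this hunk) instead of returning early, e.g. drop `return &p->calls[i];` and put the `for` loop in an `else` branch.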