From 19cc587031d17c823718ad2074cc3a0161972224 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Mon, 25 Nov 2024 15:08:26 +0100
Subject: [PATCH] libndr: Add overflow check to ndr_push_subcontext_end()
Signed-off-by: Volker Lendecke
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Volker Lendecke
Autobuild-Date(master): Mon Nov 25 15:36:07 UTC 2024 on atb-devel-224
---
 librpc/ndr/ndr.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
index 24db73d5001..b48c798cd75 100644
--- a/librpc/ndr/ndr.c
+++ b/librpc/ndr/ndr.c
@@ -936,6 +936,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_subcontext_end(struct ndr_push *ndr,
 break;
 case 2:
+ if (subndr->offset > UINT16_MAX) {
+ return ndr_push_error(
+ ndr,
+ NDR_ERR_BUFSIZE,
+ "Subcontext (PUSH) too large: %" PRIu32
+ " does not fit into 16 bits",
+ subndr->offset);
+ }
 NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, subndr->offset));
 break;
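Review bot: The new guard in `case 2` carries no comment saying what it protects against, and the diffstat shows only `librpc/ndr/ndr.c` changed, so no test covers the new error path. The `PRIu32` format implies `subndr->offset` is 32 bits wide, so without the check the value handed to `ndr_push_uint16()` would presumably be narrowed and the 16-bit length header could disagree with the bytes actually pushed, leaving the receiver to mis-frame the data. A comment above the `if`, such as `/* a 2-byte subcontext header cannot encode a length above UINT16_MAX; fail instead of truncating */`, would record that intent. A regression test that pushes a subcontext larger than `UINT16_MAX` with a 2-byte header and expects `NDR_ERR_BUFSIZE` would keep the check from being lost. The rest of the switch lies outside the hunk, so it is worth confirming that no other header size narrows `subndr->offset` in the same way.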