mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s3/rpc_client: Ensure max possible row buffer size is not exceeded

The max buf size of rows buffer should not exceed 0x00004000.
Ensuring this value is within limits means we can safely use
uint32_t offsets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit f487211706)
Noel Power 2024-02-14 11:19:39 +00:00 committed by Jule Anger
parent 3e226dd1cd
commit 1ab3de6f46


@ -1311,6 +1311,19 @@ enum ndr_err_code extract_rowsarray(
{
uint32_t i;
enum ndr_err_code err = NDR_ERR_SUCCESS;
/*
* limit check the size of rows_buf
* see MS-WSP 2.2.3.11 which describes the size
* of the rows buffer MUST not exceed 0x0004000 bytes.
* This limit will ensure we can safely check
* limits based on uint32_t offsets
*/
if (rows_buf->length > MAX_ROW_BUFF_SIZE) {
DBG_ERR("Buffer size 0x%zx exceeds 0x%x max buffer size\n",
rows_buf->length, MAX_ROW_BUFF_SIZE);
return NDR_ERR_BUFSIZE;
}
for (i = 0; i < rows; i++ ) {
struct wsp_cbasestoragevariant *cols =