mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s3/rpc_client: Ensure max possible row buffer size is not exceeded
The max buf size of rows buffer should not exceed 0x00004000.
Ensuring this value is within limits means we can safely use
uint32_t offsets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit f487211706
)
This commit is contained in:
parent
3e226dd1cd
commit
1ab3de6f46
@ -1311,6 +1311,19 @@ enum ndr_err_code extract_rowsarray(
|
||||
{
|
||||
uint32_t i;
|
||||
enum ndr_err_code err = NDR_ERR_SUCCESS;
|
||||
/*
|
||||
* limit check the size of rows_buf
|
||||
* see MS-WSP 2.2.3.11 which describes the size
|
||||
* of the rows buffer MUST not exceed 0x0004000 bytes.
|
||||
* This limit will ensure we can safely check
|
||||
* limits based on uint32_t offsets
|
||||
*/
|
||||
|
||||
if (rows_buf->length > MAX_ROW_BUFF_SIZE) {
|
||||
DBG_ERR("Buffer size 0x%zx exceeds 0x%x max buffer size\n",
|
||||
rows_buf->length, MAX_ROW_BUFF_SIZE);
|
||||
return NDR_ERR_BUFSIZE;
|
||||
}
|
||||
|
||||
for (i = 0; i < rows; i++ ) {
|
||||
struct wsp_cbasestoragevariant *cols =
|
||||
|
Loading…
Reference in New Issue
Block a user