1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

librpc: Do not follow a NULL pointer when calculating the size of a union

Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2019-11-19 17:38:50 +13:00
parent 456cdb7fa3
commit 92a7c5a726
2 changed files with 5 additions and 1 deletions

View File

@ -1522,6 +1522,11 @@ _PUBLIC_ size_t ndr_size_union(const void *p, int flags, uint32_t level, ndr_pus
/* avoid recursion */ /* avoid recursion */
if (flags & LIBNDR_FLAG_NO_NDR_SIZE) return 0; if (flags & LIBNDR_FLAG_NO_NDR_SIZE) return 0;
/* Avoid following a NULL pointer */
if (p == NULL) {
return 0;
}
ndr = ndr_push_init_ctx(NULL); ndr = ndr_push_init_ctx(NULL);
if (!ndr) return 0; if (!ndr) return 0;
ndr->flags |= flags | LIBNDR_FLAG_NO_NDR_SIZE; ndr->flags |= flags | LIBNDR_FLAG_NO_NDR_SIZE;

View File

@ -1 +0,0 @@
^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_NULL_union_PAC_BUFFER