librpc ndr tests: Unsigned overflow in ndr_pull_advance

Check that uint32 overflow is handled correctly by ndr_pull_advance.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/tests/test_ndr.c

@@ -106,11 +106,37 @@ static void test_NDR_PULL_ALIGN(void **state)
 	assert_int_equal(NDR_ERR_BUFSIZE, err);
 }
 
+/*
+ * Test ndr_pull_advance integer overflow handling.
+ */
+static void test_ndr_pull_advance(void **state)
+{
+	struct ndr_pull ndr = {0};
+	enum ndr_err_code err;
+
+	ndr.data_size = UINT32_MAX;
+	ndr.offset = UINT32_MAX -1;
+
+	/*
+	 * This will not cause an overflow
+	 */
+	err = ndr_pull_advance(&ndr, 1);
+	assert_int_equal(NDR_ERR_SUCCESS, err);
+
+	/*
+	 * This will cause an overflow
+	 * and (offset + n) will be less than data_size
+	 */
+	err = ndr_pull_advance(&ndr, 2);
+	assert_int_equal(NDR_ERR_BUFSIZE, err);
+}
+
 int main(int argc, const char **argv)
 {
 	const struct CMUnitTest tests[] = {
 		cmocka_unit_test(test_NDR_PULL_NEED_BYTES),
 		cmocka_unit_test(test_NDR_PULL_ALIGN),
+		cmocka_unit_test(test_ndr_pull_advance),
 	};
 
 	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);

selftest/knownfail.d/bug-14236

@@ -1 +1,2 @@
 ^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression
+^librpc.ndr.ndr.test_ndr_pull_advance