From d1277f4d02701ac77f8538af353479b52aa81157 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Mon, 27 Jan 2020 10:06:55 +1300 Subject: [PATCH] librpc ndr tests: Unsigned overflow in ndr_pull_advance Check that uint32 overflow is handled correctly by ndr_pull_advance. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236 Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett
--- librpc/tests/test_ndr.c | 26 ++++++++++++++++++++++++++ selftest/knownfail.d/bug-14236 | 1 + 2 files changed, 27 insertions(+)
diff --git a/librpc/tests/test_ndr.c b/librpc/tests/test_ndr.c
index a2a3834385d..316c54368a0 100644
--- a/librpc/tests/test_ndr.c
+++ b/librpc/tests/test_ndr.c
@@ -106,11 +106,37 @@ static void test_NDR_PULL_ALIGN(void **state)
 assert_int_equal(NDR_ERR_BUFSIZE, err);
 }
+/*
+ * Test ndr_pull_advance integer overflow handling.
+ */
+static void test_ndr_pull_advance(void **state)
+{
+ struct ndr_pull ndr = {0};
+ enum ndr_err_code err;
+
+ ndr.data_size = UINT32_MAX;
+ ndr.offset = UINT32_MAX -1;
+
+ /*
+ * This will not cause an overflow
+ */
+ err = ndr_pull_advance(&ndr, 1);
+ assert_int_equal(NDR_ERR_SUCCESS, err);
+
+ /*
+ * This will cause an overflow
+ * and (offset + n) will be less than data_size
+ */
+ err = ndr_pull_advance(&ndr, 2);
+ assert_int_equal(NDR_ERR_BUFSIZE, err);
+}
+
 int main(int argc, const char **argv)
 {
 const struct CMUnitTest tests[] = {
 cmocka_unit_test(test_NDR_PULL_NEED_BYTES),
 cmocka_unit_test(test_NDR_PULL_ALIGN),
+ cmocka_unit_test(test_ndr_pull_advance),
 };
 cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
diff --git a/selftest/knownfail.d/bug-14236 b/selftest/knownfail.d/bug-14236
index 64b956997a6..3c36d148ba7 100644
--- a/selftest/knownfail.d/bug-14236
+++ b/selftest/knownfail.d/bug-14236
@@ -1 +1,2 @@
 ^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression
+^librpc.ndr.ndr.test_ndr_pull_advance
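Review bot: The new test_ndr_pull_advance pins only the return codes and never inspects ndr.offset, so it would still pass if the successful advance left the offset unchanged or the failing advance wrote back the wrapped value. After the first call add `assert_int_equal(UINT32_MAX, ndr.offset);`, and if ndr_pull_advance is meant to leave the pull context untouched on NDR_ERR_BUFSIZE (its implementation is not in this patch, so confirm), repeat that assertion after the second call so a wrapped offset of 1 cannot leak into later pulls. The second comment could also say why the case matters: `/* UINT32_MAX + 2 wraps to 1, so a plain (offset + n > data_size) check would wrongly accept it */`. Minor style: `ndr.offset = UINT32_MAX -1;` reads better as `UINT32_MAX - 1`. The knownfail entry shows the fix itself lands in a separate commit, so this test is expected to fail until then.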