ndrdump: check bounds when passed functions/structs by integer

The function or struct number should be >= 0 ans the underlying number it is compared to is uint32_t. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191 Signed-off-by: Andrew Bartlett <[email protected]> Signed-off-by: Douglas Bagnall <[email protected]> Pair-programmed-with: Douglas Bagnall <[email protected]> Autobuild-User(master): Douglas Bagnall <[email protected]> Autobuild-Date(master): Wed Nov 13 01:55:33 UTC 2019 on sn-devel-184
kounelios13 · Nov 13, 2019 · 01bb7cf · 01bb7cf
1 parent 3b9e983
commit 01bb7cf
Showing 1 changed file with 23 additions and 3 deletions.
diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c
@@ -31,9 +31,17 @@ static const struct ndr_interface_call *find_function(
 	const struct ndr_interface_table *p,
 	const char *function)
 {
-	int i;
+	unsigned int i;
 	if (isdigit(function[0])) {
-		i = strtol(function, NULL, 0);
+		char *eptr = NULL;
+		i = strtoul(function, &eptr, 0);
+		if (i >= p->num_calls
+		    || eptr == NULL
+		    || eptr[0] != '\0') {
+			printf("Function number '%s' not found\n",
+			       function);
+			exit(1);
+		}
 		return &p->calls[i];
 	}
 	for (i=0;i<p->num_calls;i++) {
@@ -57,7 +65,19 @@ static const struct ndr_interface_call *find_struct(
 	const char *struct_name,
 	struct ndr_interface_call *out_buffer)
 {
-	int i;
+	unsigned int i;
+	if (isdigit(struct_name[0])) {
+		char *eptr = NULL;
+		i = strtoul(struct_name, &eptr, 0);
+		if (i >= p->num_public_structs
+		    || eptr == NULL
+		    || eptr[0] != '\0') {
+			printf("Public structure number '%s' not found\n",
+			       struct_name);
+			exit(1);
+		}
+		return &p->calls[i];
+	}
 	for (i=0;i<p->num_public_structs;i++) {
 		if (strcmp(p->public_structs[i].name, struct_name) == 0) {
 			break;