diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-03-15 17:03:05 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2012-04-07 15:23:20 +0200 |
commit | 0b9d59d256a74594e89467e5ebe4e62c25c9572e (patch) | |
tree | 88cfb71b598aa259ee820eaf1f2aa469feb15a07 | |
parent | 3e0e6f56a671b40b21c37838ff292fe8902889bb (diff) | |
download | samba-0b9d59d256a74594e89467e5ebe4e62c25c9572e.tar.gz |
pidl/NDR/Parser: also do range checks on the array sizesamba-3.6.4
metze
The last 8 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
-rw-r--r-- | pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index b6fcc5b34ad..3676d6d077d 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -335,6 +335,20 @@ sub ParseArrayPullGetSize($$$$$$) $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; + if (my $range = has_property($e, "range")) { + my ($low, $high) = split(/,/, $range, 2); + if ($low < 0) { + warning(0, "$low is invalid for the range of an array size"); + } + if ($low == 0) { + $self->pidl("if ($array_size > $high) {"); + } else { + $self->pidl("if ($array_size < $low || $array_size > $high) {"); + } + $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); + $self->pidl("}"); + } + return $array_size; } @@ -348,13 +362,14 @@ sub ParseArrayPullGetLength($$$$$$;$) $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); } - my $array_length = $array_size; - if ($l->{IS_VARYING}) { - my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; - $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); - $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; + if (not $l->{IS_VARYING}) { + return $array_size; } + my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; + $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); + my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; + if (my $range = has_property($e, "range")) { my ($low, $high) = split(/,/, $range, 2); if ($low < 0) { |