authorStefan Metzmacher <metze@samba.org>2012-03-15 17:03:05 +0100
committerKarolin Seeger <kseeger@samba.org>2012-04-07 15:23:20 +0200
commit0b9d59d256a74594e89467e5ebe4e62c25c9572e (patch)
tree88cfb71b598aa259ee820eaf1f2aa469feb15a07
parent3e0e6f56a671b40b21c37838ff292fe8902889bb (diff)
downloadsamba-0b9d59d256a74594e89467e5ebe4e62c25c9572e.tar.gz
pidl/NDR/Parser: also do range checks on the array sizesamba-3.6.4
metze The last 8 patches address bug #8815 (PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182).
-rw-r--r--pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm25
1 files changed, 20 insertions, 5 deletions
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index b6fcc5b34ad..3676d6d077d 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -335,6 +335,20 @@ sub ParseArrayPullGetSize($$$$$$)
$self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;");
my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}";
+ if (my $range = has_property($e, "range")) {
+ my ($low, $high) = split(/,/, $range, 2);
+ if ($low < 0) {
+ warning(0, "$low is invalid for the range of an array size");
+ }
+ if ($low == 0) {
+ $self->pidl("if ($array_size > $high) {");
+ } else {
+ $self->pidl("if ($array_size < $low || $array_size > $high) {");
+ }
+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
+ $self->pidl("}");
+ }
+
return $array_size;
}
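Review bot: A negative lower bound is only warned about and then still interpolated into the generated C, because the `$low < 0` branch falls through to the `else` that emits `if ($array_size < $low || $array_size > $high)`; if the `size_*` variable is unsigned, as the `ndr_get_array_size` origin suggests, comparing it against a negative literal converts the literal to a huge unsigned value and the emitted guard rejects almost every array rather than just the oversized ones. The cheapest fix is to let the warned case use the upper-bound-only form: `if ($low <= 0) {` instead of `if ($low == 0) {`. The `split(/,/, $range, 2)` also leaves `$high` undefined when the attribute has no comma, which would emit `$array_size > ` with nothing after it; a `defined $high or ...` check before the pidl calls would turn that into a generation-time error instead of a C compile error. The same range-parsing shape appears in the existing check in ParseArrayPullGetLength (context lines of the next hunk), so a small helper that validates and emits the check would keep both sites consistent.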
@@ -348,13 +362,14 @@ sub ParseArrayPullGetLength($$$$$$;$)
$array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
}
- my $array_length = $array_size;
- if ($l->{IS_VARYING}) {
- my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
- $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;");
- $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
+ if (not $l->{IS_VARYING}) {
+ return $array_size;
}
+ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
+ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;");
+ my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
+
if (my $range = has_property($e, "range")) {
my ($low, $high) = split(/,/, $range, 2);
if ($low < 0) {