diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-03-15 13:07:47 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2012-04-10 20:35:44 +0200 |
commit | 7b711ce91a01dae266e4acaa5ab6487109e1264f (patch) | |
tree | 9fcfac200a9f639871cf068ab9ce27510a453a8e | |
parent | 994308c556fbaf4943e0d9c71d0c1cea0ebb5fb5 (diff) | |
download | samba-7b711ce91a01dae266e4acaa5ab6487109e1264f.tar.gz |
pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.
metze
(cherry picked from commit 586c3fab85cde3bd6a5141fbba3bb5fcb6b67ab5)
-rw-r--r-- | pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index f2d74013ea5..77223b63916 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1111,14 +1111,10 @@ sub ParseElementPullLevel } } elsif ($l->{TYPE} eq "ARRAY" and not has_fast_array($e,$l) and not is_charset_array($e, $l)) { - my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); + my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; my $array_name = $var_name; - if ($l->{IS_VARYING}) { - $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; - } - if (my $range = has_property($e, "range")) { my ($low, $high) = split(/,/, $range, 2); if ($low < 0) { |