diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-03-15 13:07:47 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2012-04-07 15:21:53 +0200 |
commit | 8e99484dec90690ec1e00c17580150278963e063 (patch) | |
tree | d7999788fb75d7c29616948131ce466dcac10aa1 | |
parent | dc9c68c8992db8225c93043757c4d33b8814c428 (diff) | |
download | samba-8e99484dec90690ec1e00c17580150278963e063.tar.gz |
pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.
metze
-rw-r--r-- | pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index e97c40052db..09ba7232c21 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1120,14 +1120,10 @@ sub ParseElementPullLevel } } elsif ($l->{TYPE} eq "ARRAY" and not has_fast_array($e,$l) and not is_charset_array($e, $l)) { - my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); + my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; my $array_name = $var_name; - if ($l->{IS_VARYING}) { - $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; - } - if (my $range = has_property($e, "range")) { my ($low, $high) = split(/,/, $range, 2); if ($low < 0) { |