author | Stefan Metzmacher <metze@samba.org> | 2012-03-15 18:51:29 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2012-04-07 16:26:47 +0200 |
commit | 9123504f2b6f9af458510721416cb25993959a31 (patch) | |
tree | 4cca0b60a92e472aca8e5052b977665b538fe55a /librpc/gen_ndr/ndr_dssetup.c | |
parent | afaa5f66a8686d5f4e371b66e846249a30e1495f (diff) | |
download | samba-9123504f2b6f9af458510721416cb25993959a31.tar.gz |
rerun 'make samba3-idl'samba-3.4.16
metze
The last 12 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
Diffstat (limited to 'librpc/gen_ndr/ndr_dssetup.c')
-rw-r--r-- | librpc/gen_ndr/ndr_dssetup.c | 36 |
1 files changed, 24 insertions, 12 deletions
diff --git a/librpc/gen_ndr/ndr_dssetup.c b/librpc/gen_ndr/ndr_dssetup.c index 7ce80ddab2a..a65726da267 100644 --- a/librpc/gen_ndr/ndr_dssetup.c +++ b/librpc/gen_ndr/ndr_dssetup.c @@ -95,10 +95,16 @@ static enum ndr_err_code ndr_push_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_pull *ndr, int ndr_flags, struct dssetup_DsRolePrimaryDomInfoBasic *r) { uint32_t _ptr_domain; + uint32_t size_domain_1 = 0; + uint32_t length_domain_1 = 0; TALLOC_CTX *_mem_save_domain_0; uint32_t _ptr_dns_domain; + uint32_t size_dns_domain_1 = 0; + uint32_t length_dns_domain_1 = 0; TALLOC_CTX *_mem_save_dns_domain_0; uint32_t _ptr_forest; + uint32_t size_forest_1 = 0; + uint32_t length_forest_1 = 0; TALLOC_CTX *_mem_save_forest_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); 
@@ -130,11 +136,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); - if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); + size_domain_1 = ndr_get_array_size(ndr, &r->domain); + length_domain_1 = ndr_get_array_length(ndr, &r->domain); + if (length_domain_1 > size_domain_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); } if (r->dns_domain) { 
@@ -142,11 +150,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p NDR_PULL_SET_MEM_CTX(ndr, r->dns_domain, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_domain)); NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_domain)); - if (ndr_get_array_length(ndr, &r->dns_domain) > ndr_get_array_size(ndr, &r->dns_domain)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_domain), ndr_get_array_length(ndr, &r->dns_domain)); + size_dns_domain_1 = ndr_get_array_size(ndr, &r->dns_domain); + length_dns_domain_1 = ndr_get_array_length(ndr, &r->dns_domain); + if (length_dns_domain_1 > size_dns_domain_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_domain_1, length_dns_domain_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_domain_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, length_dns_domain_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_domain_0, 0); } if (r->forest) { 
@@ -154,11 +164,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p NDR_PULL_SET_MEM_CTX(ndr, r->forest, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->forest)); NDR_CHECK(ndr_pull_array_length(ndr, &r->forest)); - if (ndr_get_array_length(ndr, &r->forest) > ndr_get_array_size(ndr, &r->forest)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->forest), ndr_get_array_length(ndr, &r->forest)); + size_forest_1 = ndr_get_array_size(ndr, &r->forest); + length_forest_1 = ndr_get_array_length(ndr, &r->forest); + if (length_forest_1 > size_forest_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_forest_1, length_forest_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_forest_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, length_forest_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_0, 0); } } |