diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-03-15 13:07:47 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2012-04-07 16:26:07 +0200 |
commit | 586c3fab85cde3bd6a5141fbba3bb5fcb6b67ab5 (patch) | |
tree | 86d0a0c5ae680e14f38015e0d09bd999c39523b8 /pidl/lib/Parse/Pidl | |
parent | eb8240ecb0d82a8f9b3b7c7d317c57f1aff74296 (diff) | |
download | samba-586c3fab85cde3bd6a5141fbba3bb5fcb6b67ab5.tar.gz |
pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.
metze
Diffstat (limited to 'pidl/lib/Parse/Pidl')
-rw-r--r-- | pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index f2d74013ea5..77223b63916 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1111,14 +1111,10 @@ sub ParseElementPullLevel } } elsif ($l->{TYPE} eq "ARRAY" and not has_fast_array($e,$l) and not is_charset_array($e, $l)) { - my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); + my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; my $array_name = $var_name; - if ($l->{IS_VARYING}) { - $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; - } - if (my $range = has_property($e, "range")) { my ($low, $high) = split(/,/, $range, 2); if ($low < 0) { |