pidl: Assert that python arrays will not overflow the C array

We do not write network services in Python, so this is not a security issue, but would cause
a crash or other odd behaviour if the length was changed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11430

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

1 files changed, 7 insertions, 0 deletions

diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm b/pidl/lib/Parse/Pidl/Samba4/Python.pm
index a84c6f6ba1e..ad9ff88fd58 100644
--- a/pidl/lib/Parse/Pidl/Samba4/Python.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm
@@ -1223,6 +1223,13 @@ sub ConvertObjectFromPythonLevel($$$$$$$$)
 				$self->pidl("$var_name = talloc_array_ptrtype($mem_ctx, $var_name, PyList_GET_SIZE($py_var));");
 				$self->pidl("if (!$var_name) { $fail; }");
 				$self->pidl("talloc_set_name_const($var_name, \"ARRAY: $var_name\");");
+			} else {
+				$self->pidl("if (ARRAY_SIZE($var_name) != PyList_GET_SIZE($py_var)) {");
+				$self->indent;
+				$self->pidl("PyErr_Format(PyExc_TypeError, \"Expected list of type %s, length %zu, got %zd\", Py_TYPE($py_var)->tp_name, ARRAY_SIZE($var_name),  PyList_GET_SIZE($py_var));");
+				$self->pidl("$fail");
+				$self->deindent;
+				$self->pidl("}");
 			}
 			$self->pidl("for ($counter = 0; $counter < PyList_GET_SIZE($py_var); $counter++) {");
 			$self->indent;