diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-03-15 18:51:29 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2012-04-10 20:36:01 +0200 |
commit | c0894d92aeb527c150b0adec0a748ad3437f432c (patch) | |
tree | 0166f0d9a98127aea67c6a747caa0e4e1395faef /source3/librpc/gen_ndr/ndr_notify.c | |
parent | ffb8d8ed57700d7bb9b8f7b619b8f635dd0566f5 (diff) | |
download | samba-c0894d92aeb527c150b0adec0a748ad3437f432c.tar.gz |
rerun 'make samba3-idl'
metze
The last 12 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
(cherry picked from commit 9123504f2b6f9af458510721416cb25993959a31)
Diffstat (limited to 'source3/librpc/gen_ndr/ndr_notify.c')
-rw-r--r-- | source3/librpc/gen_ndr/ndr_notify.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/source3/librpc/gen_ndr/ndr_notify.c b/source3/librpc/gen_ndr/ndr_notify.c index d4ac42e9614..7e561de6a58 100644 --- a/source3/librpc/gen_ndr/ndr_notify.c +++ b/source3/librpc/gen_ndr/ndr_notify.c @@ -90,6 +90,7 @@ static enum ndr_err_code ndr_push_notify_depth(struct ndr_push *ndr, int ndr_fla static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_flags, struct notify_depth *r) { + uint32_t size_entries_0 = 0; uint32_t cntr_entries_0; TALLOC_CTX *_mem_save_entries_0; if (ndr_flags & NDR_SCALARS) { @@ -97,18 +98,20 @@ static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_fla NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask_subdir)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries)); - NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries); + size_entries_0 = r->num_entries; + NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0); _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); - for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { + for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); } if (ndr_flags & NDR_BUFFERS) { + size_entries_0 = r->num_entries; _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); - for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { + for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); @@ -157,23 +160,26 @@ _PUBLIC_ enum ndr_err_code ndr_push_notify_array(struct ndr_push *ndr, int ndr_f _PUBLIC_ enum ndr_err_code ndr_pull_notify_array(struct ndr_pull *ndr, int ndr_flags, struct notify_array *r) { + uint32_t size_depth_0 = 0; uint32_t cntr_depth_0; TALLOC_CTX *_mem_save_depth_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 8)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_depths)); - NDR_PULL_ALLOC_N(ndr, r->depth, r->num_depths); + size_depth_0 = r->num_depths; + NDR_PULL_ALLOC_N(ndr, r->depth, size_depth_0); _mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0); - for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) { + for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) { NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_SCALARS, &r->depth[cntr_depth_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0); } if (ndr_flags & NDR_BUFFERS) { + size_depth_0 = r->num_depths; _mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0); - for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) { + for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) { NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_BUFFERS, &r->depth[cntr_depth_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0); |