authorStefan Metzmacher <metze@samba.org>2012-03-15 18:51:29 +0100
committerKarolin Seeger <kseeger@samba.org>2012-04-07 16:26:47 +0200
commit9123504f2b6f9af458510721416cb25993959a31 (patch)
tree4cca0b60a92e472aca8e5052b977665b538fe55a /source3/librpc/gen_ndr/ndr_printcap.c
parentafaa5f66a8686d5f4e371b66e846249a30e1495f (diff)
rerun 'make samba3-idl'samba-3.4.16
metze The last 12 patches address bug #8815 (PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182).
Diffstat (limited to 'source3/librpc/gen_ndr/ndr_printcap.c')
-rw-r--r--source3/librpc/gen_ndr/ndr_printcap.c33
1 files changed, 22 insertions, 11 deletions
diff --git a/source3/librpc/gen_ndr/ndr_printcap.c b/source3/librpc/gen_ndr/ndr_printcap.c
index b6c7ba6387a..6183237d18a 100644
--- a/source3/librpc/gen_ndr/ndr_printcap.c
+++ b/source3/librpc/gen_ndr/ndr_printcap.c
@@ -30,8 +30,12 @@ static enum ndr_err_code ndr_push_pcap_printer(struct ndr_push *ndr, int ndr_fla
static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_flags, struct pcap_printer *r)
{
uint32_t _ptr_name;
+ uint32_t size_name_1 = 0;
+ uint32_t length_name_1 = 0;
TALLOC_CTX *_mem_save_name_0;
uint32_t _ptr_info;
+ uint32_t size_info_1 = 0;
+ uint32_t length_info_1 = 0;
TALLOC_CTX *_mem_save_info_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
@@ -54,11 +58,13 @@ static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_fla
NDR_PULL_SET_MEM_CTX(ndr, r->name, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->name));
NDR_CHECK(ndr_pull_array_length(ndr, &r->name));
- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name));
+ size_name_1 = ndr_get_array_size(ndr, &r->name);
+ length_name_1 = ndr_get_array_length(ndr, &r->name);
+ if (length_name_1 > size_name_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint8_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint8_t), CH_UTF8));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0);
}
if (r->info) {
@@ -66,11 +72,13 @@ static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_fla
NDR_PULL_SET_MEM_CTX(ndr, r->info, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->info));
NDR_CHECK(ndr_pull_array_length(ndr, &r->info));
- if (ndr_get_array_length(ndr, &r->info) > ndr_get_array_size(ndr, &r->info)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->info), ndr_get_array_length(ndr, &r->info));
+ size_info_1 = ndr_get_array_size(ndr, &r->info);
+ length_info_1 = ndr_get_array_length(ndr, &r->info);
+ if (length_info_1 > size_info_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_info_1, length_info_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t), CH_UTF8));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_info_1, sizeof(uint8_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, length_info_1, sizeof(uint8_t), CH_UTF8));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0);
}
}
@@ -118,6 +126,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_pcap_data(struct ndr_push *ndr, int ndr_flag
_PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flags, struct pcap_data *r)
{
+ uint32_t size_printers_0 = 0;
uint32_t cntr_printers_0;
TALLOC_CTX *_mem_save_printers_0;
if (ndr_flags & NDR_SCALARS) {
@@ -125,10 +134,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flag
NDR_CHECK(ndr_pull_align(ndr, 4));
NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->status));
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count));
- NDR_PULL_ALLOC_N(ndr, r->printers, ndr_get_array_size(ndr, &r->printers));
+ size_printers_0 = ndr_get_array_size(ndr, &r->printers);
+ NDR_PULL_ALLOC_N(ndr, r->printers, size_printers_0);
_mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0);
- for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) {
+ for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) {
NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_SCALARS, &r->printers[cntr_printers_0]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0);
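Review bot: The loop bound here, and in the NDR_BUFFERS loop of the next hunk, is now the conformant size that `r->printers` was allocated with, but `r->count` is still pulled from the wire and stored without any check visible in these hunks. A later consumer that walks `r->printers` using `r->count` depends on the two values agreeing, so confirm that the two lines elided between this hunk and the next contain `NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->printers, r->count));`. Because this file is generated, that check and a one-line comment such as `/* iterate over the allocated size, not the wire-supplied count */` belong in the pidl template rather than in this file. The body of ndr_pull_pcap_data starts and ends outside the hunk.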
@@ -137,9 +147,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flag
}
}
if (ndr_flags & NDR_BUFFERS) {
+ size_printers_0 = ndr_get_array_size(ndr, &r->printers);
_mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0);
- for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) {
+ for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) {
NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_BUFFERS, &r->printers[cntr_printers_0]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0);