author | Stefan Metzmacher <metze@samba.org> | 2012-03-15 18:51:29 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2012-04-07 16:26:47 +0200 |
commit | 9123504f2b6f9af458510721416cb25993959a31 (patch) | |
tree | 4cca0b60a92e472aca8e5052b977665b538fe55a /source3 | |
parent | afaa5f66a8686d5f4e371b66e846249a30e1495f (diff) | |
download | samba-9123504f2b6f9af458510721416cb25993959a31.tar.gz |
rerun 'make samba3-idl' samba-3.4.16
metze
The last 12 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
Diffstat (limited to 'source3')
-rw-r--r-- | source3/librpc/gen_ndr/ndr_libnetapi.c | 22 | ||||
-rw-r--r-- | source3/librpc/gen_ndr/ndr_messaging.c | 31 | ||||
-rw-r--r-- | source3/librpc/gen_ndr/ndr_notify.c | 18 | ||||
-rw-r--r-- | source3/librpc/gen_ndr/ndr_printcap.c | 33 |
4 files changed, 70 insertions, 34 deletions
diff --git a/source3/librpc/gen_ndr/ndr_libnetapi.c b/source3/librpc/gen_ndr/ndr_libnetapi.c index 25956bff85d..ab2298f9961 100644 --- a/source3/librpc/gen_ndr/ndr_libnetapi.c +++ b/source3/librpc/gen_ndr/ndr_libnetapi.c @@ -46,17 +46,21 @@ _PUBLIC_ enum ndr_err_code ndr_push_domsid(struct ndr_push *ndr, int ndr_flags, _PUBLIC_ enum ndr_err_code ndr_pull_domsid(struct ndr_pull *ndr, int ndr_flags, struct domsid *r) { + uint32_t size_id_auth_0 = 0; + uint32_t size_sub_auths_0 = 0; uint32_t cntr_sub_auths_0; TALLOC_CTX *_mem_save_sub_auths_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_auths)); - NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6)); - NDR_PULL_ALLOC_N(ndr, r->sub_auths, MAXSUBAUTHS); + size_id_auth_0 = 6; + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, size_id_auth_0)); + size_sub_auths_0 = MAXSUBAUTHS; + NDR_PULL_ALLOC_N(ndr, r->sub_auths, size_sub_auths_0); _mem_save_sub_auths_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->sub_auths, 0); - for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < MAXSUBAUTHS; cntr_sub_auths_0++) { + for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < size_sub_auths_0; cntr_sub_auths_0++) { NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sub_auths[cntr_sub_auths_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sub_auths_0, 0); 
@@ -4664,10 +4668,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_USER_INFO_21(struct ndr_push *ndr, int ndr_f _PUBLIC_ enum ndr_err_code ndr_pull_USER_INFO_21(struct ndr_pull *ndr, int ndr_flags, struct USER_INFO_21 *r) { + uint32_t size_usri21_password_0 = 0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 1)); - NDR_PULL_ALLOC_N(ndr, r->usri21_password, ENCRYPTED_PWLEN); - NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri21_password, ENCRYPTED_PWLEN)); + size_usri21_password_0 = ENCRYPTED_PWLEN; + NDR_PULL_ALLOC_N(ndr, r->usri21_password, size_usri21_password_0); + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri21_password, size_usri21_password_0)); } if (ndr_flags & NDR_BUFFERS) { } @@ -4721,13 +4727,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_USER_INFO_22(struct ndr_push *ndr, int ndr_f _PUBLIC_ enum ndr_err_code ndr_pull_USER_INFO_22(struct ndr_pull *ndr, int ndr_flags, struct USER_INFO_22 *r) { + uint32_t size_usri22_password_0 = 0; uint32_t _ptr_usri22_logon_hours; TALLOC_CTX *_mem_save_usri22_logon_hours_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->usri22_name)); - NDR_PULL_ALLOC_N(ndr, r->usri22_password, ENCRYPTED_PWLEN); - NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri22_password, ENCRYPTED_PWLEN)); + size_usri22_password_0 = ENCRYPTED_PWLEN; + NDR_PULL_ALLOC_N(ndr, r->usri22_password, size_usri22_password_0); + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri22_password, size_usri22_password_0)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->usri22_password_age)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->usri22_priv)); NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->usri22_home_dir)); diff --git a/source3/librpc/gen_ndr/ndr_messaging.c b/source3/librpc/gen_ndr/ndr_messaging.c index e1e95eef4ec..8eb778f6bc8 100644 --- a/source3/librpc/gen_ndr/ndr_messaging.c +++ b/source3/librpc/gen_ndr/ndr_messaging.c 
@@ -144,23 +144,26 @@ _PUBLIC_ enum ndr_err_code ndr_push_messaging_array(struct ndr_push *ndr, int nd _PUBLIC_ enum ndr_err_code ndr_pull_messaging_array(struct ndr_pull *ndr, int ndr_flags, struct messaging_array *r) { + uint32_t size_messages_0 = 0; uint32_t cntr_messages_0; TALLOC_CTX *_mem_save_messages_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_messages)); - NDR_PULL_ALLOC_N(ndr, r->messages, r->num_messages); + size_messages_0 = r->num_messages; + NDR_PULL_ALLOC_N(ndr, r->messages, size_messages_0); _mem_save_messages_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->messages, 0); - for (cntr_messages_0 = 0; cntr_messages_0 < r->num_messages; cntr_messages_0++) { + for (cntr_messages_0 = 0; cntr_messages_0 < size_messages_0; cntr_messages_0++) { NDR_CHECK(ndr_pull_messaging_rec(ndr, NDR_SCALARS, &r->messages[cntr_messages_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_messages_0, 0); } if (ndr_flags & NDR_BUFFERS) { + size_messages_0 = r->num_messages; _mem_save_messages_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->messages, 0); - for (cntr_messages_0 = 0; cntr_messages_0 < r->num_messages; cntr_messages_0++) { + for (cntr_messages_0 = 0; cntr_messages_0 < size_messages_0; cntr_messages_0++) { NDR_CHECK(ndr_pull_messaging_rec(ndr, NDR_BUFFERS, &r->messages[cntr_messages_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_messages_0, 0); 
@@ -213,27 +216,35 @@ _PUBLIC_ enum ndr_err_code ndr_push_dbwrap_tdb2_changes(struct ndr_push *ndr, in _PUBLIC_ enum ndr_err_code ndr_pull_dbwrap_tdb2_changes(struct ndr_pull *ndr, int ndr_flags, struct dbwrap_tdb2_changes *r) { + uint32_t size_magic_string_0 = 0; + uint32_t size_name_0 = 0; + uint32_t length_name_0 = 0; + uint32_t size_keys_0 = 0; uint32_t cntr_keys_0; TALLOC_CTX *_mem_save_keys_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic_string, 4, sizeof(uint8_t), CH_DOS)); + size_magic_string_0 = 4; + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic_string, size_magic_string_0, sizeof(uint8_t), CH_DOS)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic_version)); NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); - if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); + size_name_0 = ndr_get_array_size(ndr, &r->name); + length_name_0 = ndr_get_array_length(ndr, &r->name); + if (length_name_0 > size_name_0) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_0, length_name_0); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_name_0, sizeof(uint8_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_0, sizeof(uint8_t), CH_UTF8)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->old_seqnum)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->new_seqnum)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_changes)); 
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_keys)); - NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); + size_keys_0 = r->num_keys; + NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); - for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { + for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); diff --git a/source3/librpc/gen_ndr/ndr_notify.c b/source3/librpc/gen_ndr/ndr_notify.c index d4ac42e9614..7e561de6a58 100644 --- a/source3/librpc/gen_ndr/ndr_notify.c +++ b/source3/librpc/gen_ndr/ndr_notify.c @@ -90,6 +90,7 @@ static enum ndr_err_code ndr_push_notify_depth(struct ndr_push *ndr, int ndr_fla static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_flags, struct notify_depth *r) { + uint32_t size_entries_0 = 0; uint32_t cntr_entries_0; TALLOC_CTX *_mem_save_entries_0; if (ndr_flags & NDR_SCALARS) { 
@@ -97,18 +98,20 @@ static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_fla NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask_subdir)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries)); - NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries); + size_entries_0 = r->num_entries; + NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0); _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); - for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { + for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); } if (ndr_flags & NDR_BUFFERS) { + size_entries_0 = r->num_entries; _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); - for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { + for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); 
@@ -157,23 +160,26 @@ _PUBLIC_ enum ndr_err_code ndr_push_notify_array(struct ndr_push *ndr, int ndr_f _PUBLIC_ enum ndr_err_code ndr_pull_notify_array(struct ndr_pull *ndr, int ndr_flags, struct notify_array *r) { + uint32_t size_depth_0 = 0; uint32_t cntr_depth_0; TALLOC_CTX *_mem_save_depth_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 8)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_depths)); - NDR_PULL_ALLOC_N(ndr, r->depth, r->num_depths); + size_depth_0 = r->num_depths; + NDR_PULL_ALLOC_N(ndr, r->depth, size_depth_0); _mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0); - for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) { + for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) { NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_SCALARS, &r->depth[cntr_depth_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0); } if (ndr_flags & NDR_BUFFERS) { + size_depth_0 = r->num_depths; _mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0); - for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) { + for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) { NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_BUFFERS, &r->depth[cntr_depth_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0); diff --git a/source3/librpc/gen_ndr/ndr_printcap.c b/source3/librpc/gen_ndr/ndr_printcap.c index b6c7ba6387a..6183237d18a 100644 --- a/source3/librpc/gen_ndr/ndr_printcap.c +++ b/source3/librpc/gen_ndr/ndr_printcap.c 
@@ -30,8 +30,12 @@ static enum ndr_err_code ndr_push_pcap_printer(struct ndr_push *ndr, int ndr_fla static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_flags, struct pcap_printer *r) { uint32_t _ptr_name; + uint32_t size_name_1 = 0; + uint32_t length_name_1 = 0; TALLOC_CTX *_mem_save_name_0; uint32_t _ptr_info; + uint32_t size_info_1 = 0; + uint32_t length_info_1 = 0; TALLOC_CTX *_mem_save_info_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); @@ -54,11 +58,13 @@ static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_fla NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); - if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); + size_name_1 = ndr_get_array_size(ndr, &r->name); + length_name_1 = ndr_get_array_length(ndr, &r->name); + if (length_name_1 > size_name_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint8_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint8_t), CH_UTF8)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); } if (r->info) { 
@@ -66,11 +72,13 @@ static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_fla NDR_PULL_SET_MEM_CTX(ndr, r->info, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->info)); NDR_CHECK(ndr_pull_array_length(ndr, &r->info)); - if (ndr_get_array_length(ndr, &r->info) > ndr_get_array_size(ndr, &r->info)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->info), ndr_get_array_length(ndr, &r->info)); + size_info_1 = ndr_get_array_size(ndr, &r->info); + length_info_1 = ndr_get_array_length(ndr, &r->info); + if (length_info_1 > size_info_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_info_1, length_info_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_info_1, sizeof(uint8_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, length_info_1, sizeof(uint8_t), CH_UTF8)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); } } @@ -118,6 +126,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_pcap_data(struct ndr_push *ndr, int ndr_flag _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flags, struct pcap_data *r) { + uint32_t size_printers_0 = 0; uint32_t cntr_printers_0; TALLOC_CTX *_mem_save_printers_0; if (ndr_flags & NDR_SCALARS) { 
@@ -125,10 +134,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flag NDR_CHECK(ndr_pull_align(ndr, 4)); NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->status)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); - NDR_PULL_ALLOC_N(ndr, r->printers, ndr_get_array_size(ndr, &r->printers)); + size_printers_0 = ndr_get_array_size(ndr, &r->printers); + NDR_PULL_ALLOC_N(ndr, r->printers, size_printers_0); _mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0); - for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) { + for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) { NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_SCALARS, &r->printers[cntr_printers_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0); @@ -137,9 +147,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flag } } if (ndr_flags & NDR_BUFFERS) { + size_printers_0 = ndr_get_array_size(ndr, &r->printers); _mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0); - for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) { + for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) { NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_BUFFERS, &r->printers[cntr_printers_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0); |