From 9123504f2b6f9af458510721416cb25993959a31 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 15 Mar 2012 18:51:29 +0100
Subject: rerun 'make samba3-idl'
metze
The last 12 patches address bug #8815 (PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182).
---
 source3/librpc/gen_ndr/ndr_printcap.c | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)
(limited to 'source3/librpc/gen_ndr/ndr_printcap.c')
diff --git a/source3/librpc/gen_ndr/ndr_printcap.c b/source3/librpc/gen_ndr/ndr_printcap.c
index b6c7ba6387a..6183237d18a 100644
--- a/source3/librpc/gen_ndr/ndr_printcap.c
+++ b/source3/librpc/gen_ndr/ndr_printcap.c
@@ -30,8 +30,12 @@ static enum ndr_err_code ndr_push_pcap_printer(struct ndr_push *ndr, int ndr_fla
 static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_flags, struct pcap_printer *r)
 {
 uint32_t _ptr_name;
+ uint32_t size_name_1 = 0;
+ uint32_t length_name_1 = 0;
 TALLOC_CTX *_mem_save_name_0;
 uint32_t _ptr_info;
+ uint32_t size_info_1 = 0;
+ uint32_t length_info_1 = 0;
 TALLOC_CTX *_mem_save_info_0;
 if (ndr_flags & NDR_SCALARS) {
 NDR_CHECK(ndr_pull_align(ndr, 4));
@@ -54,11 +58,13 @@ static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_fla
 NDR_PULL_SET_MEM_CTX(ndr, r->name, 0);
 NDR_CHECK(ndr_pull_array_size(ndr, &r->name));
 NDR_CHECK(ndr_pull_array_length(ndr, &r->name));
- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name));
+ size_name_1 = ndr_get_array_size(ndr, &r->name);
+ length_name_1 = ndr_get_array_length(ndr, &r->name);
+ if (length_name_1 > size_name_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1);
 }
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint8_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint8_t), CH_UTF8));
 NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0);
 }
 if (r->info) {
@@ -66,11 +72,13 @@ static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_fla
 NDR_PULL_SET_MEM_CTX(ndr, r->info, 0);
 NDR_CHECK(ndr_pull_array_size(ndr, &r->info));
 NDR_CHECK(ndr_pull_array_length(ndr, &r->info));
- if (ndr_get_array_length(ndr, &r->info) > ndr_get_array_size(ndr, &r->info)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->info), ndr_get_array_length(ndr, &r->info));
+ size_info_1 = ndr_get_array_size(ndr, &r->info);
+ length_info_1 = ndr_get_array_length(ndr, &r->info);
+ if (length_info_1 > size_info_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_info_1, length_info_1);
 }
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t), CH_UTF8));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_info_1, sizeof(uint8_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, length_info_1, sizeof(uint8_t), CH_UTF8));
 NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0);
 }
 }
@@ -118,6 +126,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_pcap_data(struct ndr_push *ndr, int ndr_flag
 
 _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flags, struct pcap_data *r)
 {
+ uint32_t size_printers_0 = 0;
 uint32_t cntr_printers_0;
 TALLOC_CTX *_mem_save_printers_0;
 if (ndr_flags & NDR_SCALARS) {
@@ -125,10 +134,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flag
 NDR_CHECK(ndr_pull_align(ndr, 4));
 NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->status));
 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count));
- NDR_PULL_ALLOC_N(ndr, r->printers, ndr_get_array_size(ndr, &r->printers));
+ size_printers_0 = ndr_get_array_size(ndr, &r->printers);
+ NDR_PULL_ALLOC_N(ndr, r->printers, size_printers_0);
 _mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr);
 NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0);
- for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) {
+ for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) {
 NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_SCALARS, &r->printers[cntr_printers_0]));
 }
 NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0);
@@ -137,9 +147,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flag
 }
 }
 if (ndr_flags & NDR_BUFFERS) {
+ size_printers_0 = ndr_get_array_size(ndr, &r->printers);
 _mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr);
 NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0);
- for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) {
+ for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) {
 NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_BUFFERS, &r->printers[cntr_printers_0]));
 }
 NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0);
-- 
cgit v1.2.1