The branch, v3-5-stable has been updated via 566295f rerun 'make samba3-idl' via 50be426 pidl/NDR/Parser: also do range checks on the array size via 3b837d9 pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength() via a87211b pidl/NDR/Parser: use helper variables for array size and length via 748615f pidl/NDR/Parser: remember if we already know the array length via 459c5b2 pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182) via a67afd3 pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength() via a74a8ed pidl/NDR/Parser: simplify logic in DeclareArrayVariables*() via 31d6686 pidl/NDR/Parser: declare all union helper variables in ParseUnionPull() via 6c2860d pidl:NDR/Parser: fix range() for arrays via 6c417bf WHATSNEW: Prepare release notes for 3.5.14. from 8f46865 WHATSNEW: Start release notes for 3.5.14.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable - Log ----------------------------------------------------------------- commit 566295fa13ff4a848fea517d41bc08aee87966ac Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 18:46:44 2012 +0100 rerun 'make samba3-idl' metze The last 10 patches address bug #8815 (PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182). commit 50be4262f6001f91ade4580c2d67b38c12730d77 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 17:03:05 2012 +0100 pidl/NDR/Parser: also do range checks on the array size metze commit 3b837d94e649e8cbc24ee3ea24a9bced60f9dda8 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 13:14:48 2012 +0100 pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength() metze commit a87211b32bfea3595627882a52c2e90bdcd3e9e8 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 13:13:20 2012 +0100 pidl/NDR/Parser: use helper variables for array size and length metze commit 748615f74486076a023b498c723c0ebeff8a23bb Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 15:07:08 2012 +0100 pidl/NDR/Parser: remember if we already know the array length metze commit 459c5b271a18a25873c1965b11642aa65ea2d220 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 13:07:47 2012 +0100 pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182) An anonymous researcher and Brian Gorenc (HP DVLabs) working with HP's Zero Day Initiative program have found this and notified us. metze commit a67afd3489669afc711cf77a22740f8e1e91779e Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 13:05:39 2012 +0100 pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength() metze commit a74a8ed48f3a89d8f33ad1b1fca6533cc69aabf4 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 13:12:04 2012 +0100 pidl/NDR/Parser: simplify logic in DeclareArrayVariables*() metze commit 31d668651edc6fca45d024283e211533a49c2c4e Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 13:09:51 2012 +0100 pidl/NDR/Parser: declare all union helper variables in ParseUnionPull() metze commit 6c2860d4cfcbf5778e410f598bd2c19b6f0afa83 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Sep 21 05:41:37 2010 +0200 pidl:NDR/Parser: fix range() for arrays metze (cherry picked from commit bea4948acb4bbee2fbf886adeb53edbc84de96da) commit 6c417bf472b8069f2b9cdf639dc8baeb246b13e2 Author: Karolin Seeger <ksee...@samba.org> Date: Sat Apr 7 15:57:14 2012 +0200 WHATSNEW: Prepare release notes for 3.5.14. Karolin ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 15 +- librpc/gen_ndr/ndr_dcerpc.c | 42 +- librpc/gen_ndr/ndr_dfs.c | 840 +++++++---- librpc/gen_ndr/ndr_drsblobs.c | 160 ++- librpc/gen_ndr/ndr_drsuapi.c | 1031 +++++++++----- librpc/gen_ndr/ndr_dssetup.c | 36 +- librpc/gen_ndr/ndr_echo.c | 54 +- librpc/gen_ndr/ndr_epmapper.c | 54 +- librpc/gen_ndr/ndr_eventlog.c | 79 +- librpc/gen_ndr/ndr_krb5pac.c | 22 +- librpc/gen_ndr/ndr_lsa.c | 276 +++-- librpc/gen_ndr/ndr_misc.c | 8 +- librpc/gen_ndr/ndr_named_pipe_auth.c | 122 ++- librpc/gen_ndr/ndr_nbt.c | 78 +- librpc/gen_ndr/ndr_netlogon.c | 1789 +++++++++++++++-------- librpc/gen_ndr/ndr_ntlmssp.c | 60 +- librpc/gen_ndr/ndr_ntsvcs.c | 112 +- librpc/gen_ndr/ndr_samr.c | 182 ++- librpc/gen_ndr/ndr_schannel.c | 52 +- librpc/gen_ndr/ndr_security.c | 18 +- librpc/gen_ndr/ndr_spoolss.c | 2321 ++++++++++++++++++++---------- librpc/gen_ndr/ndr_srvsvc.c | 2178 ++++++++++++++++++---------- librpc/gen_ndr/ndr_svcctl.c | 704 +++++++--- librpc/gen_ndr/ndr_winreg.c | 158 ++- librpc/gen_ndr/ndr_wkssvc.c | 1378 ++++++++++++------ librpc/gen_ndr/ndr_xattr.c | 32 +- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 131 ++- source3/librpc/gen_ndr/ndr_libnetapi.c | 22 +- source3/librpc/gen_ndr/ndr_messaging.c | 31 +- source3/librpc/gen_ndr/ndr_notify.c | 27 +- source3/librpc/gen_ndr/ndr_perfcount.c | 34 +- source3/librpc/gen_ndr/ndr_printcap.c | 59 +- source3/librpc/gen_ndr/ndr_secrets.c | 4 +- source3/librpc/gen_ndr/ndr_wbint.c | 222 ++- 34 files changed, 8140 insertions(+), 4191 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 391af0b..6d5326d 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,20 +1,25 @@ ============================== Release Notes for Samba 3.5.14 - , 2012 + April 10, 2012 ============================== -This is the latest stable release of Samba 3.5. +This is a security release in order to address +CVE-2012-1182 ("root" credential remote code execution). -Major enhancements in Samba 3.5.14 include: +o CVE-2012-1182: + Samba 3.0.x to 3.6.3 are affected by a + vulnerability that allows remote code + execution as the "root" user. -o Changes since 3.5.13: --------------------- -o Jeremy Allison <j...@samba.org> +o Stefan Metzmacher <me...@samba.org> + *BUG 8815: PIDL based autogenerated code allows overwriting beyond of + allocated array (CVE-2012-1182). ###################################################################### diff --git a/librpc/gen_ndr/ndr_dcerpc.c b/librpc/gen_ndr/ndr_dcerpc.c index 37f6d54..bf0ae29 100644 --- a/librpc/gen_ndr/ndr_dcerpc.c +++ b/librpc/gen_ndr/ndr_dcerpc.c @@ -24,6 +24,7 @@ static enum ndr_err_code ndr_push_dcerpc_ctx_list(struct ndr_push *ndr, int ndr_ static enum ndr_err_code ndr_pull_dcerpc_ctx_list(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_ctx_list *r) { + uint32_t size_transfer_syntaxes_0 = 0; uint32_t cntr_transfer_syntaxes_0; TALLOC_CTX *_mem_save_transfer_syntaxes_0; if (ndr_flags & NDR_SCALARS) { @@ -31,10 +32,11 @@ static enum ndr_err_code ndr_pull_dcerpc_ctx_list(struct ndr_pull *ndr, int ndr_ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->context_id)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_transfer_syntaxes)); NDR_CHECK(ndr_pull_ndr_syntax_id(ndr, NDR_SCALARS, &r->abstract_syntax)); - NDR_PULL_ALLOC_N(ndr, r->transfer_syntaxes, r->num_transfer_syntaxes); + size_transfer_syntaxes_0 = r->num_transfer_syntaxes; + NDR_PULL_ALLOC_N(ndr, r->transfer_syntaxes, size_transfer_syntaxes_0); _mem_save_transfer_syntaxes_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->transfer_syntaxes, 0); - for (cntr_transfer_syntaxes_0 = 0; cntr_transfer_syntaxes_0 < r->num_transfer_syntaxes; cntr_transfer_syntaxes_0++) { + for (cntr_transfer_syntaxes_0 = 0; cntr_transfer_syntaxes_0 < size_transfer_syntaxes_0; cntr_transfer_syntaxes_0++) { NDR_CHECK(ndr_pull_ndr_syntax_id(ndr, NDR_SCALARS, &r->transfer_syntaxes[cntr_transfer_syntaxes_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transfer_syntaxes_0, 0); @@ -99,6 +101,7 @@ static enum ndr_err_code ndr_push_dcerpc_bind(struct ndr_push *ndr, int ndr_flag static enum ndr_err_code ndr_pull_dcerpc_bind(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind *r) { + uint32_t size_ctx_list_0 = 0; uint32_t cntr_ctx_list_0; TALLOC_CTX *_mem_save_ctx_list_0; if (ndr_flags & NDR_SCALARS) { @@ -107,10 +110,11 @@ static enum ndr_err_code ndr_pull_dcerpc_bind(struct ndr_pull *ndr, int ndr_flag NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->max_recv_frag)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->assoc_group_id)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_contexts)); - NDR_PULL_ALLOC_N(ndr, r->ctx_list, r->num_contexts); + size_ctx_list_0 = r->num_contexts; + NDR_PULL_ALLOC_N(ndr, r->ctx_list, size_ctx_list_0); _mem_save_ctx_list_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->ctx_list, 0); - for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < r->num_contexts; cntr_ctx_list_0++) { + for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < size_ctx_list_0; cntr_ctx_list_0++) { NDR_CHECK(ndr_pull_dcerpc_ctx_list(ndr, NDR_SCALARS, &r->ctx_list[cntr_ctx_list_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ctx_list_0, 0); @@ -406,6 +410,8 @@ static enum ndr_err_code ndr_push_dcerpc_bind_ack(struct ndr_push *ndr, int ndr_ static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_ack *r) { + uint32_t size_secondary_address_0 = 0; + uint32_t size_ctx_list_0 = 0; uint32_t cntr_ctx_list_0; TALLOC_CTX *_mem_save_ctx_list_0; if (ndr_flags & NDR_SCALARS) { @@ -414,7 +420,8 @@ static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->max_recv_frag)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->assoc_group_id)); NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->secondary_address_size)); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->secondary_address, r->secondary_address_size, sizeof(uint8_t), CH_DOS)); + size_secondary_address_0 = r->secondary_address_size; + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->secondary_address, size_secondary_address_0, sizeof(uint8_t), CH_DOS)); { uint32_t _flags_save_DATA_BLOB = ndr->flags; ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN4); @@ -422,10 +429,11 @@ static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_ ndr->flags = _flags_save_DATA_BLOB; } NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_results)); - NDR_PULL_ALLOC_N(ndr, r->ctx_list, r->num_results); + size_ctx_list_0 = r->num_results; + NDR_PULL_ALLOC_N(ndr, r->ctx_list, size_ctx_list_0); _mem_save_ctx_list_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->ctx_list, 0); - for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < r->num_results; cntr_ctx_list_0++) { + for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < size_ctx_list_0; cntr_ctx_list_0++) { NDR_CHECK(ndr_pull_dcerpc_ack_ctx(ndr, NDR_SCALARS, &r->ctx_list[cntr_ctx_list_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ctx_list_0, 0); @@ -486,15 +494,17 @@ static enum ndr_err_code ndr_push_dcerpc_bind_nak_versions(struct ndr_push *ndr, static enum ndr_err_code ndr_pull_dcerpc_bind_nak_versions(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_nak_versions *r) { + uint32_t size_versions_0 = 0; uint32_t cntr_versions_0; TALLOC_CTX *_mem_save_versions_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_versions)); - NDR_PULL_ALLOC_N(ndr, r->versions, r->num_versions); + size_versions_0 = r->num_versions; + NDR_PULL_ALLOC_N(ndr, r->versions, size_versions_0); _mem_save_versions_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->versions, 0); - for (cntr_versions_0 = 0; cntr_versions_0 < r->num_versions; cntr_versions_0++) { + for (cntr_versions_0 = 0; cntr_versions_0 < size_versions_0; cntr_versions_0++) { NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->versions[cntr_versions_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_versions_0, 0); @@ -1107,6 +1117,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_dcerpc_fack(struct ndr_push *ndr, int ndr_fl _PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_fack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_fack *r) { + uint32_t size_selack_0 = 0; uint32_t cntr_selack_0; TALLOC_CTX *_mem_save_selack_0; if (ndr_flags & NDR_SCALARS) { @@ -1118,10 +1129,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_fack(struct ndr_pull *ndr, int ndr_fl NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_frag_size)); NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->serial_no)); NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->selack_size)); - NDR_PULL_ALLOC_N(ndr, r->selack, r->selack_size); + size_selack_0 = r->selack_size; + NDR_PULL_ALLOC_N(ndr, r->selack, size_selack_0); _mem_save_selack_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->selack, 0); - for (cntr_selack_0 = 0; cntr_selack_0 < r->selack_size; cntr_selack_0++) { + for (cntr_selack_0 = 0; cntr_selack_0 < size_selack_0; cntr_selack_0++) { NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->selack[cntr_selack_0])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_selack_0, 0); @@ -1753,13 +1765,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_ncacn_packet(struct ndr_push *ndr, int ndr_f _PUBLIC_ enum ndr_err_code ndr_pull_ncacn_packet(struct ndr_pull *ndr, int ndr_flags, struct ncacn_packet *r) { + uint32_t size_drep_0 = 0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers_minor)); NDR_CHECK(ndr_pull_dcerpc_pkt_type(ndr, NDR_SCALARS, &r->ptype)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pfc_flags)); - NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, 4)); + size_drep_0 = 4; + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, size_drep_0)); NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->frag_length)); NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->auth_length)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->call_id)); @@ -1825,13 +1839,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_ncadg_packet(struct ndr_push *ndr, int ndr_f _PUBLIC_ enum ndr_err_code ndr_pull_ncadg_packet(struct ndr_pull *ndr, int ndr_flags, struct ncadg_packet *r) { + uint32_t size_drep_0 = 0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->ptype)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pfc_flags)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->ncadg_flags)); - NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, 3)); + size_drep_0 = 3; + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, size_drep_0)); NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->serial_high)); NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->object)); NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->iface)); diff --git a/librpc/gen_ndr/ndr_dfs.c b/librpc/gen_ndr/ndr_dfs.c index 62f42ba..bbadbeb 100644 --- a/librpc/gen_ndr/ndr_dfs.c +++ b/librpc/gen_ndr/ndr_dfs.c @@ -81,6 +81,8 @@ static enum ndr_err_code ndr_push_dfs_Info1(struct ndr_push *ndr, int ndr_flags, static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info1 *r) { uint32_t _ptr_path; + uint32_t size_path_1 = 0; + uint32_t length_path_1 = 0; TALLOC_CTX *_mem_save_path_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 5)); @@ -98,11 +100,13 @@ static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); - if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); + size_path_1 = ndr_get_array_size(ndr, &r->path); + length_path_1 = ndr_get_array_length(ndr, &r->path); + if (length_path_1 > size_path_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); } } @@ -179,8 +183,12 @@ static enum ndr_err_code ndr_push_dfs_Info2(struct ndr_push *ndr, int ndr_flags, static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info2 *r) { uint32_t _ptr_path; + uint32_t size_path_1 = 0; + uint32_t length_path_1 = 0; TALLOC_CTX *_mem_save_path_0; uint32_t _ptr_comment; + uint32_t size_comment_1 = 0; + uint32_t length_comment_1 = 0; TALLOC_CTX *_mem_save_comment_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 5)); @@ -206,11 +214,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); - if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); + size_path_1 = ndr_get_array_size(ndr, &r->path); + length_path_1 = ndr_get_array_length(ndr, &r->path); + if (length_path_1 > size_path_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); } if (r->comment) { @@ -218,11 +228,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); - if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); + size_comment_1 = ndr_get_array_size(ndr, &r->comment); + length_comment_1 = ndr_get_array_length(ndr, &r->comment); + if (length_comment_1 > size_comment_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); } } @@ -303,8 +315,12 @@ static enum ndr_err_code ndr_push_dfs_StorageInfo(struct ndr_push *ndr, int ndr_ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_flags, struct dfs_StorageInfo *r) { uint32_t _ptr_server; + uint32_t size_server_1 = 0; + uint32_t length_server_1 = 0; TALLOC_CTX *_mem_save_server_0; uint32_t _ptr_share; + uint32_t size_share_1 = 0; + uint32_t length_share_1 = 0; TALLOC_CTX *_mem_save_share_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 5)); @@ -329,11 +345,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_ NDR_PULL_SET_MEM_CTX(ndr, r->server, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->server)); NDR_CHECK(ndr_pull_array_length(ndr, &r->server)); - if (ndr_get_array_length(ndr, &r->server) > ndr_get_array_size(ndr, &r->server)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server), ndr_get_array_length(ndr, &r->server)); + size_server_1 = ndr_get_array_size(ndr, &r->server); + length_server_1 = ndr_get_array_length(ndr, &r->server); + if (length_server_1 > size_server_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, length_server_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); } if (r->share) { @@ -341,11 +359,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_ NDR_PULL_SET_MEM_CTX(ndr, r->share, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->share)); NDR_CHECK(ndr_pull_array_length(ndr, &r->share)); - if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share)); + size_share_1 = ndr_get_array_size(ndr, &r->share); + length_share_1 = ndr_get_array_length(ndr, &r->share); + if (length_share_1 > size_share_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); } } @@ -413,10 +433,15 @@ static enum ndr_err_code ndr_push_dfs_Info3(struct ndr_push *ndr, int ndr_flags, static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info3 *r) { uint32_t _ptr_path; + uint32_t size_path_1 = 0; + uint32_t length_path_1 = 0; TALLOC_CTX *_mem_save_path_0; uint32_t _ptr_comment; + uint32_t size_comment_1 = 0; + uint32_t length_comment_1 = 0; TALLOC_CTX *_mem_save_comment_0; uint32_t _ptr_stores; + uint32_t size_stores_1 = 0; uint32_t cntr_stores_1; TALLOC_CTX *_mem_save_stores_0; TALLOC_CTX *_mem_save_stores_1; @@ -450,11 +475,13 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); - if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); + size_path_1 = ndr_get_array_size(ndr, &r->path); + length_path_1 = ndr_get_array_length(ndr, &r->path); + if (length_path_1 > size_path_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); } if (r->comment) { @@ -462,24 +489,27 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); - if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); + size_comment_1 = ndr_get_array_size(ndr, &r->comment); + length_comment_1 = ndr_get_array_length(ndr, &r->comment); + if (length_comment_1 > size_comment_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); } if (r->stores) { _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); - NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); + size_stores_1 = ndr_get_array_size(ndr, &r->stores); + NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); - for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { + for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); } - for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { + for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); @@ -572,10 +602,15 @@ static enum ndr_err_code ndr_push_dfs_Info4(struct ndr_push *ndr, int ndr_flags, static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info4 *r) { uint32_t _ptr_path; + uint32_t size_path_1 = 0; + uint32_t length_path_1 = 0; TALLOC_CTX *_mem_save_path_0; uint32_t _ptr_comment; + uint32_t size_comment_1 = 0; + uint32_t length_comment_1 = 0; TALLOC_CTX *_mem_save_comment_0; uint32_t _ptr_stores; + uint32_t size_stores_1 = 0; uint32_t cntr_stores_1; TALLOC_CTX *_mem_save_stores_0; TALLOC_CTX *_mem_save_stores_1; @@ -611,11 +646,13 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); - if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); + size_path_1 = ndr_get_array_size(ndr, &r->path); + length_path_1 = ndr_get_array_length(ndr, &r->path); + if (length_path_1 > size_path_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); } if (r->comment) { @@ -623,24 +660,27 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); - if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); + size_comment_1 = ndr_get_array_size(ndr, &r->comment); + length_comment_1 = ndr_get_array_length(ndr, &r->comment); + if (length_comment_1 > size_comment_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); } if (r->stores) { _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); - NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); + size_stores_1 = ndr_get_array_size(ndr, &r->stores); + NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); - for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { + for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); } - for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { + for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); } NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); @@ -752,8 +792,12 @@ static enum ndr_err_code ndr_push_dfs_Info5(struct ndr_push *ndr, int ndr_flags, static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info5 *r) { uint32_t _ptr_path; + uint32_t size_path_1 = 0; + uint32_t length_path_1 = 0; TALLOC_CTX *_mem_save_path_0; uint32_t _ptr_comment; + uint32_t size_comment_1 = 0; + uint32_t length_comment_1 = 0; TALLOC_CTX *_mem_save_comment_0; if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 5)); @@ -783,11 +827,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); - if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); + size_path_1 = ndr_get_array_size(ndr, &r->path); + length_path_1 = ndr_get_array_length(ndr, &r->path); + if (length_path_1 > size_path_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); } - NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); - NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); } if (r->comment) { @@ -795,11 +841,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); - if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { - return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); + size_comment_1 = ndr_get_array_size(ndr, &r->comment); + length_comment_1 = ndr_get_array_length(ndr, &r->comment); + if (length_comment_1 > size_comment_1) { + return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); -- Samba Shared Repository