[SCM] Samba Shared Repository - branch v3-5-test updated
Karolin Seeger
kseeger at samba.org
Tue Apr 10 12:31:17 MDT 2012
The branch, v3-5-test has been updated
via bbec0c2 WHATSNEW: Start release notes for Samba 3.5.15.
via c2e6603 VERSION: Bump version up to 3.5.15.
via 1216283 rerun 'make samba3-idl'
via 225bbba pidl/NDR/Parser: also do range checks on the array size
via b0621c6 pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength()
via 37e0886 pidl/NDR/Parser: use helper variables for array size and length
via 6944011 pidl/NDR/Parser: remember if we already know the array length
via 5aabf5c pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
via 2c182a6 pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength()
via a7f9c33 pidl/NDR/Parser: simplify logic in DeclareArrayVariables*()
via 7b6fa63 pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()
via cd002a9 pidl:NDR/Parser: fix range() for arrays
via 22d4a37 WHATSNEW: Prepare release notes for 3.5.14.
from c352832 Fix bug 8314] - smbd crash with unknown user.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test
- Log -----------------------------------------------------------------
commit bbec0c29c072c818646f0225ddd9918b2b890c1d
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Apr 10 20:26:01 2012 +0200
WHATSNEW: Start release notes for Samba 3.5.15.
Karolin
(cherry picked from commit 1cc0306c14624784a4efb3d224415279b0e49d3e)
commit c2e6603db7fafe411cd615618948905a5568cffc
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Apr 10 20:24:15 2012 +0200
VERSION: Bump version up to 3.5.15.
Karolin
(cherry picked from commit f6f954a821ff57b186895b057b3def9aa40c6e39)
commit 12162837d40b123e19fb92e3ac46d3e3d07ae6e1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 18:46:44 2012 +0100
rerun 'make samba3-idl'
metze
The last 10 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
(cherry picked from commit 566295fa13ff4a848fea517d41bc08aee87966ac)
commit 225bbba09101ebf65dbe97efcf494684b0bdcde6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 17:03:05 2012 +0100
pidl/NDR/Parser: also do range checks on the array size
metze
(cherry picked from commit 50be4262f6001f91ade4580c2d67b38c12730d77)
commit b0621c6f4f24ec99a6d8b2f41da1a1fe8ce1c5ac
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:14:48 2012 +0100
pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength()
metze
(cherry picked from commit 3b837d94e649e8cbc24ee3ea24a9bced60f9dda8)
commit 37e08868044d29f79205dbe20608f370d362bb3c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:13:20 2012 +0100
pidl/NDR/Parser: use helper variables for array size and length
metze
(cherry picked from commit a87211b32bfea3595627882a52c2e90bdcd3e9e8)
commit 6944011a503e981d8f3fec8c970480f699ddeff3
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 15:07:08 2012 +0100
pidl/NDR/Parser: remember if we already know the array length
metze
(cherry picked from commit 748615f74486076a023b498c723c0ebeff8a23bb)
commit 5aabf5cbb35769ac53febbe13953dc822a5d0bad
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:07:47 2012 +0100
pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.
metze
(cherry picked from commit 459c5b271a18a25873c1965b11642aa65ea2d220)
commit 2c182a6b89d79aa9ef9e0660a27e8389645424d2
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:05:39 2012 +0100
pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength()
metze
(cherry picked from commit a67afd3489669afc711cf77a22740f8e1e91779e)
commit a7f9c3331c688116474aac5060df7ca2c2f49358
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:12:04 2012 +0100
pidl/NDR/Parser: simplify logic in DeclareArrayVariables*()
metze
(cherry picked from commit a74a8ed48f3a89d8f33ad1b1fca6533cc69aabf4)
commit 7b6fa638bd1121794af4ca12069329ca1399cd9d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:09:51 2012 +0100
pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()
metze
(cherry picked from commit 31d668651edc6fca45d024283e211533a49c2c4e)
commit cd002a90231673518a257cac67630376559907a7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 21 05:41:37 2010 +0200
pidl:NDR/Parser: fix range() for arrays
metze
(cherry picked from commit bea4948acb4bbee2fbf886adeb53edbc84de96da)
(cherry picked from commit 6c2860d4cfcbf5778e410f598bd2c19b6f0afa83)
commit 22d4a3781224e63ed249404318a19270ca7b1355
Author: Karolin Seeger <kseeger at samba.org>
Date: Sat Apr 7 15:57:14 2012 +0200
WHATSNEW: Prepare release notes for 3.5.14.
Karolin
(cherry picked from commit 6c417bf472b8069f2b9cdf639dc8baeb246b13e2)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 57 +-
librpc/gen_ndr/ndr_dcerpc.c | 42 +-
librpc/gen_ndr/ndr_dfs.c | 840 +++++++----
librpc/gen_ndr/ndr_drsblobs.c | 160 ++-
librpc/gen_ndr/ndr_drsuapi.c | 1031 +++++++++-----
librpc/gen_ndr/ndr_dssetup.c | 36 +-
librpc/gen_ndr/ndr_echo.c | 54 +-
librpc/gen_ndr/ndr_epmapper.c | 54 +-
librpc/gen_ndr/ndr_eventlog.c | 79 +-
librpc/gen_ndr/ndr_krb5pac.c | 22 +-
librpc/gen_ndr/ndr_lsa.c | 276 +++--
librpc/gen_ndr/ndr_misc.c | 8 +-
librpc/gen_ndr/ndr_named_pipe_auth.c | 122 ++-
librpc/gen_ndr/ndr_nbt.c | 78 +-
librpc/gen_ndr/ndr_netlogon.c | 1789 +++++++++++++++--------
librpc/gen_ndr/ndr_ntlmssp.c | 60 +-
librpc/gen_ndr/ndr_ntsvcs.c | 112 +-
librpc/gen_ndr/ndr_samr.c | 182 ++-
librpc/gen_ndr/ndr_schannel.c | 52 +-
librpc/gen_ndr/ndr_security.c | 18 +-
librpc/gen_ndr/ndr_spoolss.c | 2321 ++++++++++++++++++++----------
librpc/gen_ndr/ndr_srvsvc.c | 2178 ++++++++++++++++++----------
librpc/gen_ndr/ndr_svcctl.c | 704 +++++++---
librpc/gen_ndr/ndr_winreg.c | 158 ++-
librpc/gen_ndr/ndr_wkssvc.c | 1378 ++++++++++++------
librpc/gen_ndr/ndr_xattr.c | 32 +-
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 131 ++-
source3/VERSION | 2 +-
source3/librpc/gen_ndr/ndr_libnetapi.c | 22 +-
source3/librpc/gen_ndr/ndr_messaging.c | 31 +-
source3/librpc/gen_ndr/ndr_notify.c | 27 +-
source3/librpc/gen_ndr/ndr_perfcount.c | 34 +-
source3/librpc/gen_ndr/ndr_printcap.c | 59 +-
source3/librpc/gen_ndr/ndr_secrets.c | 4 +-
source3/librpc/gen_ndr/ndr_wbint.c | 222 ++-
35 files changed, 8183 insertions(+), 4192 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 391af0b..712748f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,20 +1,20 @@
==============================
- Release Notes for Samba 3.5.14
- , 2012
+ Release Notes for Samba 3.5.15
+ , 2012
==============================
This is the latest stable release of Samba 3.5.
-Major enhancements in Samba 3.5.14 include:
+Major enhancements in Samba 3.5.15 include:
o
-Changes since 3.5.13:
+Changes since 3.5.14:
---------------------
-o Jeremy Allison <jra at samba.org>
+o Stefan Metzmacher <metze at samba.org>
######################################################################
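Review bot: The new 3.5.15 header in this hunk is committed with a blank date (", 2012"), an empty "o" bullet under "Major enhancements in Samba 3.5.15 include:", and an "o Stefan Metzmacher" contributor line with no change listed under it. That is expected for a "Start release notes" commit, but each placeholder needs to be filled in or dropped before 3.5.15 is released, so that the notes do not go out claiming an enhancement list with nothing in it.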
@@ -41,6 +41,53 @@ Release notes for older releases follow:
----------------------------------------
==============================
+ Release Notes for Samba 3.5.14
+ April 10, 2012
+ ==============================
+
+
+This is a security release in order to address
+CVE-2012-1182 ("root" credential remote code execution).
+
+o CVE-2012-1182:
+ Samba 3.0.x to 3.6.3 are affected by a
+ vulnerability that allows remote code
+ execution as the "root" user.
+
+
+Changes since 3.5.13:
+---------------------
+
+
+o Stefan Metzmacher <metze at samba.org>
+ *BUG 8815: PIDL based autogenerated code allows overwriting beyond of
+ allocated array (CVE-2012-1182).
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.5 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
Release Notes for Samba 3.5.13
March 12, 2012
==============================
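Review bot: The headline of the 3.5.14 section, CVE-2012-1182 ("root" credential remote code execution), can be read as saying that root credentials are needed, while the bullet directly below says the flaw "allows remote code execution as the "root" user". Suggest wording the headline the same way as the bullet. The entry also gives the affected range ("Samba 3.0.x to 3.6.3") without saying in that paragraph that the defect is in the PIDL autogenerated code; that detail only appears further down under BUG 8815, and one sentence tying the two together would help an administrator who reads only the summary.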
diff --git a/librpc/gen_ndr/ndr_dcerpc.c b/librpc/gen_ndr/ndr_dcerpc.c
index 37f6d54..bf0ae29 100644
--- a/librpc/gen_ndr/ndr_dcerpc.c
+++ b/librpc/gen_ndr/ndr_dcerpc.c
@@ -24,6 +24,7 @@ static enum ndr_err_code ndr_push_dcerpc_ctx_list(struct ndr_push *ndr, int ndr_
static enum ndr_err_code ndr_pull_dcerpc_ctx_list(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_ctx_list *r)
{
+ uint32_t size_transfer_syntaxes_0 = 0;
uint32_t cntr_transfer_syntaxes_0;
TALLOC_CTX *_mem_save_transfer_syntaxes_0;
if (ndr_flags & NDR_SCALARS) {
@@ -31,10 +32,11 @@ static enum ndr_err_code ndr_pull_dcerpc_ctx_list(struct ndr_pull *ndr, int ndr_
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->context_id));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_transfer_syntaxes));
NDR_CHECK(ndr_pull_ndr_syntax_id(ndr, NDR_SCALARS, &r->abstract_syntax));
- NDR_PULL_ALLOC_N(ndr, r->transfer_syntaxes, r->num_transfer_syntaxes);
+ size_transfer_syntaxes_0 = r->num_transfer_syntaxes;
+ NDR_PULL_ALLOC_N(ndr, r->transfer_syntaxes, size_transfer_syntaxes_0);
_mem_save_transfer_syntaxes_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->transfer_syntaxes, 0);
- for (cntr_transfer_syntaxes_0 = 0; cntr_transfer_syntaxes_0 < r->num_transfer_syntaxes; cntr_transfer_syntaxes_0++) {
+ for (cntr_transfer_syntaxes_0 = 0; cntr_transfer_syntaxes_0 < size_transfer_syntaxes_0; cntr_transfer_syntaxes_0++) {
NDR_CHECK(ndr_pull_ndr_syntax_id(ndr, NDR_SCALARS, &r->transfer_syntaxes[cntr_transfer_syntaxes_0]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transfer_syntaxes_0, 0);
@@ -99,6 +101,7 @@ static enum ndr_err_code ndr_push_dcerpc_bind(struct ndr_push *ndr, int ndr_flag
static enum ndr_err_code ndr_pull_dcerpc_bind(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind *r)
{
+ uint32_t size_ctx_list_0 = 0;
uint32_t cntr_ctx_list_0;
TALLOC_CTX *_mem_save_ctx_list_0;
if (ndr_flags & NDR_SCALARS) {
@@ -107,10 +110,11 @@ static enum ndr_err_code ndr_pull_dcerpc_bind(struct ndr_pull *ndr, int ndr_flag
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->max_recv_frag));
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->assoc_group_id));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_contexts));
- NDR_PULL_ALLOC_N(ndr, r->ctx_list, r->num_contexts);
+ size_ctx_list_0 = r->num_contexts;
+ NDR_PULL_ALLOC_N(ndr, r->ctx_list, size_ctx_list_0);
_mem_save_ctx_list_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->ctx_list, 0);
- for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < r->num_contexts; cntr_ctx_list_0++) {
+ for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < size_ctx_list_0; cntr_ctx_list_0++) {
NDR_CHECK(ndr_pull_dcerpc_ctx_list(ndr, NDR_SCALARS, &r->ctx_list[cntr_ctx_list_0]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ctx_list_0, 0);
@@ -406,6 +410,8 @@ static enum ndr_err_code ndr_push_dcerpc_bind_ack(struct ndr_push *ndr, int ndr_
static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_ack *r)
{
+ uint32_t size_secondary_address_0 = 0;
+ uint32_t size_ctx_list_0 = 0;
uint32_t cntr_ctx_list_0;
TALLOC_CTX *_mem_save_ctx_list_0;
if (ndr_flags & NDR_SCALARS) {
@@ -414,7 +420,8 @@ static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->max_recv_frag));
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->assoc_group_id));
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->secondary_address_size));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->secondary_address, r->secondary_address_size, sizeof(uint8_t), CH_DOS));
+ size_secondary_address_0 = r->secondary_address_size;
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->secondary_address, size_secondary_address_0, sizeof(uint8_t), CH_DOS));
{
uint32_t _flags_save_DATA_BLOB = ndr->flags;
ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN4);
@@ -422,10 +429,11 @@ static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_
ndr->flags = _flags_save_DATA_BLOB;
}
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_results));
- NDR_PULL_ALLOC_N(ndr, r->ctx_list, r->num_results);
+ size_ctx_list_0 = r->num_results;
+ NDR_PULL_ALLOC_N(ndr, r->ctx_list, size_ctx_list_0);
_mem_save_ctx_list_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->ctx_list, 0);
- for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < r->num_results; cntr_ctx_list_0++) {
+ for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < size_ctx_list_0; cntr_ctx_list_0++) {
NDR_CHECK(ndr_pull_dcerpc_ack_ctx(ndr, NDR_SCALARS, &r->ctx_list[cntr_ctx_list_0]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ctx_list_0, 0);
@@ -486,15 +494,17 @@ static enum ndr_err_code ndr_push_dcerpc_bind_nak_versions(struct ndr_push *ndr,
static enum ndr_err_code ndr_pull_dcerpc_bind_nak_versions(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_nak_versions *r)
{
+ uint32_t size_versions_0 = 0;
uint32_t cntr_versions_0;
TALLOC_CTX *_mem_save_versions_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_versions));
- NDR_PULL_ALLOC_N(ndr, r->versions, r->num_versions);
+ size_versions_0 = r->num_versions;
+ NDR_PULL_ALLOC_N(ndr, r->versions, size_versions_0);
_mem_save_versions_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->versions, 0);
- for (cntr_versions_0 = 0; cntr_versions_0 < r->num_versions; cntr_versions_0++) {
+ for (cntr_versions_0 = 0; cntr_versions_0 < size_versions_0; cntr_versions_0++) {
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->versions[cntr_versions_0]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_versions_0, 0);
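Review bot: In ndr_pull_dcerpc_bind_nak_versions, size_versions_0 is copied from r->num_versions, a uint32 pulled from the wire one line earlier, and passed to NDR_PULL_ALLOC_N with no upper bound. Sharing one variable between the allocation and the loop is the right shape, but the element count is still whatever the peer sent, and the allocation happens before any ndr_pull_uint32 in the loop can fail on a short buffer. A range() on num_versions in the IDL would reject an implausible count before memory is requested.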
@@ -1107,6 +1117,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_dcerpc_fack(struct ndr_push *ndr, int ndr_fl
_PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_fack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_fack *r)
{
+ uint32_t size_selack_0 = 0;
uint32_t cntr_selack_0;
TALLOC_CTX *_mem_save_selack_0;
if (ndr_flags & NDR_SCALARS) {
@@ -1118,10 +1129,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_fack(struct ndr_pull *ndr, int ndr_fl
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_frag_size));
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->serial_no));
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->selack_size));
- NDR_PULL_ALLOC_N(ndr, r->selack, r->selack_size);
+ size_selack_0 = r->selack_size;
+ NDR_PULL_ALLOC_N(ndr, r->selack, size_selack_0);
_mem_save_selack_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->selack, 0);
- for (cntr_selack_0 = 0; cntr_selack_0 < r->selack_size; cntr_selack_0++) {
+ for (cntr_selack_0 = 0; cntr_selack_0 < size_selack_0; cntr_selack_0++) {
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->selack[cntr_selack_0]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_selack_0, 0);
@@ -1753,13 +1765,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_ncacn_packet(struct ndr_push *ndr, int ndr_f
_PUBLIC_ enum ndr_err_code ndr_pull_ncacn_packet(struct ndr_pull *ndr, int ndr_flags, struct ncacn_packet *r)
{
+ uint32_t size_drep_0 = 0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers_minor));
NDR_CHECK(ndr_pull_dcerpc_pkt_type(ndr, NDR_SCALARS, &r->ptype));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pfc_flags));
- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, 4));
+ size_drep_0 = 4;
+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, size_drep_0));
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->frag_length));
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->auth_length));
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->call_id));
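Review bot: Style point on "size_drep_0 = 4;" in ndr_pull_ncacn_packet: the fixed array dimension is now written as a literal into a runtime variable, which repeats the size of r->drep instead of deriving it from the declaration. Since this is generator output, consider having the parser emit the dimension from the array type (for example via a sizeof on r->drep), so that the pull code and the struct cannot drift apart if the IDL changes. The same applies to "size_drep_0 = 3;" in ndr_pull_ncadg_packet.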
@@ -1825,13 +1839,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_ncadg_packet(struct ndr_push *ndr, int ndr_f
_PUBLIC_ enum ndr_err_code ndr_pull_ncadg_packet(struct ndr_pull *ndr, int ndr_flags, struct ncadg_packet *r)
{
+ uint32_t size_drep_0 = 0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->ptype));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pfc_flags));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->ncadg_flags));
- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, 3));
+ size_drep_0 = 3;
+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, size_drep_0));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->serial_high));
NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->object));
NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->iface));
diff --git a/librpc/gen_ndr/ndr_dfs.c b/librpc/gen_ndr/ndr_dfs.c
index 62f42ba..bbadbeb 100644
--- a/librpc/gen_ndr/ndr_dfs.c
+++ b/librpc/gen_ndr/ndr_dfs.c
@@ -81,6 +81,8 @@ static enum ndr_err_code ndr_push_dfs_Info1(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info1 *r)
{
uint32_t _ptr_path;
+ uint32_t size_path_1 = 0;
+ uint32_t length_path_1 = 0;
TALLOC_CTX *_mem_save_path_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 5));
@@ -98,11 +100,13 @@ static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->path));
- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path));
+ size_path_1 = ndr_get_array_size(ndr, &r->path);
+ length_path_1 = ndr_get_array_length(ndr, &r->path);
+ if (length_path_1 > size_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0);
}
}
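Review bot: The error text kept in this hunk, "Bad array size %u should exceed array length %u", does not match the condition it reports on: the check is "if (length_path_1 > size_path_1)", so a size equal to the length is accepted and the size does not have to exceed it. Since the generator is being touched anyway, suggest rewording the message to say that the array length must not be greater than the array size. Reading both values once into size_path_1 and length_path_1 and reusing them for the check, ndr_check_string_terminator and ndr_pull_charset is a good change, because every consumer now sees the same validated number.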
@@ -179,8 +183,12 @@ static enum ndr_err_code ndr_push_dfs_Info2(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info2 *r)
{
uint32_t _ptr_path;
+ uint32_t size_path_1 = 0;
+ uint32_t length_path_1 = 0;
TALLOC_CTX *_mem_save_path_0;
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
+ uint32_t length_comment_1 = 0;
TALLOC_CTX *_mem_save_comment_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 5));
@@ -206,11 +214,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->path));
- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path));
+ size_path_1 = ndr_get_array_size(ndr, &r->path);
+ length_path_1 = ndr_get_array_length(ndr, &r->path);
+ if (length_path_1 > size_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0);
}
if (r->comment) {
@@ -218,11 +228,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->comment));
NDR_CHECK(ndr_pull_array_length(ndr, &r->comment));
- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment));
+ size_comment_1 = ndr_get_array_size(ndr, &r->comment);
+ length_comment_1 = ndr_get_array_length(ndr, &r->comment);
+ if (length_comment_1 > size_comment_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0);
}
}
@@ -303,8 +315,12 @@ static enum ndr_err_code ndr_push_dfs_StorageInfo(struct ndr_push *ndr, int ndr_
static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_flags, struct dfs_StorageInfo *r)
{
uint32_t _ptr_server;
+ uint32_t size_server_1 = 0;
+ uint32_t length_server_1 = 0;
TALLOC_CTX *_mem_save_server_0;
uint32_t _ptr_share;
+ uint32_t size_share_1 = 0;
+ uint32_t length_share_1 = 0;
TALLOC_CTX *_mem_save_share_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 5));
@@ -329,11 +345,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_
NDR_PULL_SET_MEM_CTX(ndr, r->server, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->server));
NDR_CHECK(ndr_pull_array_length(ndr, &r->server));
- if (ndr_get_array_length(ndr, &r->server) > ndr_get_array_size(ndr, &r->server)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server), ndr_get_array_length(ndr, &r->server));
+ size_server_1 = ndr_get_array_size(ndr, &r->server);
+ length_server_1 = ndr_get_array_length(ndr, &r->server);
+ if (length_server_1 > size_server_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, length_server_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0);
}
if (r->share) {
@@ -341,11 +359,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_
NDR_PULL_SET_MEM_CTX(ndr, r->share, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->share));
NDR_CHECK(ndr_pull_array_length(ndr, &r->share));
- if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share));
+ size_share_1 = ndr_get_array_size(ndr, &r->share);
+ length_share_1 = ndr_get_array_length(ndr, &r->share);
+ if (length_share_1 > size_share_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0);
}
}
@@ -413,10 +433,15 @@ static enum ndr_err_code ndr_push_dfs_Info3(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info3 *r)
{
uint32_t _ptr_path;
+ uint32_t size_path_1 = 0;
+ uint32_t length_path_1 = 0;
TALLOC_CTX *_mem_save_path_0;
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
+ uint32_t length_comment_1 = 0;
TALLOC_CTX *_mem_save_comment_0;
uint32_t _ptr_stores;
+ uint32_t size_stores_1 = 0;
uint32_t cntr_stores_1;
TALLOC_CTX *_mem_save_stores_0;
TALLOC_CTX *_mem_save_stores_1;
@@ -450,11 +475,13 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->path));
- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path));
+ size_path_1 = ndr_get_array_size(ndr, &r->path);
+ length_path_1 = ndr_get_array_length(ndr, &r->path);
+ if (length_path_1 > size_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0);
}
if (r->comment) {
@@ -462,24 +489,27 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->comment));
NDR_CHECK(ndr_pull_array_length(ndr, &r->comment));
- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment));
+ size_comment_1 = ndr_get_array_size(ndr, &r->comment);
+ length_comment_1 = ndr_get_array_length(ndr, &r->comment);
+ if (length_comment_1 > size_comment_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0);
}
if (r->stores) {
_mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->stores));
- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores));
+ size_stores_1 = ndr_get_array_size(ndr, &r->stores);
+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1);
_mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) {
+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) {
NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1]));
}
- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) {
+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) {
NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0);
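Review bot: In the r->stores block of ndr_pull_dfs_Info3, the two loops are now bounded by size_stores_1, the same value given to NDR_PULL_ALLOC_N, where they were previously bounded by r->num_stores, which closes the mismatch between the allocated element count and the loop count. Within this hunk, however, size_stores_1 and r->num_stores are never compared, so the struct can leave the pull function with a num_stores that differs from the number of elements actually allocated. Please confirm that a check outside the lines shown rejects size_stores_1 != r->num_stores, because any later code that trusts r->num_stores as the element count would otherwise index past the allocation.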
@@ -572,10 +602,15 @@ static enum ndr_err_code ndr_push_dfs_Info4(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info4 *r)
{
uint32_t _ptr_path;
+ uint32_t size_path_1 = 0;
+ uint32_t length_path_1 = 0;
TALLOC_CTX *_mem_save_path_0;
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
+ uint32_t length_comment_1 = 0;
TALLOC_CTX *_mem_save_comment_0;
uint32_t _ptr_stores;
+ uint32_t size_stores_1 = 0;
uint32_t cntr_stores_1;
TALLOC_CTX *_mem_save_stores_0;
TALLOC_CTX *_mem_save_stores_1;
@@ -611,11 +646,13 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->path));
- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path));
+ size_path_1 = ndr_get_array_size(ndr, &r->path);
+ length_path_1 = ndr_get_array_length(ndr, &r->path);
+ if (length_path_1 > size_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0);
}
if (r->comment) {
@@ -623,24 +660,27 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->comment));
NDR_CHECK(ndr_pull_array_length(ndr, &r->comment));
- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment));
+ size_comment_1 = ndr_get_array_size(ndr, &r->comment);
+ length_comment_1 = ndr_get_array_length(ndr, &r->comment);
+ if (length_comment_1 > size_comment_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0);
}
if (r->stores) {
_mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->stores));
- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores));
+ size_stores_1 = ndr_get_array_size(ndr, &r->stores);
+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1);
_mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) {
--
Samba Shared Repository