[SCM] Samba Shared Repository - branch v3-4-test updated
Karolin Seeger
kseeger at samba.org
Tue Apr 10 12:37:54 MDT 2012
The branch, v3-4-test has been updated
via 209d28d WHATSNEW: Fix typo.
via cee9538 WHATSNEW: Start release notes for Samba 3.4.17.
via 390e8c2 VERSION: Bump version up to 3.4.17.
via c0894d9 rerun 'make samba3-idl'
via ffb8d8e pidl/NDR/Parser: also do range checks on the array size
via 9657f7c pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength()
via 4932437 pidl/NDR/Parser: use helper variables for array size and length
via 785e164 pidl/NDR/Parser: remember if we already know the array length
via 7b711ce pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
via 994308c pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength()
via 82b9fe2 pidl/NDR/Parser: simplify logic in DeclareArrayVariables*()
via 467845e pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()
via b375838 pidl:NDR/Parser: fix range() for arrays
via a3dc832 pidl: allow foo being on the wire after [length_is(foo)] uint8 *buffer
via 779380d pidl: add support for [string] on fixed size arrays.
via 1cb51ea WHATSNEW: Prepare release notes for 3.4.16.
from 6f4316c WHATSNEW: Start release notes for 3.4.16.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test
- Log -----------------------------------------------------------------
commit 209d28d08f259697b39b041fa5605b7875017c79
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Apr 10 20:33:06 2012 +0200
WHATSNEW: Fix typo.
Karolin
(cherry picked from commit e93e5bdb41fb28f1af5e3b072ddfd2552e58fd0c)
commit cee953814fc52e7d3ea4d805b6516ade390b18bf
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Apr 10 20:32:16 2012 +0200
WHATSNEW: Start release notes for Samba 3.4.17.
Karolin
(cherry picked from commit de125e2aef6f9b465736fa5c9fac6286d7ed6a16)
commit 390e8c2d802f4f43784942eba1b6d0c6810494d0
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Apr 10 20:30:09 2012 +0200
VERSION: Bump version up to 3.4.17.
Karolin
(cherry picked from commit 5a68f1e8255318f3383b04ebc32ddd6e715cd54a)
commit c0894d92aeb527c150b0adec0a748ad3437f432c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 18:51:29 2012 +0100
rerun 'make samba3-idl'
metze
The last 12 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
(cherry picked from commit 9123504f2b6f9af458510721416cb25993959a31)
commit ffb8d8ed57700d7bb9b8f7b619b8f635dd0566f5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 17:03:05 2012 +0100
pidl/NDR/Parser: also do range checks on the array size
metze
(cherry picked from commit afaa5f66a8686d5f4e371b66e846249a30e1495f)
commit 9657f7c1e9aebece8480be20d804dd0fb284ed59
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:14:48 2012 +0100
pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength()
metze
(cherry picked from commit 04355f68753aeb85655b7cbd8677899db0c97764)
commit 4932437be109dee2be2b536392d9e7354962ac6f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:13:20 2012 +0100
pidl/NDR/Parser: use helper variables for array size and length
metze
(cherry picked from commit d84758a5c8ce428ac5a3a8cb2e5b8a0e0662ac27)
commit 785e1647d41232b1724cd4a4e82b71689f10113e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 15:07:08 2012 +0100
pidl/NDR/Parser: remember if we already know the array length
metze
(cherry picked from commit 3e89dbfa0dd0c8cd4bcec8ea868a401f9b132aa3)
commit 7b711ce91a01dae266e4acaa5ab6487109e1264f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:07:47 2012 +0100
pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.
metze
(cherry picked from commit 586c3fab85cde3bd6a5141fbba3bb5fcb6b67ab5)
commit 994308c556fbaf4943e0d9c71d0c1cea0ebb5fb5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:05:39 2012 +0100
pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength()
metze
(cherry picked from commit eb8240ecb0d82a8f9b3b7c7d317c57f1aff74296)
commit 82b9fe2cf41e93dd9d45383c08ea6e4fb934d35d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:12:04 2012 +0100
pidl/NDR/Parser: simplify logic in DeclareArrayVariables*()
metze
(cherry picked from commit 102e9956316bbbbac2b440bb75eb039b184a2886)
commit 467845e9a0cfc451ff24d6363babb87329d38406
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:09:51 2012 +0100
pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()
metze
(cherry picked from commit 45245f10c3bd476bcb49be25bc56bb7811b85d3c)
commit b375838e12a4d8bd39e9ca077db27ab71e05b0ec
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 21 05:41:37 2010 +0200
pidl:NDR/Parser: fix range() for arrays
metze
(cherry picked from commit bea4948acb4bbee2fbf886adeb53edbc84de96da)
(cherry picked from commit b48e41cb5541bec34333f94fc21bcd6c47018869)
commit a3dc832aa0b77d639ef3cc5f2a208b8765acdb4c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 27 17:34:37 2009 +0200
pidl: allow foo being on the wire after [length_is(foo)] uint8 *buffer
metze
(cherry picked from commit 92791ce9a8439ac06a22afdbeb0d0fc66c32cb31)
(cherry picked from commit dd5faa13873fbdd92fa4ddd82dc69d34a73e4d1f)
commit 779380df6a9c79bd64045e7c5d0725b5953dc96f
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 27 15:52:16 2009 +0200
pidl: add support for [string] on fixed size arrays.
midl also supports this:
struct {
long l1;
[string] wchar_t str[16];
long l2;
};
Where the wire size of str is encoded like a length_is() header:
4-byte offset == 0;
4-byte array length;
The strings are zero terminated.
metze
(cherry picked from commit 7ccc9a6ef563cc855752b4e74152420b9be5af43)
(cherry picked from commit 75aeb61c38efe28503991834fb5181537cdffc68)
commit 1cb51ea4230c655057c157eba10462a2443727b6
Author: Karolin Seeger <kseeger at samba.org>
Date: Sat Apr 7 16:24:33 2012 +0200
WHATSNEW: Prepare release notes for 3.4.16.
Karolin
(cherry picked from commit 0cc91c98f6d311a92aa308e9fcbac252c96d590d)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 59 +-
librpc/gen_ndr/ndr_dfs.c | 840 ++++++++----
librpc/gen_ndr/ndr_drsblobs.c | 156 ++-
librpc/gen_ndr/ndr_drsuapi.c | 971 +++++++++-----
librpc/gen_ndr/ndr_dssetup.c | 36 +-
librpc/gen_ndr/ndr_echo.c | 54 +-
librpc/gen_ndr/ndr_epmapper.c | 54 +-
librpc/gen_ndr/ndr_eventlog.c | 79 +-
librpc/gen_ndr/ndr_krb5pac.c | 22 +-
librpc/gen_ndr/ndr_lsa.c | 276 +++--
librpc/gen_ndr/ndr_misc.c | 8 +-
librpc/gen_ndr/ndr_named_pipe_auth.c | 8 +-
librpc/gen_ndr/ndr_nbt.c | 78 +-
librpc/gen_ndr/ndr_netlogon.c | 1814 ++++++++++++++++---------
librpc/gen_ndr/ndr_ntsvcs.c | 112 +-
librpc/gen_ndr/ndr_samr.c | 182 ++-
librpc/gen_ndr/ndr_security.c | 18 +-
librpc/gen_ndr/ndr_spoolss.c | 2204 ++++++++++++++++++++----------
librpc/gen_ndr/ndr_srvsvc.c | 2178 +++++++++++++++++++-----------
librpc/gen_ndr/ndr_svcctl.c | 704 +++++++---
librpc/gen_ndr/ndr_winreg.c | 146 ++-
librpc/gen_ndr/ndr_wkssvc.c | 1378 ++++++++++++-------
librpc/gen_ndr/ndr_xattr.c | 26 +-
pidl/lib/Parse/Pidl/NDR.pm | 7 +
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 133 ++-
pidl/tests/ndr_string.pl | 110 ++-
source3/VERSION | 2 +-
source3/librpc/gen_ndr/ndr_libnetapi.c | 22 +-
source3/librpc/gen_ndr/ndr_messaging.c | 31 +-
source3/librpc/gen_ndr/ndr_notify.c | 18 +-
source3/librpc/gen_ndr/ndr_printcap.c | 33 +-
31 files changed, 7801 insertions(+), 3958 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 44819e0..41685fc 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,17 +1,19 @@
==============================
- Release Notes for Samba 3.4.16
- , 2011
+ Release Notes for Samba 3.4.17
+ , 2012
==============================
-This is the latest stable release of Samba 3.4.
+This is a security release in order to address
+CVE- ().
+o
-Changes since 3.4.15
+Changes since 3.4.16
--------------------
-o
+o Stefan Metzmacher <metze at samba.org>
######################################################################
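Review bot: The new 3.4.17 header swaps the neutral "This is the latest stable release of Samba 3.4." for "This is a security release in order to address CVE- ()." plus a bare "o" bullet, which commits the next release to being a security release before that is known and leaves empty placeholders that could ship unchanged. Keeping the neutral sentence until a CVE is actually assigned would be safer. The "o Stefan Metzmacher" entry under "Changes since 3.4.16" likewise has no bug attached yet and should stay as the empty "o" until there is one.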
@@ -38,6 +40,53 @@ Release notes for older versions follow:
----------------------------------------
==============================
+ Release Notes for Samba 3.4.16
+ April 10, 2012
+ ==============================
+
+
+This is a security release in order to address
+CVE-2012-1182 ("root" credential remote code execution).
+
+o CVE-2012-1182:
+ Samba 3.0.x to 3.6.3 are affected by a
+ vulnerability that allows remote code
+ execution as the "root" user.
+
+
+Changes since 3.4.15
+--------------------
+
+
+o Stefan Metzmacher <metze at samba.org>
+ *BUG 8815: PIDL based autogenerated code allows overwriting beyond of
+ allocated array (CVE-2012-1182).
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
Release Notes for Samba 3.4.15
August 23, 2011
==============================
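Review bot: The CVE-2012-1182 entry names the affected range ("Samba 3.0.x to 3.6.3") but gives an administrator nothing to triage with: it does not say which component is involved, whether the flaw is reachable without authentication, or where the advisory and patches can be found. A pointer to the security advisory would cover all three. Separately, "overwriting beyond of allocated array" in the BUG 8815 line would read better as "overwriting beyond the allocated array".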
diff --git a/librpc/gen_ndr/ndr_dfs.c b/librpc/gen_ndr/ndr_dfs.c
index 6e36cb3..87130cc 100644
--- a/librpc/gen_ndr/ndr_dfs.c
+++ b/librpc/gen_ndr/ndr_dfs.c
@@ -78,6 +78,8 @@ static enum ndr_err_code ndr_push_dfs_Info1(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info1 *r)
{
uint32_t _ptr_path;
+ uint32_t size_path_1 = 0;
+ uint32_t length_path_1 = 0;
TALLOC_CTX *_mem_save_path_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
@@ -94,11 +96,13 @@ static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->path));
- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path));
+ size_path_1 = ndr_get_array_size(ndr, &r->path);
+ length_path_1 = ndr_get_array_length(ndr, &r->path);
+ if (length_path_1 > size_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0);
}
}
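Review bot: The error string in the `length_path_1 > size_path_1` branch still reads "Bad array size %u should exceed array length %u", but the condition accepts a size equal to the length, so the message misstates the rule; wording such as "array length %u exceeds array size %u" (with the arguments swapped to match) would agree with the check. Because this file lives under librpc/gen_ndr/ and is produced by 'make samba3-idl', the wording should be changed in the pidl Parser.pm template rather than here, which also fixes every other copy of this block in the diff.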
@@ -174,8 +178,12 @@ static enum ndr_err_code ndr_push_dfs_Info2(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info2 *r)
{
uint32_t _ptr_path;
+ uint32_t size_path_1 = 0;
+ uint32_t length_path_1 = 0;
TALLOC_CTX *_mem_save_path_0;
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
+ uint32_t length_comment_1 = 0;
TALLOC_CTX *_mem_save_comment_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
@@ -200,11 +208,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->path));
- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path));
+ size_path_1 = ndr_get_array_size(ndr, &r->path);
+ length_path_1 = ndr_get_array_length(ndr, &r->path);
+ if (length_path_1 > size_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0);
}
if (r->comment) {
@@ -212,11 +222,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->comment));
NDR_CHECK(ndr_pull_array_length(ndr, &r->comment));
- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment));
+ size_comment_1 = ndr_get_array_size(ndr, &r->comment);
+ length_comment_1 = ndr_get_array_length(ndr, &r->comment);
+ if (length_comment_1 > size_comment_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0);
}
}
@@ -296,8 +308,12 @@ static enum ndr_err_code ndr_push_dfs_StorageInfo(struct ndr_push *ndr, int ndr_
static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_flags, struct dfs_StorageInfo *r)
{
uint32_t _ptr_server;
+ uint32_t size_server_1 = 0;
+ uint32_t length_server_1 = 0;
TALLOC_CTX *_mem_save_server_0;
uint32_t _ptr_share;
+ uint32_t size_share_1 = 0;
+ uint32_t length_share_1 = 0;
TALLOC_CTX *_mem_save_share_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
@@ -321,11 +337,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_
NDR_PULL_SET_MEM_CTX(ndr, r->server, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->server));
NDR_CHECK(ndr_pull_array_length(ndr, &r->server));
- if (ndr_get_array_length(ndr, &r->server) > ndr_get_array_size(ndr, &r->server)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server), ndr_get_array_length(ndr, &r->server));
+ size_server_1 = ndr_get_array_size(ndr, &r->server);
+ length_server_1 = ndr_get_array_length(ndr, &r->server);
+ if (length_server_1 > size_server_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, length_server_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0);
}
if (r->share) {
@@ -333,11 +351,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_
NDR_PULL_SET_MEM_CTX(ndr, r->share, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->share));
NDR_CHECK(ndr_pull_array_length(ndr, &r->share));
- if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share));
+ size_share_1 = ndr_get_array_size(ndr, &r->share);
+ length_share_1 = ndr_get_array_length(ndr, &r->share);
+ if (length_share_1 > size_share_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0);
}
}
@@ -404,10 +424,15 @@ static enum ndr_err_code ndr_push_dfs_Info3(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info3 *r)
{
uint32_t _ptr_path;
+ uint32_t size_path_1 = 0;
+ uint32_t length_path_1 = 0;
TALLOC_CTX *_mem_save_path_0;
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
+ uint32_t length_comment_1 = 0;
TALLOC_CTX *_mem_save_comment_0;
uint32_t _ptr_stores;
+ uint32_t size_stores_1 = 0;
uint32_t cntr_stores_1;
TALLOC_CTX *_mem_save_stores_0;
TALLOC_CTX *_mem_save_stores_1;
@@ -440,11 +465,13 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->path));
- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path));
+ size_path_1 = ndr_get_array_size(ndr, &r->path);
+ length_path_1 = ndr_get_array_length(ndr, &r->path);
+ if (length_path_1 > size_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0);
}
if (r->comment) {
@@ -452,24 +479,27 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->comment));
NDR_CHECK(ndr_pull_array_length(ndr, &r->comment));
- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment));
+ size_comment_1 = ndr_get_array_size(ndr, &r->comment);
+ length_comment_1 = ndr_get_array_length(ndr, &r->comment);
+ if (length_comment_1 > size_comment_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0);
}
if (r->stores) {
_mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->stores));
- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores));
+ size_stores_1 = ndr_get_array_size(ndr, &r->stores);
+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1);
_mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) {
+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) {
NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1]));
}
- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) {
+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) {
NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0);
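Review bot: With both `for` loops now bounded by size_stores_1, nothing in the visible lines ties r->num_stores to the number of elements actually allocated, so code that later walks r->stores using r->num_stores could still index past the allocation if the two wire values differ. Please confirm that a consistency check between r->num_stores and the conformant size (ndr_check_array_size() or equivalent) still runs after this block, outside the hunk's context, and fails the pull on a mismatch.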
@@ -561,10 +591,15 @@ static enum ndr_err_code ndr_push_dfs_Info4(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info4 *r)
{
uint32_t _ptr_path;
+ uint32_t size_path_1 = 0;
+ uint32_t length_path_1 = 0;
TALLOC_CTX *_mem_save_path_0;
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
+ uint32_t length_comment_1 = 0;
TALLOC_CTX *_mem_save_comment_0;
uint32_t _ptr_stores;
+ uint32_t size_stores_1 = 0;
uint32_t cntr_stores_1;
TALLOC_CTX *_mem_save_stores_0;
TALLOC_CTX *_mem_save_stores_1;
@@ -599,11 +634,13 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->path));
- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path));
+ size_path_1 = ndr_get_array_size(ndr, &r->path);
+ length_path_1 = ndr_get_array_length(ndr, &r->path);
+ if (length_path_1 > size_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0);
}
if (r->comment) {
@@ -611,24 +648,27 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->comment));
NDR_CHECK(ndr_pull_array_length(ndr, &r->comment));
- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment));
+ size_comment_1 = ndr_get_array_size(ndr, &r->comment);
+ length_comment_1 = ndr_get_array_length(ndr, &r->comment);
+ if (length_comment_1 > size_comment_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0);
}
if (r->stores) {
_mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->stores));
- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores));
+ size_stores_1 = ndr_get_array_size(ndr, &r->stores);
+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1);
_mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) {
+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) {
NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1]));
}
- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) {
+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) {
NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0);
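Review bot: size_stores_1 is taken straight from ndr_get_array_size() and passed to NDR_PULL_ALLOC_N with no upper bound in these lines, so the peer chooses the allocation size before a single element has been parsed. If the protocol has a sensible maximum for stores, a range() attribute on the IDL field would let the generator's array-size range check (commit ffb8d8e in this push) reject oversized counts before allocating.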
@@ -739,8 +779,12 @@ static enum ndr_err_code ndr_push_dfs_Info5(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info5 *r)
{
uint32_t _ptr_path;
+ uint32_t size_path_1 = 0;
+ uint32_t length_path_1 = 0;
TALLOC_CTX *_mem_save_path_0;
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
+ uint32_t length_comment_1 = 0;
TALLOC_CTX *_mem_save_comment_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
@@ -769,11 +813,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->path));
- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path));
+ size_path_1 = ndr_get_array_size(ndr, &r->path);
+ length_path_1 = ndr_get_array_length(ndr, &r->path);
+ if (length_path_1 > size_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0);
}
if (r->comment) {
@@ -781,11 +827,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->comment));
NDR_CHECK(ndr_pull_array_length(ndr, &r->comment));
- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment));
+ size_comment_1 = ndr_get_array_size(ndr, &r->comment);
+ length_comment_1 = ndr_get_array_length(ndr, &r->comment);
+ if (length_comment_1 > size_comment_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0);
}
}
@@ -961,10 +1009,15 @@ static enum ndr_err_code ndr_push_dfs_Info6(struct ndr_push *ndr, int ndr_flags,
static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info6 *r)
{
uint32_t _ptr_entry_path;
+ uint32_t size_entry_path_1 = 0;
+ uint32_t length_entry_path_1 = 0;
TALLOC_CTX *_mem_save_entry_path_0;
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
+ uint32_t length_comment_1 = 0;
TALLOC_CTX *_mem_save_comment_0;
uint32_t _ptr_stores;
+ uint32_t size_stores_1 = 0;
uint32_t cntr_stores_1;
TALLOC_CTX *_mem_save_stores_0;
TALLOC_CTX *_mem_save_stores_1;
@@ -1001,11 +1054,13 @@ static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->entry_path, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->entry_path));
NDR_CHECK(ndr_pull_array_length(ndr, &r->entry_path));
- if (ndr_get_array_length(ndr, &r->entry_path) > ndr_get_array_size(ndr, &r->entry_path)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->entry_path), ndr_get_array_length(ndr, &r->entry_path));
+ size_entry_path_1 = ndr_get_array_size(ndr, &r->entry_path);
+ length_entry_path_1 = ndr_get_array_length(ndr, &r->entry_path);
+ if (length_entry_path_1 > size_entry_path_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_entry_path_1, length_entry_path_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_entry_path_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, length_entry_path_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entry_path_0, 0);
}
if (r->comment) {
@@ -1013,24 +1068,27 @@ static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags,
NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->comment));
NDR_CHECK(ndr_pull_array_length(ndr, &r->comment));
- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment));
+ size_comment_1 = ndr_get_array_size(ndr, &r->comment);
+ length_comment_1 = ndr_get_array_length(ndr, &r->comment);
+ if (length_comment_1 > size_comment_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0);
}
if (r->stores) {
_mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->stores));
- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores));
+ size_stores_1 = ndr_get_array_size(ndr, &r->stores);
+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1);
_mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr);
NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0);
- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) {
+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) {
NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_SCALARS, &r->stores[cntr_stores_1]));
}
- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) {
+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) {
NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1]));
}
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0);
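Review bot: No test for the loop-bound change in the two `for` loops here (r->num_stores replaced by size_stores_1) is visible in this push: the diffstat lists pidl/tests/ndr_string.pl as the only test file touched. A pidl test that feeds a generated pull function a count field larger than the conformant array size and expects an error would keep the generator from regressing to the old loop bound, which this file alone repeats in dfs_Info3, dfs_Info4 and dfs_Info6.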
@@ -1134,6 +1192,8 @@ static enum ndr_err_code ndr_push_dfs_Info100(struct ndr_push *ndr, int ndr_flag
static enum ndr_err_code ndr_pull_dfs_Info100(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info100 *r)
{
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
+ uint32_t length_comment_1 = 0;
TALLOC_CTX *_mem_save_comment_0;
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_align(ndr, 4));
@@ -1150,11 +1210,13 @@ static enum ndr_err_code ndr_pull_dfs_Info100(struct ndr_pull *ndr, int ndr_flag
NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0);
NDR_CHECK(ndr_pull_array_size(ndr, &r->comment));
NDR_CHECK(ndr_pull_array_length(ndr, &r->comment));
- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) {
- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment));
+ size_comment_1 = ndr_get_array_size(ndr, &r->comment);
+ length_comment_1 = ndr_get_array_length(ndr, &r->comment);
+ if (length_comment_1 > size_comment_1) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1);
}
- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t)));
- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16));
+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16));
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0);
}
}
@@ -1318,6 +1380,8 @@ static enum ndr_err_code ndr_push_dfs_Info105(struct ndr_push *ndr, int ndr_flag
static enum ndr_err_code ndr_pull_dfs_Info105(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info105 *r)
{
uint32_t _ptr_comment;
+ uint32_t size_comment_1 = 0;
--
Samba Shared Repository