summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2005-08-16 23:19:17 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:33:25 -0500
commit290b0b5b19ef0123a9cc0e178b08937c0a2053cb (patch)
treef45af76ec98fa3f5a68a578f2df08e20d24a8088
parent30296570537e8c0406b93d09c1088e308f210545 (diff)
downloadsamba-290b0b5b19ef0123a9cc0e178b08937c0a2053cb.tar.gz
samba-290b0b5b19ef0123a9cc0e178b08937c0a2053cb.tar.bz2
samba-290b0b5b19ef0123a9cc0e178b08937c0a2053cb.zip
r9335: only copy the in side of an array to the out side of an array when the
array is a [ref] pointer. For non-ref arrays it is quite valid for a server to return a larger response array then the client gave (as can happen with winreg) in which case this memcpy() will fault. (This used to be commit 6cf20e7adb9891119fdc9a0b208c3f94fe823334)
-rw-r--r--source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm3
1 files changed, 2 insertions, 1 deletions
diff --git a/source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm b/source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm
index cde96ca0b2..4cc0dd9184 100644
--- a/source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm
+++ b/source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm
@@ -1812,7 +1812,8 @@ sub AllocateArrayLevel($$$$$)
}
if (grep(/in/,@{$e->{DIRECTION}}) and
- grep(/out/,@{$e->{DIRECTION}})) {
+ grep(/out/,@{$e->{DIRECTION}}) and
+ $pl->{POINTER_TYPE} eq "ref") {
pidl "memcpy(r->out.$e->{NAME},r->in.$e->{NAME},$size * sizeof(*r->in.$e->{NAME}));";
}
}