summaryrefslogtreecommitdiff
path: root/pidl/lib/Parse/Pidl
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2012-03-15 13:07:47 +0100
committerKarolin Seeger <kseeger@samba.org>2012-04-10 16:48:07 +0200
commit37313598af769f3e9fbe463c2abb6af1ebabfa21 (patch)
tree9119a2253145b4dfed45b2a465d4c6a1409b9a4a /pidl/lib/Parse/Pidl
parentb6e74db2936aaeba77a38b5ac85802b7d9bdaad3 (diff)
downloadsamba-37313598af769f3e9fbe463c2abb6af1ebabfa21.tar.gz
samba-37313598af769f3e9fbe463c2abb6af1ebabfa21.tar.bz2
samba-37313598af769f3e9fbe463c2abb6af1ebabfa21.zip
pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
An anonymous researcher and Brian Gorenc (HP DVLabs) working with HP's Zero Day Initiative program have found this and notified us. metze
Diffstat (limited to 'pidl/lib/Parse/Pidl')
-rw-r--r--pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm6
1 files changed, 1 insertions, 5 deletions
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index eaf673bbd7..fe93ae19a4 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -1157,14 +1157,10 @@ sub ParseElementPullLevel
}
} elsif ($l->{TYPE} eq "ARRAY" and
not has_fast_array($e,$l) and not is_charset_array($e, $l)) {
- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+ my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
my $array_name = $var_name;
- if ($l->{IS_VARYING}) {
- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
- }
-
if (my $range = has_property($e, "range")) {
my ($low, $high) = split(/,/, $range, 2);
if ($low < 0) {