diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-03-15 13:07:47 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2012-04-10 16:48:07 +0200 |
commit | 37313598af769f3e9fbe463c2abb6af1ebabfa21 (patch) | |
tree | 9119a2253145b4dfed45b2a465d4c6a1409b9a4a /pidl/lib/Parse | |
parent | b6e74db2936aaeba77a38b5ac85802b7d9bdaad3 (diff) | |
download | samba-37313598af769f3e9fbe463c2abb6af1ebabfa21.tar.gz samba-37313598af769f3e9fbe463c2abb6af1ebabfa21.tar.bz2 samba-37313598af769f3e9fbe463c2abb6af1ebabfa21.zip |
pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.
metze
Diffstat (limited to 'pidl/lib/Parse')
-rw-r--r-- | pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index eaf673bbd7..fe93ae19a4 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1157,14 +1157,10 @@ sub ParseElementPullLevel } } elsif ($l->{TYPE} eq "ARRAY" and not has_fast_array($e,$l) and not is_charset_array($e, $l)) { - my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); + my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; my $array_name = $var_name; - if ($l->{IS_VARYING}) { - $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; - } - if (my $range = has_property($e, "range")) { my ($low, $high) = split(/,/, $range, 2); if ($low < 0) { |