author | Andrew Tridgell <tridge@samba.org> | 2005-08-17 03:30:45 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:33:27 -0500 |
commit | 212af7e08ae655bdb36bb77dced8161dcfe09240 (patch) | |
tree | bc68bb0b8a9eb4e7309b96d410f53ba6051e5905 /source4 | |
parent | 5bf803ff82c169698bf363ccd2c935aeb8830742 (diff) | |
r9347: this array bounds checking is harder than it looks ...
this copes with 2 more situations:
1) where the array is NULL, which would previously have been handled by an
`if (ptr)` check, but now the deferred array bounds checking needs
to look at the array variable in the ndr code. Not nice.
2) nest the array checking along with the SCALARS vs BUFFERS checks, ensuring we don't
do array bounds checking for a buffer when in scalars only mode
(This used to be commit ad1b9867a5a14bc9ed2e1a5eb8f05bb2046bc645)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm | 6 | ||||
-rw-r--r-- | source4/librpc/ndr/ndr.c | 8 |
2 files changed, 12 insertions, 2 deletions
diff --git a/source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm b/source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm
index 87b99c5ef8..65b9ed57bc 100644
--- a/source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm
+++ b/source4/build/pidl/Parse/Pidl/Samba/NDR/Parser.pm
@@ -1330,6 +1330,8 @@ sub ParseStructPull($$)
 ParseElementPull($e, "ndr", "r->", $env, 1, 0);
 }
+ add_deferred();
+
 deindent;
 pidl "}";
 pidl "if (ndr_flags & NDR_BUFFERS) {";
@@ -1343,11 +1345,11 @@ sub ParseStructPull($$)
 ParseElementPull($e, "ndr", "r->", $env, 0, 1);
 }
+ add_deferred();
+
 deindent;
 pidl "}";
- add_deferred();
-
 end_flags($struct);
 # restore the old relative_base_offset
 pidl "ndr_pull_restore_relative_base_offset(ndr, _save_relative_base_offset);" if defined($struct->{PROPERTIES}{relative_base});
diff --git a/source4/librpc/ndr/ndr.c b/source4/librpc/ndr/ndr.c
index 3a291c2cf8..2cbb83a0f4 100644
--- a/source4/librpc/ndr/ndr.c
+++ b/source4/librpc/ndr/ndr.c
@@ -493,6 +493,10 @@ uint32_t ndr_get_array_size(struct ndr_pull *ndr, const void *p)
 NTSTATUS ndr_check_array_size(struct ndr_pull *ndr, void *p, uint32_t size)
 {
 uint32_t stored;
+ /* a NULL array is OK */
+ if (*(void **)p == NULL) {
+ return NT_STATUS_OK;
+ }
 stored = ndr_token_peek(&ndr->array_size_list, p);
 if (stored != size) {
 return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE,
@@ -531,6 +535,10 @@ uint32_t ndr_get_array_length(struct ndr_pull *ndr, const void *p)
 NTSTATUS ndr_check_array_length(struct ndr_pull *ndr, void *p, uint32_t length)
 {
 uint32_t stored;
+ /* a NULL array is OK */
+ if (*(void **)p == NULL) {
+ return NT_STATUS_OK;
+ }
 stored = ndr_token_peek(&ndr->array_length_list, p);
 if (stored != length) {
 return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE,
|
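Review bot: The add_deferred() call moved inside the NDR_SCALARS block of ParseStructPull carries no comment saying why the deferred checks are now emitted once per flags block instead of once after both, so a reader of the generator (or of its output) cannot see the rationale the commit message gives. A one-line comment above the call would keep it: `# emit the deferred array checks inside this flags block, so a scalars-only pull never bounds-checks a buffer array`. The same comment belongs on the matching call in the NDR_BUFFERS block of the second hunk. The enclosing ParseStructPull subroutine starts and ends outside the hunk.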
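Review bot: The new guard in ndr_check_array_size returns NT_STATUS_OK before `stored` is compared with `size`, so when the array pointer is NULL a wire-supplied count that disagrees with the IDL size_is expression is now accepted silently; any consumer that later trusts that count and indexes the NULL array would fault, and that contract should be stated where the shortcut is taken. The test `*(void **)p == NULL` also assumes every caller passes the address of a pointer variable — if the address of an inline array were ever passed, its first element would be read as a pointer and could wrongly disable the check — so the assumption deserves a comment in place of the current one, e.g. `/* p is the address of the array pointer variable; a NULL array has no elements, so its stored size is not validated against size_is */`. The identical guard in ndr_check_array_length needs the same note. Both function bodies continue beyond the hunk.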