diff options
-rw-r--r-- | source3/librpc/gen_ndr/eventlog.h | 2 | ||||
-rw-r--r-- | source3/librpc/gen_ndr/ndr_eventlog.c | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/source3/librpc/gen_ndr/eventlog.h b/source3/librpc/gen_ndr/eventlog.h index e067a2bdd3..0fd929dd99 100644 --- a/source3/librpc/gen_ndr/eventlog.h +++ b/source3/librpc/gen_ndr/eventlog.h @@ -164,7 +164,7 @@ struct eventlog_ReadEventLogW { struct policy_handle *handle;/* [ref] */ uint32_t flags; uint32_t offset; - uint32_t number_of_bytes; + uint32_t number_of_bytes;/* [range(0,0x7FFFF)] */ } in; struct { diff --git a/source3/librpc/gen_ndr/ndr_eventlog.c b/source3/librpc/gen_ndr/ndr_eventlog.c index ef76616c8b..442c40bb80 100644 --- a/source3/librpc/gen_ndr/ndr_eventlog.c +++ b/source3/librpc/gen_ndr/ndr_eventlog.c @@ -874,6 +874,9 @@ static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, i NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offset)); NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.number_of_bytes)); + if (r->in.number_of_bytes < 0 || r->in.number_of_bytes > 0x7FFFF) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } NDR_PULL_ALLOC_N(ndr, r->out.data, r->in.number_of_bytes); memset(r->out.data, 0, r->in.number_of_bytes * sizeof(*r->out.data)); NDR_PULL_ALLOC(ndr, r->out.sent_size); |