summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/librpc/gen_ndr/eventlog.h2
-rw-r--r--source3/librpc/gen_ndr/ndr_eventlog.c3
2 files changed, 4 insertions, 1 deletions
diff --git a/source3/librpc/gen_ndr/eventlog.h b/source3/librpc/gen_ndr/eventlog.h
index e067a2bdd3..0fd929dd99 100644
--- a/source3/librpc/gen_ndr/eventlog.h
+++ b/source3/librpc/gen_ndr/eventlog.h
@@ -164,7 +164,7 @@ struct eventlog_ReadEventLogW {
struct policy_handle *handle;/* [ref] */
uint32_t flags;
uint32_t offset;
- uint32_t number_of_bytes;
+ uint32_t number_of_bytes;/* [range(0,0x7FFFF)] */
} in;
struct {
diff --git a/source3/librpc/gen_ndr/ndr_eventlog.c b/source3/librpc/gen_ndr/ndr_eventlog.c
index ef76616c8b..442c40bb80 100644
--- a/source3/librpc/gen_ndr/ndr_eventlog.c
+++ b/source3/librpc/gen_ndr/ndr_eventlog.c
@@ -874,6 +874,9 @@ static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, i
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags));
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offset));
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.number_of_bytes));
+ if (r->in.number_of_bytes < 0 || r->in.number_of_bytes > 0x7FFFF) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
+ }
NDR_PULL_ALLOC_N(ndr, r->out.data, r->in.number_of_bytes);
memset(r->out.data, 0, r->in.number_of_bytes * sizeof(*r->out.data));
NDR_PULL_ALLOC(ndr, r->out.sent_size);