From 212af7e08ae655bdb36bb77dced8161dcfe09240 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Wed, 17 Aug 2005 03:30:45 +0000
Subject: r9347: this array bounds checking is harder than it looks ... this copes with 2 more situations: 1) where the array is NULL, which would previously be coped with by a if (ptr) check, but now in the deferred array bounds checking needs to look at the array variable in the ndr code. Not nice. 2) nest the array checking along with the SCALARS vs BUFFERS checks, ensuring we don't do array bounds checking for a buffer when in scalars only mode (This used to be commit ad1b9867a5a14bc9ed2e1a5eb8f05bb2046bc645)
---
 source4/librpc/ndr/ndr.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'source4/librpc/ndr')
diff --git a/source4/librpc/ndr/ndr.c b/source4/librpc/ndr/ndr.c
index 3a291c2cf8..2cbb83a0f4 100644
--- a/source4/librpc/ndr/ndr.c
+++ b/source4/librpc/ndr/ndr.c
@@ -493,6 +493,10 @@ uint32_t ndr_get_array_size(struct ndr_pull *ndr, const void *p)
 NTSTATUS ndr_check_array_size(struct ndr_pull *ndr, void *p, uint32_t size)
 {
 uint32_t stored;
+ /* a NULL array is OK */
+ if (*(void **)p == NULL) {
+ return NT_STATUS_OK;
+ }
 stored = ndr_token_peek(&ndr->array_size_list, p);
 if (stored != size) {
 return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE,
@@ -531,6 +535,10 @@ uint32_t ndr_get_array_length(struct ndr_pull *ndr, const void *p)
 NTSTATUS ndr_check_array_length(struct ndr_pull *ndr, void *p, uint32_t length)
 {
 uint32_t stored;
+ /* a NULL array is OK */
+ if (*(void **)p == NULL) {
+ return NT_STATUS_OK;
+ }
 stored = ndr_token_peek(&ndr->array_length_list, p);
 if (stored != length) {
 return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE,
-- cgit
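Review bot: The new `*(void **)p == NULL` early return in ndr_check_array_size silently changes the contract of `p` from "token key" to "address of the pointer variable that holds the array", and nothing in the hunk states or checks that; a caller that passes the address of an inline (non-pointer) array or any other token key would have the first pointer-sized bytes of that object read as an address, and for a short object that read runs past it. The same applies to the identical guard in the ndr_check_array_length hunk. Since the check cannot be enforced at runtime, the contract should at least be written down where the generated callers will see it, e.g. replace the added comment with `/* p must be the address of the pointer variable holding the array (the same key passed to ndr_pull_array_size/length); a NULL array has nothing to check */`. Both functions continue past the end of their hunks, so the behaviour when ndr_token_peek finds no stored token cannot be reviewed here.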