~ubuntu-branches/ubuntu/lucid/samba/lucid-security


Viewing changes to librpc/gen_ndr/ndr_krb5pac.c

  • Committer: Package Import Robot
  • Author(s): Tyler Hicks
  • Date: 2012-04-12 05:28:44 UTC
  • Revision ID: package-import@ubuntu.com-20120412052844-b8hw24wpk25nkzrf
Tags: 2:3.4.7~dfsg-1ubuntu3.9
* SECURITY UPDATE: Unauthenticated remote code execution via
  RPC calls (LP: #978458)
  - debian/patches/CVE-2012-1182-1.patch: Fix PIDL compiler to generate code
    that uses the same value for array allocation and array length checks.
    Based on upstream patch.
  - debian/patches/CVE-2012-1182-2.patch: Regenerate PIDL generated files with
    the patched PIDL compiler
  - CVE-2012-1182

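--- a/librpc/gen_ndr/ndr_krb5pac.c
+++ b/librpc/gen_ndr/ndr_krb5pac.c
@@ -21,11 +21,13 @@
 
 static enum ndr_err_code ndr_pull_PAC_LOGON_NAME(struct ndr_pull *ndr, int ndr_flags, struct PAC_LOGON_NAME *r)
 {
+        uint32_t size_account_name_0 = 0;
         if (ndr_flags & NDR_SCALARS) {
                 NDR_CHECK(ndr_pull_align(ndr, 4));
                 NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->logon_time));
                 NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
-                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, r->size, sizeof(uint8_t), CH_UTF16));
+                size_account_name_0 = r->size;
+                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, size_account_name_0, sizeof(uint8_t), CH_UTF16));
         }
         if (ndr_flags & NDR_BUFFERS) {
         }
@@ -456,24 +458,27 @@
 
 _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA *r)
 {
+        uint32_t size_buffers_0 = 0;
         uint32_t cntr_buffers_0;
         TALLOC_CTX *_mem_save_buffers_0;
         if (ndr_flags & NDR_SCALARS) {
                 NDR_CHECK(ndr_pull_align(ndr, 4));
                 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers));
                 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version));
-                NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers);
+                size_buffers_0 = r->num_buffers;
+                NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0);
                 _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr);
                 NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0);
-                for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) {
+                for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) {
                         NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0]));
                 }
                 NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0);
         }
         if (ndr_flags & NDR_BUFFERS) {
+                size_buffers_0 = r->num_buffers;
                 _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr);
                 NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0);
-                for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) {
+                for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) {
                         NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0]));
                 }
                 NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0);
@@ -619,24 +624,27 @@
 
 _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA_RAW(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA_RAW *r)
 {
+        uint32_t size_buffers_0 = 0;
         uint32_t cntr_buffers_0;
         TALLOC_CTX *_mem_save_buffers_0;
         if (ndr_flags & NDR_SCALARS) {
                 NDR_CHECK(ndr_pull_align(ndr, 4));
                 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers));
                 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version));
-                NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers);
+                size_buffers_0 = r->num_buffers;
+                NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0);
                 _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr);
                 NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0);
-                for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) {
+                for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) {
                         NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0]));
                 }
                 NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0);
         }
         if (ndr_flags & NDR_BUFFERS) {
+                size_buffers_0 = r->num_buffers;
                 _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr);
                 NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0);
-                for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) {
+                for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) {
                         NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0]));
                 }
                 NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0);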