← Back to branch summary

~ubuntu-branches/ubuntu/lucid/samba/lucid-security

« back to all changes in this revision

Viewing changes to librpc/gen_ndr/ndr_ntsvcs.c

  • Committer: Package Import Robot
  • Author(s): Tyler Hicks
  • Date: 2012-04-12 05:28:44 UTC
  • Revision ID: package-import@ubuntu.com-20120412052844-b8hw24wpk25nkzrf
Tags: 2:3.4.7~dfsg-1ubuntu3.9
https://launchpad.net/bugs/978458
* SECURITY UPDATE: Unauthenticated remote code execution via
  RPC calls (LP: #978458)
  - debian/patches/CVE-2012-1182-1.patch: Fix PIDL compiler to generate code
    that uses the same value for array allocation and array length checks.
    Based on upstream patch.
  - debian/patches/CVE-2012-1182-2.patch: Regenerate PIDL generated files with
    the patched PIDL compiler
  - CVE-2012-1182

Show diffs side-by-side

added added

removed removed

Lines of Context:
librpc/gen_ndr/ndr_ntsvcs.c
53
53
 
54
54
static enum ndr_err_code ndr_pull_PNP_HwProfInfo(struct ndr_pull *ndr, int ndr_flags, struct PNP_HwProfInfo *r)
55
55
{
 
56
        uint32_t size_friendly_name_0 = 0;
56
57
        uint32_t cntr_friendly_name_0;
57
58
        if (ndr_flags & NDR_SCALARS) {
58
59
                NDR_CHECK(ndr_pull_align(ndr, 4));
59
60
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->profile_handle));
60
 
                for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < 80; cntr_friendly_name_0++) {
 
61
                size_friendly_name_0 = 80;
 
62
                for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < size_friendly_name_0; cntr_friendly_name_0++) {
61
63
                        NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->friendly_name[cntr_friendly_name_0]));
62
64
                }
63
65
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags));
373
375
 
374
376
static enum ndr_err_code ndr_pull_PNP_ValidateDeviceInstance(struct ndr_pull *ndr, int flags, struct PNP_ValidateDeviceInstance *r)
375
377
{
 
378
        uint32_t size_devicepath_1 = 0;
 
379
        uint32_t length_devicepath_1 = 0;
376
380
        if (flags & NDR_IN) {
377
381
                NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath));
378
382
                NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath));
379
 
                if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) {
380
 
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath));
 
383
                size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath);
 
384
                length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath);
 
385
                if (length_devicepath_1 > size_devicepath_1) {
 
386
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1);
381
387
                }
382
 
                NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t)));
383
 
                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16));
 
388
                NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t)));
 
389
                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16));
384
390
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags));
385
391
        }
386
392
        if (flags & NDR_OUT) {
577
583
static enum ndr_err_code ndr_pull_PNP_GetDeviceList(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceList *r)
578
584
{
579
585
        uint32_t _ptr_filter;
 
586
        uint32_t size_filter_1 = 0;
 
587
        uint32_t length_filter_1 = 0;
 
588
        uint32_t size_buffer_1 = 0;
 
589
        uint32_t length_buffer_1 = 0;
580
590
        uint32_t cntr_buffer_1;
581
591
        TALLOC_CTX *_mem_save_filter_0;
582
592
        TALLOC_CTX *_mem_save_buffer_1;
595
605
                        NDR_PULL_SET_MEM_CTX(ndr, r->in.filter, 0);
596
606
                        NDR_CHECK(ndr_pull_array_size(ndr, &r->in.filter));
597
607
                        NDR_CHECK(ndr_pull_array_length(ndr, &r->in.filter));
598
 
                        if (ndr_get_array_length(ndr, &r->in.filter) > ndr_get_array_size(ndr, &r->in.filter)) {
599
 
                                return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.filter), ndr_get_array_length(ndr, &r->in.filter));
 
608
                        size_filter_1 = ndr_get_array_size(ndr, &r->in.filter);
 
609
                        length_filter_1 = ndr_get_array_length(ndr, &r->in.filter);
 
610
                        if (length_filter_1 > size_filter_1) {
 
611
                                return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_filter_1, length_filter_1);
600
612
                        }
601
 
                        NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.filter), sizeof(uint16_t)));
602
 
                        NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.filter, ndr_get_array_length(ndr, &r->in.filter), sizeof(uint16_t), CH_UTF16));
 
613
                        NDR_CHECK(ndr_check_string_terminator(ndr, length_filter_1, sizeof(uint16_t)));
 
614
                        NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.filter, length_filter_1, sizeof(uint16_t), CH_UTF16));
603
615
                        NDR_PULL_SET_MEM_CTX(ndr, _mem_save_filter_0, 0);
604
616
                }
605
617
                if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
618
630
        if (flags & NDR_OUT) {
619
631
                NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer));
620
632
                NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer));
621
 
                if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) {
622
 
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer));
 
633
                size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer);
 
634
                length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer);
 
635
                if (length_buffer_1 > size_buffer_1) {
 
636
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1);
623
637
                }
624
638
                if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
625
 
                        NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer));
 
639
                        NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1);
626
640
                }
627
641
                _mem_save_buffer_1 = NDR_PULL_GET_MEM_CTX(ndr);
628
642
                NDR_PULL_SET_MEM_CTX(ndr, r->out.buffer, 0);
629
 
                for (cntr_buffer_1 = 0; cntr_buffer_1 < *r->out.length; cntr_buffer_1++) {
 
643
                for (cntr_buffer_1 = 0; cntr_buffer_1 < length_buffer_1; cntr_buffer_1++) {
630
644
                        NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.buffer[cntr_buffer_1]));
631
645
                }
632
646
                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_1, 0);
723
737
static enum ndr_err_code ndr_pull_PNP_GetDeviceListSize(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceListSize *r)
724
738
{
725
739
        uint32_t _ptr_devicename;
 
740
        uint32_t size_devicename_1 = 0;
 
741
        uint32_t length_devicename_1 = 0;
726
742
        TALLOC_CTX *_mem_save_devicename_0;
727
743
        TALLOC_CTX *_mem_save_size_0;
728
744
        if (flags & NDR_IN) {
739
755
                        NDR_PULL_SET_MEM_CTX(ndr, r->in.devicename, 0);
740
756
                        NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicename));
741
757
                        NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicename));
742
 
                        if (ndr_get_array_length(ndr, &r->in.devicename) > ndr_get_array_size(ndr, &r->in.devicename)) {
743
 
                                return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicename), ndr_get_array_length(ndr, &r->in.devicename));
 
758
                        size_devicename_1 = ndr_get_array_size(ndr, &r->in.devicename);
 
759
                        length_devicename_1 = ndr_get_array_length(ndr, &r->in.devicename);
 
760
                        if (length_devicename_1 > size_devicename_1) {
 
761
                                return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicename_1, length_devicename_1);
744
762
                        }
745
 
                        NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t)));
746
 
                        NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t), CH_UTF16));
 
763
                        NDR_CHECK(ndr_check_string_terminator(ndr, length_devicename_1, sizeof(uint16_t)));
 
764
                        NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, length_devicename_1, sizeof(uint16_t), CH_UTF16));
747
765
                        NDR_PULL_SET_MEM_CTX(ndr, _mem_save_devicename_0, 0);
748
766
                }
749
767
                NDR_CHECK(ndr_pull_PNP_GetIdListFlags(ndr, NDR_SCALARS, &r->in.flags));
888
906
 
889
907
static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceRegProp *r)
890
908
{
 
909
        uint32_t size_devicepath_1 = 0;
 
910
        uint32_t length_devicepath_1 = 0;
 
911
        uint32_t size_buffer_1 = 0;
 
912
        uint32_t length_buffer_1 = 0;
891
913
        TALLOC_CTX *_mem_save_reg_data_type_0;
892
914
        TALLOC_CTX *_mem_save_buffer_size_0;
893
915
        TALLOC_CTX *_mem_save_needed_0;
896
918
 
897
919
                NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath));
898
920
                NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath));
899
 
                if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) {
900
 
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath));
 
921
                size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath);
 
922
                length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath);
 
923
                if (length_devicepath_1 > size_devicepath_1) {
 
924
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1);
901
925
                }
902
 
                NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t)));
903
 
                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16));
 
926
                NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t)));
 
927
                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16));
904
928
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.property));
905
929
                if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
906
930
                        NDR_PULL_ALLOC(ndr, r->in.reg_data_type);
943
967
                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reg_data_type_0, LIBNDR_FLAG_REF_ALLOC);
944
968
                NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer));
945
969
                NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer));
946
 
                if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) {
947
 
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer));
 
970
                size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer);
 
971
                length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer);
 
972
                if (length_buffer_1 > size_buffer_1) {
 
973
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1);
948
974
                }
949
975
                if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
950
 
                        NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer));
 
976
                        NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1);
951
977
                }
952
 
                NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_length(ndr, &r->out.buffer)));
 
978
                NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, length_buffer_1));
953
979
                if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
954
980
                        NDR_PULL_ALLOC(ndr, r->out.buffer_size);
955
981
                }
2152
2178
 
2153
2179
static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flags, struct PNP_HwProfFlags *r)
2154
2180
{
 
2181
        uint32_t size_devicepath_1 = 0;
 
2182
        uint32_t length_devicepath_1 = 0;
2155
2183
        uint32_t _ptr_veto_type;
2156
2184
        uint32_t _ptr_unknown5;
 
2185
        uint32_t size_unknown5_1 = 0;
 
2186
        uint32_t length_unknown5_1 = 0;
2157
2187
        uint32_t _ptr_unknown5a;
 
2188
        uint32_t size_unknown5a_2 = 0;
 
2189
        uint32_t length_unknown5a_2 = 0;
2158
2190
        TALLOC_CTX *_mem_save_profile_flags_0;
2159
2191
        TALLOC_CTX *_mem_save_veto_type_0;
2160
2192
        TALLOC_CTX *_mem_save_unknown5_0;
2166
2198
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.action));
2167
2199
                NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath));
2168
2200
                NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath));
2169
 
                if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) {
2170
 
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath));
 
2201
                size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath);
 
2202
                length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath);
 
2203
                if (length_devicepath_1 > size_devicepath_1) {
 
2204
                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1);
2171
2205
                }
2172
 
                NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t)));
2173
 
                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16));
 
2206
                NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t)));
 
2207
                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16));
2174
2208
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.config));
2175
2209
                if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
2176
2210
                        NDR_PULL_ALLOC(ndr, r->in.profile_flags);
2202
2236
                        NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown5, 0);
2203
2237
                        NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown5));
2204
2238
                        NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown5));
2205
 
                        if (ndr_get_array_length(ndr, &r->in.unknown5) > ndr_get_array_size(ndr, &r->in.unknown5)) {
2206
 
                                return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown5), ndr_get_array_length(ndr, &r->in.unknown5));
 
2239
                        size_unknown5_1 = ndr_get_array_size(ndr, &r->in.unknown5);
 
2240
                        length_unknown5_1 = ndr_get_array_length(ndr, &r->in.unknown5);
 
2241
                        if (length_unknown5_1 > size_unknown5_1) {
 
2242
                                return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5_1, length_unknown5_1);
2207
2243
                        }
2208
 
                        NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t)));
2209
 
                        NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t), CH_UTF16));
 
2244
                        NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5_1, sizeof(uint16_t)));
 
2245
                        NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, length_unknown5_1, sizeof(uint16_t), CH_UTF16));
2210
2246
                        NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5_0, 0);
2211
2247
                }
2212
2248
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_length));
2254
2290
                                NDR_PULL_SET_MEM_CTX(ndr, *r->out.unknown5a, 0);
2255
2291
                                NDR_CHECK(ndr_pull_array_size(ndr, r->out.unknown5a));
2256
2292
                                NDR_CHECK(ndr_pull_array_length(ndr, r->out.unknown5a));
2257
 
                                if (ndr_get_array_length(ndr, r->out.unknown5a) > ndr_get_array_size(ndr, r->out.unknown5a)) {
2258
 
                                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.unknown5a), ndr_get_array_length(ndr, r->out.unknown5a));
 
2293
                                size_unknown5a_2 = ndr_get_array_size(ndr, r->out.unknown5a);
 
2294
                                length_unknown5a_2 = ndr_get_array_length(ndr, r->out.unknown5a);
 
2295
                                if (length_unknown5a_2 > size_unknown5a_2) {
 
2296
                                        return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5a_2, length_unknown5a_2);
2259
2297
                                }
2260
 
                                NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t)));
2261
 
                                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t), CH_UTF16));
 
2298
                                NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5a_2, sizeof(uint16_t)));
 
2299
                                NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, length_unknown5a_2, sizeof(uint16_t), CH_UTF16));
2262
2300
                                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_1, 0);
2263
2301
                        }
2264
2302
                        NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_0, 0);