~ubuntu-branches/ubuntu/oneiric/samba/oneiric-security

Viewing changes to source3/librpc/gen_ndr/ndr_notify.c

Committer: Package Import Robot
Author(s): Tyler Hicks
Date: 2012-04-12 05:28:44 UTC
mfrom: (147.1.1 oneiric-proposed)
Revision ID: package-import@ubuntu.com-20120412052844-348q6l4dcb303sdu

Tags: 2:3.5.11~dfsg-1ubuntu2.2

* SECURITY UPDATE: Unauthenticated remote code execution via
  RPC calls (LP: #978458)
  - debian/patches/CVE-2012-1182-1.patch: Fix PIDL compiler to generate code
    that uses the same value for array allocation and array length checks.
    Based on upstream patch.
  - debian/patches/CVE-2012-1182-2.patch: Regenerate PIDL generated files with
    the patched PIDL compiler
  - CVE-2012-1182

files added:
.pc/CVE-2012-1182-1.patch

.pc/CVE-2012-1182-1.patch/pidl

.pc/CVE-2012-1182-1.patch/pidl/lib

.pc/CVE-2012-1182-1.patch/pidl/lib/Parse

.pc/CVE-2012-1182-1.patch/pidl/lib/Parse/Pidl

.pc/CVE-2012-1182-1.patch/pidl/lib/Parse/Pidl/Samba4

.pc/CVE-2012-1182-1.patch/pidl/lib/Parse/Pidl/Samba4/NDR

.pc/CVE-2012-1182-1.patch/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm

.pc/CVE-2012-1182-2.patch

.pc/CVE-2012-1182-2.patch/librpc

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_dcerpc.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_dfs.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_drsblobs.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_drsuapi.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_dssetup.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_echo.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_epmapper.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_eventlog.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_krb5pac.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_lsa.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_misc.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_named_pipe_auth.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_nbt.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_netlogon.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_ntlmssp.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_ntsvcs.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_samr.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_schannel.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_security.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_spoolss.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_srvsvc.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_svcctl.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_winreg.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_wkssvc.c

.pc/CVE-2012-1182-2.patch/librpc/gen_ndr/ndr_xattr.c

.pc/CVE-2012-1182-2.patch/source3

.pc/CVE-2012-1182-2.patch/source3/librpc

.pc/CVE-2012-1182-2.patch/source3/librpc/gen_ndr

.pc/CVE-2012-1182-2.patch/source3/librpc/gen_ndr/ndr_libnetapi.c

.pc/CVE-2012-1182-2.patch/source3/librpc/gen_ndr/ndr_messaging.c

.pc/CVE-2012-1182-2.patch/source3/librpc/gen_ndr/ndr_notify.c

.pc/CVE-2012-1182-2.patch/source3/librpc/gen_ndr/ndr_perfcount.c

.pc/CVE-2012-1182-2.patch/source3/librpc/gen_ndr/ndr_printcap.c

.pc/CVE-2012-1182-2.patch/source3/librpc/gen_ndr/ndr_secrets.c

.pc/CVE-2012-1182-2.patch/source3/librpc/gen_ndr/ndr_wbint.c

.pc/initialize_password_db-null-deref

.pc/initialize_password_db-null-deref/source3

.pc/initialize_password_db-null-deref/source3/passdb

.pc/initialize_password_db-null-deref/source3/passdb/pdb_interface.c

debian/patches/CVE-2012-1182-1.patch

debian/patches/CVE-2012-1182-2.patch

debian/patches/initialize_password_db-null-deref

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

librpc/gen_ndr/ndr_dcerpc.c

librpc/gen_ndr/ndr_dfs.c

librpc/gen_ndr/ndr_drsblobs.c

librpc/gen_ndr/ndr_drsuapi.c

librpc/gen_ndr/ndr_dssetup.c

librpc/gen_ndr/ndr_echo.c

librpc/gen_ndr/ndr_epmapper.c

librpc/gen_ndr/ndr_eventlog.c

librpc/gen_ndr/ndr_krb5pac.c

librpc/gen_ndr/ndr_lsa.c

librpc/gen_ndr/ndr_misc.c

librpc/gen_ndr/ndr_named_pipe_auth.c

librpc/gen_ndr/ndr_nbt.c

librpc/gen_ndr/ndr_netlogon.c

librpc/gen_ndr/ndr_ntlmssp.c

librpc/gen_ndr/ndr_ntsvcs.c

librpc/gen_ndr/ndr_samr.c

librpc/gen_ndr/ndr_schannel.c

librpc/gen_ndr/ndr_security.c

librpc/gen_ndr/ndr_spoolss.c

librpc/gen_ndr/ndr_srvsvc.c

librpc/gen_ndr/ndr_svcctl.c

librpc/gen_ndr/ndr_winreg.c

librpc/gen_ndr/ndr_wkssvc.c

librpc/gen_ndr/ndr_xattr.c

pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm

source3/librpc/gen_ndr/ndr_libnetapi.c

source3/librpc/gen_ndr/ndr_messaging.c

source3/librpc/gen_ndr/ndr_notify.c

source3/librpc/gen_ndr/ndr_perfcount.c

source3/librpc/gen_ndr/ndr_printcap.c

source3/librpc/gen_ndr/ndr_secrets.c

source3/librpc/gen_ndr/ndr_wbint.c

source3/passdb/pdb_interface.c

Show diffs side-by-side

added added

removed removed

source3/librpc/gen_ndr/ndr_notify.c

_PUBLIC_ enum ndr_err_code ndr_pull_notify_entry_array(struct ndr_pull *ndr, int ndr_flags, struct notify_entry_array *r)

{

uint32_t size_entries_0 = 0;

uint32_t cntr_entries_0;

TALLOC_CTX *_mem_save_entries_0;

if (ndr_flags & NDR_SCALARS) {

NDR_CHECK(ndr_pull_align(ndr, 8));

NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries));

NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries);

100

size_entries_0 = r->num_entries;

101

NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0);

100

102

_mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr);

101

103

NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0);

102

for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) {

104

for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) {

103

105

NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0]));

104

106

}

105

107

NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0);

106

108

NDR_CHECK(ndr_pull_trailer_align(ndr, 8));

107

109

}

108

110

if (ndr_flags & NDR_BUFFERS) {

111

size_entries_0 = r->num_entries;

109

112

_mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr);

110

113

NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0);

111

for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) {

114

for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) {

112

115

NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_0]));

113

116

}

114

117

NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0);

158

161

159

162

static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_flags, struct notify_depth *r)

160

163

{

164

uint32_t size_entries_0 = 0;

161

165

uint32_t cntr_entries_0;

162

166

TALLOC_CTX *_mem_save_entries_0;

163

167

if (ndr_flags & NDR_SCALARS) {

165

169

NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask));

166

170

NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask_subdir));

167

171

NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries));

168

NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries);

172

size_entries_0 = r->num_entries;

173

NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0);

169

174

_mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr);

170

175

NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0);

171

for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) {

176

for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) {

172

177

NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0]));

173

178

}

174

179

NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0);

175

180

NDR_CHECK(ndr_pull_trailer_align(ndr, 8));

176

181

}

177

182

if (ndr_flags & NDR_BUFFERS) {

183

size_entries_0 = r->num_entries;

178

184

_mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr);

179

185

NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0);

180

for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) {

186

for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) {

181

187

NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_0]));

182

188

}

183

189

NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0);

227

233

228

234

_PUBLIC_ enum ndr_err_code ndr_pull_notify_array(struct ndr_pull *ndr, int ndr_flags, struct notify_array *r)

229

235

{

236

uint32_t size_depth_0 = 0;

230

237

uint32_t cntr_depth_0;

231

238

TALLOC_CTX *_mem_save_depth_0;

232

239

if (ndr_flags & NDR_SCALARS) {

233

240

NDR_CHECK(ndr_pull_align(ndr, 8));

234

241

NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_depths));

235

NDR_PULL_ALLOC_N(ndr, r->depth, r->num_depths);

242

size_depth_0 = r->num_depths;

243

NDR_PULL_ALLOC_N(ndr, r->depth, size_depth_0);

236

244

_mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr);

237

245

NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0);

238

for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) {

246

for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) {

239

247

NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_SCALARS, &r->depth[cntr_depth_0]));

240

248

}

241

249

NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0);

242

250

NDR_CHECK(ndr_pull_trailer_align(ndr, 8));

243

251

}

244

252

if (ndr_flags & NDR_BUFFERS) {

253

size_depth_0 = r->num_depths;

245

254

_mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr);

246

255

NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0);

247

for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) {

256

for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) {

248

257

NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_BUFFERS, &r->depth[cntr_depth_0]));

249

258

}

250

259

NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0);

Older »