← Back to branch summary

~ubuntu-branches/ubuntu/quantal/samba/quantal

« back to all changes in this revision

Viewing changes to source3/librpc/gen_ndr/ndr_perfcount.c

  • Committer: Package Import Robot
  • Author(s): Tyler Hicks
  • Date: 2012-04-12 05:28:44 UTC
  • Revision ID: package-import@ubuntu.com-20120412052844-i2u39y7vkrcx61u4
Tags: 2:3.6.3-2ubuntu2
https://launchpad.net/bugs/978458
* SECURITY UPDATE: Unauthenticated remote code execution via
  RPC calls (LP: #978458)
  - debian/patches/CVE-2012-1182-1.patch: Fix PIDL compiler to generate code
    that uses the same value for array allocation and array length checks.
    Based on upstream patch.
  - debian/patches/CVE-2012-1182-2.patch: Regenerate PIDL generated files
    with the patched PIDL compiler
  - CVE-2012-1182

Show diffs side-by-side

added added

removed removed

Lines of Context:
source3/librpc/gen_ndr/ndr_perfcount.c
132
132
 
133
133
_PUBLIC_ enum ndr_err_code ndr_pull_PERF_COUNTER_BLOCK(struct ndr_pull *ndr, int ndr_flags, struct PERF_COUNTER_BLOCK *r)
134
134
{
 
135
        uint32_t size_data_0 = 0;
135
136
        if (ndr_flags & NDR_SCALARS) {
136
137
                NDR_CHECK(ndr_pull_align(ndr, 4));
137
138
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ByteLength));
138
 
                NDR_PULL_ALLOC_N(ndr, r->data, r->ByteLength);
139
 
                NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, r->ByteLength));
 
139
                size_data_0 = r->ByteLength;
 
140
                NDR_PULL_ALLOC_N(ndr, r->data, size_data_0);
 
141
                NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0));
140
142
                NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
141
143
        }
142
144
        if (ndr_flags & NDR_BUFFERS) {
268
270
 
269
271
_PUBLIC_ enum ndr_err_code ndr_pull_PERF_OBJECT_TYPE(struct ndr_pull *ndr, int ndr_flags, struct PERF_OBJECT_TYPE *r)
270
272
{
 
273
        uint32_t size_counters_0 = 0;
271
274
        uint32_t cntr_counters_0;
272
275
        TALLOC_CTX *_mem_save_counters_0;
 
276
        uint32_t size_instances_0 = 0;
273
277
        uint32_t cntr_instances_0;
274
278
        TALLOC_CTX *_mem_save_instances_0;
275
279
        if (ndr_flags & NDR_SCALARS) {
288
292
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->CodePage));
289
293
                NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->PerfTime));
290
294
                NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->PerfFreq));
291
 
                NDR_PULL_ALLOC_N(ndr, r->counters, r->NumCounters);
 
295
                size_counters_0 = r->NumCounters;
 
296
                NDR_PULL_ALLOC_N(ndr, r->counters, size_counters_0);
292
297
                _mem_save_counters_0 = NDR_PULL_GET_MEM_CTX(ndr);
293
298
                NDR_PULL_SET_MEM_CTX(ndr, r->counters, 0);
294
 
                for (cntr_counters_0 = 0; cntr_counters_0 < r->NumCounters; cntr_counters_0++) {
 
299
                for (cntr_counters_0 = 0; cntr_counters_0 < size_counters_0; cntr_counters_0++) {
295
300
                        NDR_CHECK(ndr_pull_PERF_COUNTER_DEFINITION(ndr, NDR_SCALARS, &r->counters[cntr_counters_0]));
296
301
                }
297
302
                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_counters_0, 0);
298
 
                NDR_PULL_ALLOC_N(ndr, r->instances, r->NumInstances);
 
303
                size_instances_0 = r->NumInstances;
 
304
                NDR_PULL_ALLOC_N(ndr, r->instances, size_instances_0);
299
305
                _mem_save_instances_0 = NDR_PULL_GET_MEM_CTX(ndr);
300
306
                NDR_PULL_SET_MEM_CTX(ndr, r->instances, 0);
301
 
                for (cntr_instances_0 = 0; cntr_instances_0 < r->NumInstances; cntr_instances_0++) {
 
307
                for (cntr_instances_0 = 0; cntr_instances_0 < size_instances_0; cntr_instances_0++) {
302
308
                        NDR_CHECK(ndr_pull_PERF_INSTANCE_DEFINITION(ndr, NDR_SCALARS, &r->instances[cntr_instances_0]));
303
309
                }
304
310
                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_instances_0, 0);
306
312
                NDR_CHECK(ndr_pull_trailer_align(ndr, 8));
307
313
        }
308
314
        if (ndr_flags & NDR_BUFFERS) {
 
315
                size_instances_0 = r->NumInstances;
309
316
                _mem_save_instances_0 = NDR_PULL_GET_MEM_CTX(ndr);
310
317
                NDR_PULL_SET_MEM_CTX(ndr, r->instances, 0);
311
 
                for (cntr_instances_0 = 0; cntr_instances_0 < r->NumInstances; cntr_instances_0++) {
 
318
                for (cntr_instances_0 = 0; cntr_instances_0 < size_instances_0; cntr_instances_0++) {
312
319
                        NDR_CHECK(ndr_pull_PERF_INSTANCE_DEFINITION(ndr, NDR_BUFFERS, &r->instances[cntr_instances_0]));
313
320
                }
314
321
                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_instances_0, 0);
395
402
 
396
403
_PUBLIC_ enum ndr_err_code ndr_pull_PERF_DATA_BLOCK(struct ndr_pull *ndr, int ndr_flags, struct PERF_DATA_BLOCK *r)
397
404
{
 
405
        uint32_t size_Signature_0 = 0;
398
406
        uint32_t cntr_Signature_0;
399
407
        uint32_t _ptr_data;
400
408
        TALLOC_CTX *_mem_save_data_0;
 
409
        uint32_t size_objects_0 = 0;
401
410
        uint32_t cntr_objects_0;
402
411
        TALLOC_CTX *_mem_save_objects_0;
403
412
        if (ndr_flags & NDR_SCALARS) {
404
413
                NDR_CHECK(ndr_pull_align(ndr, 8));
405
 
                for (cntr_Signature_0 = 0; cntr_Signature_0 < 4; cntr_Signature_0++) {
 
414
                size_Signature_0 = 4;
 
415
                for (cntr_Signature_0 = 0; cntr_Signature_0 < size_Signature_0; cntr_Signature_0++) {
406
416
                        NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Signature[cntr_Signature_0]));
407
417
                }
408
418
                NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->LittleEndian));
425
435
                } else {
426
436
                        r->data = NULL;
427
437
                }
428
 
                NDR_PULL_ALLOC_N(ndr, r->objects, r->NumObjectTypes);
 
438
                size_objects_0 = r->NumObjectTypes;
 
439
                NDR_PULL_ALLOC_N(ndr, r->objects, size_objects_0);
429
440
                _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr);
430
441
                NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0);
431
 
                for (cntr_objects_0 = 0; cntr_objects_0 < r->NumObjectTypes; cntr_objects_0++) {
 
442
                for (cntr_objects_0 = 0; cntr_objects_0 < size_objects_0; cntr_objects_0++) {
432
443
                        NDR_CHECK(ndr_pull_PERF_OBJECT_TYPE(ndr, NDR_SCALARS, &r->objects[cntr_objects_0]));
433
444
                }
434
445
                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_0, 0);
441
452
                        NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, r->data));
442
453
                        NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0);
443
454
                }
 
455
                size_objects_0 = r->NumObjectTypes;
444
456
                _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr);
445
457
                NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0);
446
 
                for (cntr_objects_0 = 0; cntr_objects_0 < r->NumObjectTypes; cntr_objects_0++) {
 
458
                for (cntr_objects_0 = 0; cntr_objects_0 < size_objects_0; cntr_objects_0++) {
447
459
                        NDR_CHECK(ndr_pull_PERF_OBJECT_TYPE(ndr, NDR_BUFFERS, &r->objects[cntr_objects_0]));
448
460
                }
449
461
                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_0, 0);