From 5dff580fb710c9fe95a77afdb543203c4a6e5645 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 9 Aug 2010 11:26:59 +0200 Subject: [PATCH] rerun: make samba3-idl metze --- librpc/gen_ndr/cli_epmapper.c | 22 ++++++++++++++++---- librpc/gen_ndr/cli_ntsvcs.c | 22 ++++++++++++++++---- librpc/gen_ndr/cli_winreg.c | 47 +++++++++++++++++++++++++++++++++++++------ 3 files changed, 77 insertions(+), 14 deletions(-) diff --git a/librpc/gen_ndr/cli_epmapper.c b/librpc/gen_ndr/cli_epmapper.c index c83dba6c86c..fcfefbcfaca 100644 --- a/librpc/gen_ndr/cli_epmapper.c +++ b/librpc/gen_ndr/cli_epmapper.c @@ -380,7 +380,11 @@ static void rpccli_epm_Lookup_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.entry_handle = *state->tmp.out.entry_handle; *state->orig.out.num_ents = *state->tmp.out.num_ents; - memcpy(state->orig.out.entries, state->tmp.out.entries, (state->tmp.in.max_ents) * sizeof(*state->orig.out.entries)); + if ((*state->tmp.out.num_ents) > (state->tmp.in.max_ents)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(state->orig.out.entries, state->tmp.out.entries, (*state->tmp.out.num_ents) * sizeof(*state->orig.out.entries)); /* Copy result */ state->orig.out.result = state->tmp.out.result; @@ -453,7 +457,10 @@ NTSTATUS rpccli_epm_Lookup(struct rpc_pipe_client *cli, /* Return variables */ *entry_handle = *r.out.entry_handle; *num_ents = *r.out.num_ents; - memcpy(entries, r.out.entries, (r.in.max_ents) * sizeof(*entries)); + if ((*r.out.num_ents) > (r.in.max_ents)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(entries, r.out.entries, (*r.out.num_ents) * sizeof(*entries)); /* Return result */ return NT_STATUS_OK; @@ -549,7 +556,11 @@ static void rpccli_epm_Map_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.entry_handle = *state->tmp.out.entry_handle; *state->orig.out.num_towers = *state->tmp.out.num_towers; - memcpy(state->orig.out.towers, state->tmp.out.towers, (state->tmp.in.max_towers) * sizeof(*state->orig.out.towers)); + if ((*state->tmp.out.num_towers) > (state->tmp.in.max_towers)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(state->orig.out.towers, state->tmp.out.towers, (*state->tmp.out.num_towers) * sizeof(*state->orig.out.towers)); /* Copy result */ state->orig.out.result = state->tmp.out.result; @@ -618,7 +629,10 @@ NTSTATUS rpccli_epm_Map(struct rpc_pipe_client *cli, /* Return variables */ *entry_handle = *r.out.entry_handle; *num_towers = *r.out.num_towers; - memcpy(towers, r.out.towers, (r.in.max_towers) * sizeof(*towers)); + if ((*r.out.num_towers) > (r.in.max_towers)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(towers, r.out.towers, (*r.out.num_towers) * sizeof(*towers)); /* Return result */ return NT_STATUS_OK; diff --git a/librpc/gen_ndr/cli_ntsvcs.c b/librpc/gen_ndr/cli_ntsvcs.c index 760ce53591d..e3e941a82db 100644 --- a/librpc/gen_ndr/cli_ntsvcs.c +++ b/librpc/gen_ndr/cli_ntsvcs.c @@ -1459,7 +1459,11 @@ static void rpccli_PNP_GetDeviceList_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.length) * sizeof(*state->orig.out.buffer)); + if ((*state->tmp.out.length) > (*state->tmp.in.length)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.length) * sizeof(*state->orig.out.buffer)); *state->orig.out.length = *state->tmp.out.length; /* Copy result */ @@ -1525,7 +1529,10 @@ NTSTATUS rpccli_PNP_GetDeviceList(struct rpc_pipe_client *cli, } /* Return variables */ - memcpy(buffer, r.out.buffer, (*r.in.length) * sizeof(*buffer)); + if ((*r.out.length) > (*r.in.length)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(buffer, r.out.buffer, (*r.out.length) * sizeof(*buffer)); *length = *r.out.length; /* Return result */ @@ -1918,7 +1925,11 @@ static void rpccli_PNP_GetDeviceRegProp_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.reg_data_type = *state->tmp.out.reg_data_type; - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.buffer_size) * sizeof(*state->orig.out.buffer)); + if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer)); *state->orig.out.buffer_size = *state->tmp.out.buffer_size; *state->orig.out.needed = *state->tmp.out.needed; @@ -1992,7 +2003,10 @@ NTSTATUS rpccli_PNP_GetDeviceRegProp(struct rpc_pipe_client *cli, /* Return variables */ *reg_data_type = *r.out.reg_data_type; - memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer)); + if ((*r.out.buffer_size) > (*r.in.buffer_size)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer)); *buffer_size = *r.out.buffer_size; *needed = *r.out.needed; diff --git a/librpc/gen_ndr/cli_winreg.c b/librpc/gen_ndr/cli_winreg.c index 1c37f519869..15017d25057 100644 --- a/librpc/gen_ndr/cli_winreg.c +++ b/librpc/gen_ndr/cli_winreg.c @@ -1668,7 +1668,15 @@ static void rpccli_winreg_EnumValue_done(struct tevent_req *subreq) *state->orig.out.type = *state->tmp.out.type; } if (state->orig.out.value && state->tmp.out.value) { - memcpy(state->orig.out.value, state->tmp.out.value, (*state->tmp.in.size) * sizeof(*state->orig.out.value)); + if ((*state->tmp.out.size) > (*state->tmp.in.size)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + if ((*state->tmp.out.length) > (*state->tmp.out.size)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(state->orig.out.value, state->tmp.out.value, (*state->tmp.out.length) * sizeof(*state->orig.out.value)); } if (state->orig.out.size && state->tmp.out.size) { *state->orig.out.size = *state->tmp.out.size; @@ -1752,7 +1760,13 @@ NTSTATUS rpccli_winreg_EnumValue(struct rpc_pipe_client *cli, *type = *r.out.type; } if (value && r.out.value) { - memcpy(value, r.out.value, (*r.in.size) * sizeof(*value)); + if ((*r.out.size) > (*r.in.size)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + if ((*r.out.length) > (*r.out.size)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(value, r.out.value, (*r.out.length) * sizeof(*value)); } if (size && r.out.size) { *size = *r.out.size; @@ -2823,7 +2837,15 @@ static void rpccli_winreg_QueryValue_done(struct tevent_req *subreq) *state->orig.out.type = *state->tmp.out.type; } if (state->orig.out.data && state->tmp.out.data) { - memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.data_size?*state->tmp.in.data_size:0) * sizeof(*state->orig.out.data)); + if ((state->tmp.out.data_size?*state->tmp.out.data_size:0) > (state->tmp.in.data_size?*state->tmp.in.data_size:0)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + if ((state->tmp.out.data_length?*state->tmp.out.data_length:0) > (state->tmp.out.data_size?*state->tmp.out.data_size:0)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.out.data_length?*state->tmp.out.data_length:0) * sizeof(*state->orig.out.data)); } if (state->orig.out.data_size && state->tmp.out.data_size) { *state->orig.out.data_size = *state->tmp.out.data_size; @@ -2904,7 +2926,13 @@ NTSTATUS rpccli_winreg_QueryValue(struct rpc_pipe_client *cli, *type = *r.out.type; } if (data && r.out.data) { - memcpy(data, r.out.data, (r.in.data_size?*r.in.data_size:0) * sizeof(*data)); + if ((r.out.data_size?*r.out.data_size:0) > (r.in.data_size?*r.in.data_size:0)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + if ((r.out.data_length?*r.out.data_length:0) > (r.out.data_size?*r.out.data_size:0)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(data, r.out.data, (r.out.data_length?*r.out.data_length:0) * sizeof(*data)); } if (data_size && r.out.data_size) { *data_size = *r.out.data_size; @@ -4629,7 +4657,11 @@ static void rpccli_winreg_QueryMultipleValues_done(struct tevent_req *subreq) /* Copy out parameters */ memcpy(state->orig.out.values, state->tmp.out.values, (state->tmp.in.num_values) * sizeof(*state->orig.out.values)); if (state->orig.out.buffer && state->tmp.out.buffer) { - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.buffer_size) * sizeof(*state->orig.out.buffer)); + if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer)); } *state->orig.out.buffer_size = *state->tmp.out.buffer_size; @@ -4701,7 +4733,10 @@ NTSTATUS rpccli_winreg_QueryMultipleValues(struct rpc_pipe_client *cli, /* Return variables */ memcpy(values, r.out.values, (r.in.num_values) * sizeof(*values)); if (buffer && r.out.buffer) { - memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer)); + if ((*r.out.buffer_size) > (*r.in.buffer_size)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer)); } *buffer_size = *r.out.buffer_size; -- 2.11.4.GIT