sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-22 22:04:08 +03:00
Code

pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)

Browse Source 
An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.

metze
This commit is contained in:
Stefan Metzmacher 2012-03-15 13:07:47 +01:00 committed by Karolin Seeger
parent b6e74db293
commit 37313598af
1 changed files with 1 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
View File

@ -1157,14 +1157,10 @@ sub ParseElementPullLevel
}
} elsif ($l->{TYPE} eq "ARRAY" and
not has_fast_array($e,$l) and not is_charset_array($e, $l)) {
my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
my $array_name = $var_name;
if ($l->{IS_VARYING}) {
$length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
}
if (my $range = has_property($e, "range")) {
my ($low, $high) = split(/,/, $range, 2);
if ($low < 0) {