The Samba-Bugzilla – Attachment 15621 Details for
Bug 13876
NDR crash and memory allocation on large array values from untrustworthy servers
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
WIP patch for master
0001-pidl-Generate-and-consume-the-switch-level-token-for.patch (text/plain), 4.29 KB, created by
Andrew Bartlett
on 2019-11-15 05:43:52 UTC
(
hide
)
Description:
WIP patch for master
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2019-11-15 05:43:52 UTC
Size:
4.29 KB
patch
obsolete
>From ecb187ff8e6d7d330e617cb9ad4ee42ececc3306 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 15 Nov 2019 16:59:12 +1300 >Subject: [PATCH] pidl: Generate and consume the switch level token for both > NDR_SCALARS and NDR_BUFFERS > >This means what was previously a list becomes a single variable that >could be passed as a function paraemter, but this is avoided for now >because it would change the ABI and be more intrusive. > >Before this, a client could cause a NDR token containing the swith level >to be allocated for each and every element in the array that they >promised they were sending (without having to actually send them). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876 >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 37 ++++++++++++++++-------- > 1 file changed, 25 insertions(+), 12 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 222a8b8c7b4..87cfe4498f6 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -647,8 +647,6 @@ sub ParseElementPushLevel > $self->pidl("NDR_CHECK(ndr_push_array_$nl->{DATA_TYPE}($ndr, $ndr_flags, $var_name, $length));"); > return; > } >- } elsif ($l->{TYPE} eq "SWITCH") { >- $self->ParseSwitchPush($e, $l, $ndr, $var_name, $env); > } elsif ($l->{TYPE} eq "DATA") { > $self->ParseDataPush($e, $l, $ndr, $var_name, $primitives, $deferred); > } elsif ($l->{TYPE} eq "TYPEDEF") { >@@ -709,6 +707,14 @@ sub ParseElementPushLevel > $self->pidl("}"); > } > } elsif ($l->{TYPE} eq "SWITCH") { >+ my $nl = GetNextLevel($e,$l); >+ my $needs_deferred_switch = is_deferred_switch_non_empty($nl); >+ >+ # Avoid setting a switch value if it will not be >+ # consumed again in the NDR_BUFFERS pull >+ if ($needs_deferred_switch or !$deferred) { >+ $self->ParseSwitchPush($e, $l, $ndr, $var_name, $env); >+ } > $self->ParseElementPushLevel($e, GetNextLevel($e, $l), $ndr, $var_name, $env, $primitives, $deferred); > } > } >@@ -1174,8 +1180,6 @@ sub ParseElementPullLevel > } > } elsif ($l->{TYPE} eq "POINTER") { > $self->ParsePtrPull($e, $l, $ndr, $var_name); >- } elsif ($l->{TYPE} eq "SWITCH") { >- $self->ParseSwitchPull($e, $l, $ndr, $var_name, $env); > } elsif ($l->{TYPE} eq "DATA") { > $self->ParseDataPull($e, $l, $ndr, $var_name, $primitives, $deferred); > } elsif ($l->{TYPE} eq "TYPEDEF") { >@@ -1256,7 +1260,15 @@ sub ParseElementPullLevel > $self->ParseMemCtxPullEnd($e, $l, $ndr); > > } elsif ($l->{TYPE} eq "SWITCH") { >- $self->ParseElementPullLevel($e, GetNextLevel($e,$l), $ndr, $var_name, $env, $primitives, $deferred); >+ my $nl = GetNextLevel($e,$l); >+ my $needs_deferred_switch = is_deferred_switch_non_empty($nl); >+ >+ # Avoid setting a switch value if it will not be >+ # consumed again in the NDR_BUFFERS pull >+ if ($needs_deferred_switch or !$deferred) { >+ $self->ParseSwitchPull($e, $l, $ndr, $var_name, $env); >+ } >+ $self->ParseElementPullLevel($e, $nl, $ndr, $var_name, $env, $primitives, $deferred); > } > } > >@@ -2152,20 +2164,21 @@ sub ParseUnionPull($$$$) > $self->pidl("NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);"); > $self->pidl("if (ndr_flags & NDR_SCALARS) {"); > $self->indent; >- if (! $needs_deferred_switch) { >- $self->pidl("/* This token is not used again */"); >- $self->pidl("level = ndr_pull_steal_switch_value($ndr, $varname);"); >- } else { >- $self->pidl("level = ndr_pull_get_switch_value($ndr, $varname);"); >- } >+ $self->pidl("/* This token is not used again (except perhaps below in the NDR_BUFFERS case) */"); >+ $self->pidl("level = ndr_pull_steal_switch_value($ndr, $varname);"); > $self->ParseUnionPullPrimitives($e,$ndr,$varname,$switch_type); > $self->deindent; > $self->pidl("}"); > if ($needs_deferred_switch) { > $self->pidl("if (ndr_flags & NDR_BUFFERS) {"); > $self->indent; >- $self->pidl("/* The token is not needed after this. */"); >+ # In case we had ndr_flags of NDR_SCALERS|NDR_BUFFERS >+ $self->pidl("if (!(ndr_flags & NDR_SCALARS)) {"); >+ $self->indent; >+ $self->pidl("/* We didn't get it above, and the token is not needed after this. */"); > $self->pidl("level = ndr_pull_steal_switch_value($ndr, $varname);"); >+ $self->deindent; >+ $self->pidl("}"); > $self->ParseUnionPullDeferred($e,$ndr,$varname); > $self->deindent; > $self->pidl("}"); >-- >2.17.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=15621">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 13876
:
15621
|
15622
|
15623
|
15626