The Samba-Bugzilla – Attachment 7390 Details for
Bug 8815
PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
draft patches for v3-5-test
pidl-array-length-03.v3-5.txt (text/plain), 1.76 MB, created by
Stefan Metzmacher
on 2012-03-15 17:58:53 UTC
(
hide
)
Description:
draft patches for v3-5-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2012-03-15 17:58:53 UTC
Size:
1.76 MB
patch
obsolete
>From 1d4407e7824b5848ec5d9f7decb0a681557342e7 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 21 Sep 2010 05:41:37 +0200 >Subject: [PATCH 01/10] pidl:NDR/Parser: fix range() for arrays > >metze >(cherry picked from commit bea4948acb4bbee2fbf886adeb53edbc84de96da) >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 33 +++++++++++++++++++++++++++++- > 1 files changed, 32 insertions(+), 1 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index da536be..bd8d676 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -865,7 +865,10 @@ sub ParseDataPull($$$$$$$) > > $self->pidl("NDR_CHECK(".TypeFunctionName("ndr_pull", $l->{DATA_TYPE})."($ndr, $ndr_flags, $var_name));"); > >- if (my $range = has_property($e, "range")) { >+ my $pl = GetPrevLevel($e, $l); >+ >+ my $range = has_property($e, "range"); >+ if ($range and $pl->{TYPE} ne "ARRAY") { > $var_name = get_value_of($var_name); > my $signed = Parse::Pidl::Typelist::is_signed($l->{DATA_TYPE}); > my ($low, $high) = split(/,/, $range, 2); >@@ -1010,6 +1013,20 @@ sub ParseElementPullLevel > } elsif ($l->{TYPE} eq "ARRAY") { > my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($length > $high) {"); >+ } else { >+ $self->pidl("if ($length < $low || $length > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > my $nl = GetNextLevel($e, $l); > > if (is_charset_array($e,$l)) { >@@ -1073,6 +1090,20 @@ sub ParseElementPullLevel > $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; > } > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($length > $high) {"); >+ } else { >+ $self->pidl("if ($length < $low || $length > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > $var_name = get_array_element($var_name, $counter); > > $self->ParseMemCtxPullStart($e, $l, $ndr, $array_name); >-- >1.7.4.1 > > >From b2cc67d61a562f2e8525f9461822e3d57b815a0e Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:09:51 +0100 >Subject: [PATCH 02/10] pidl/NDR/Parser: declare all union helper variables in ParseUnionPull() > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index bd8d676..a4957bb 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1845,8 +1845,6 @@ sub ParseUnionPullPrimitives($$$$$) > > if ($el->{TYPE} ne "EMPTY") { > $self->indent; >- $self->DeclarePtrVariables($el); >- $self->DeclareArrayVariables($el); > if (defined($e->{PROPERTIES}{relative_base})) { > $self->pidl("NDR_CHECK(ndr_pull_align($ndr, $el->{ALIGN}));"); > # set the current offset as base for relative pointers >@@ -1923,6 +1921,8 @@ sub ParseUnionPull($$$$) > next if ($el->{TYPE} eq "EMPTY"); > next if ($double_cases{"$el->{NAME}"}); > $self->DeclareMemCtxVariables($el); >+ $self->DeclarePtrVariables($el); >+ $self->DeclareArrayVariables($el); > $double_cases{"$el->{NAME}"} = 1; > } > >-- >1.7.4.1 > > >From 104a2bf96cd167dfed6ed5a060ae4340b76d78c5 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:12:04 +0100 >Subject: [PATCH 03/10] pidl/NDR/Parser: simplify logic in DeclareArrayVariables*() > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 14 ++++++-------- > 1 files changed, 6 insertions(+), 8 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index a4957bb..d1982f8 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1514,11 +1514,10 @@ sub DeclareArrayVariables($$) > my ($self,$e) = @_; > > foreach my $l (@{$e->{LEVELS}}) { >+ next if ($l->{TYPE} ne "ARRAY"); > next if has_fast_array($e,$l); > next if is_charset_array($e,$l); >- if ($l->{TYPE} eq "ARRAY") { >- $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >- } >+ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); > } > } > >@@ -1527,15 +1526,14 @@ sub DeclareArrayVariablesNoZero($$$) > my ($self,$e,$env) = @_; > > foreach my $l (@{$e->{LEVELS}}) { >+ next if ($l->{TYPE} ne "ARRAY"); > next if has_fast_array($e,$l); > next if is_charset_array($e,$l); >- if ($l->{TYPE} eq "ARRAY") { >- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >- if ($length eq "0") { >+ my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >+ if ($length eq "0") { > warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length"); >- } else { >+ } else { > $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >- } > } > } > } >-- >1.7.4.1 > > >From a90dadc3bd02c231fe0782a833a1a39a77d2f0b0 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:05:39 +0100 >Subject: [PATCH 04/10] pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength() > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 55 +++++++++++++++++++++++------- > 1 files changed, 42 insertions(+), 13 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index d1982f8..285a056 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -315,39 +315,68 @@ sub check_null_pointer($$$$) > } > } > >-##################################################################### >-# parse an array - pull side >-sub ParseArrayPullHeader($$$$$$) >+sub ParseArrayPullGetSize($$$$$$) > { > my ($self,$e,$l,$ndr,$var_name,$env) = @_; > >- my $length; > my $size; > > if ($l->{IS_CONFORMANT}) { >- $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; >+ $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; > } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays >- $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; >+ $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; > } else { >- $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, >+ $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, > check_null_pointer($e, $env, sub { $self->pidl(shift); }, > "return ndr_pull_error($ndr, NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"), > check_fully_dereferenced($e, $env)); > } > >+ my $array_size = $size; >+ >+ return $array_size; >+} >+ >+##################################################################### >+# parse an array - pull side >+sub ParseArrayPullGetLength($$$$$$;$) >+{ >+ my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_; >+ >+ if (not defined($array_size)) { >+ $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); >+ } >+ >+ my $array_length = $array_size; >+ if ($l->{IS_VARYING}) { >+ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >+ $array_length = $length; >+ } >+ >+ return $array_length; >+} >+ >+##################################################################### >+# parse an array - pull side >+sub ParseArrayPullHeader($$$$$$) >+{ >+ my ($self,$e,$l,$ndr,$var_name,$env) = @_; >+ > if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) { > $self->pidl("NDR_CHECK(ndr_pull_array_size($ndr, " . get_pointer_to($var_name) . "));"); > } > > if ($l->{IS_VARYING}) { > $self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . get_pointer_to($var_name) . "));"); >- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; > } > >- if ($length ne $size) { >- $self->pidl("if ($length > $size) {"); >+ my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); >+ my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env, $array_size); >+ >+ if ($array_length ne $array_size) { >+ $self->pidl("if ($array_length > $array_size) {"); > $self->indent; >- $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $size, $length);"); >+ $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $array_size, $array_length);"); > $self->deindent; > $self->pidl("}"); > } >@@ -377,10 +406,10 @@ sub ParseArrayPullHeader($$$$$$) > } > > if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) { >- $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size); >+ $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size); > } > >- return $length; >+ return $array_length; > } > > sub compression_alg($$) >-- >1.7.4.1 > > >From 728557488bc59babc31b57ea75e73d96207b4ffe Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:07:47 +0100 >Subject: [PATCH 05/10] pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 +----- > 1 files changed, 1 insertions(+), 5 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 285a056..e398cae 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1111,14 +1111,10 @@ sub ParseElementPullLevel > } > } elsif ($l->{TYPE} eq "ARRAY" and > not has_fast_array($e,$l) and not is_charset_array($e, $l)) { >- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >+ my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); > my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; > my $array_name = $var_name; > >- if ($l->{IS_VARYING}) { >- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >- } >- > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); > if ($low < 0) { >-- >1.7.4.1 > > >From f7b8253a44b177c8894050d21005462a9e898ea1 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 15:07:08 +0100 >Subject: [PATCH 06/10] pidl/NDR/Parser: remember if we already know the array length > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 8 +++++++- > 1 files changed, 7 insertions(+), 1 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index e398cae..ff1f0c1 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1028,6 +1028,7 @@ sub ParseElementPullLevel > my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_; > > my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred); >+ my $array_length = undef; > > if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or $l->{IS_CONFORMANT})) { > $var_name = get_pointer_to($var_name); >@@ -1041,6 +1042,7 @@ sub ParseElementPullLevel > $self->ParseSubcontextPullEnd($e, $l, $ndr, $env); > } elsif ($l->{TYPE} eq "ARRAY") { > my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); >+ $array_length = $length; > > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); >@@ -1111,10 +1113,14 @@ sub ParseElementPullLevel > } > } elsif ($l->{TYPE} eq "ARRAY" and > not has_fast_array($e,$l) and not is_charset_array($e, $l)) { >- my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); >+ my $length = $array_length; > my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; > my $array_name = $var_name; > >+ if (not defined($length)) { >+ $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); >+ } >+ > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); > if ($low < 0) { >-- >1.7.4.1 > > >From 469df3802d0998fb16e6dd870c84339cb8556be7 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:13:20 +0100 >Subject: [PATCH 07/10] pidl/NDR/Parser: use helper variables for array size and length > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 22 +++++++++++++++------- > 1 files changed, 15 insertions(+), 7 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index ff1f0c1..a98ec6e 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -332,7 +332,8 @@ sub ParseArrayPullGetSize($$$$$$) > check_fully_dereferenced($e, $env)); > } > >- my $array_size = $size; >+ $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); >+ my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; > > return $array_size; > } >@@ -350,7 +351,8 @@ sub ParseArrayPullGetLength($$$$$$;$) > my $array_length = $array_size; > if ($l->{IS_VARYING}) { > my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >- $array_length = $length; >+ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); >+ $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; > } > > return $array_length; >@@ -1540,12 +1542,18 @@ sub DeclarePtrVariables($$) > } > } > >-sub DeclareArrayVariables($$) >+sub DeclareArrayVariables($$;$) > { >- my ($self,$e) = @_; >+ my ($self,$e,$pull) = @_; > > foreach my $l (@{$e->{LEVELS}}) { > next if ($l->{TYPE} ne "ARRAY"); >+ if (defined($pull)) { >+ $self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); >+ if ($l->{IS_VARYING}) { >+ $self->pidl("uint32_t length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); >+ } >+ } > next if has_fast_array($e,$l); > next if is_charset_array($e,$l); > $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >@@ -1630,7 +1638,7 @@ sub ParseStructPull($$$$) > # declare any internal pointers we need > foreach my $e (@{$struct->{ELEMENTS}}) { > $self->DeclarePtrVariables($e); >- $self->DeclareArrayVariables($e); >+ $self->DeclareArrayVariables($e, "pull"); > $self->DeclareMemCtxVariables($e); > } > >@@ -1951,7 +1959,7 @@ sub ParseUnionPull($$$$) > next if ($double_cases{"$el->{NAME}"}); > $self->DeclareMemCtxVariables($el); > $self->DeclarePtrVariables($el); >- $self->DeclareArrayVariables($el); >+ $self->DeclareArrayVariables($el, "pull"); > $double_cases{"$el->{NAME}"} = 1; > } > >@@ -2223,7 +2231,7 @@ sub ParseFunctionPull($$) > # declare any internal pointers we need > foreach my $e (@{$fn->{ELEMENTS}}) { > $self->DeclarePtrVariables($e); >- $self->DeclareArrayVariables($e); >+ $self->DeclareArrayVariables($e, "pull"); > } > > my %double_cases = (); >-- >1.7.4.1 > > >From 067e955fd6365815428fbe96dee73202acb7cb6f Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:14:48 +0100 >Subject: [PATCH 08/10] pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength() > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 42 ++++++++++-------------------- > 1 files changed, 14 insertions(+), 28 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index a98ec6e..48a94ef 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -355,6 +355,20 @@ sub ParseArrayPullGetLength($$$$$$;$) > $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; > } > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($array_length > $high) {"); >+ } else { >+ $self->pidl("if ($array_length < $low || $array_length > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > return $array_length; > } > >@@ -1046,20 +1060,6 @@ sub ParseElementPullLevel > my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); > $array_length = $length; > >- if (my $range = has_property($e, "range")) { >- my ($low, $high) = split(/,/, $range, 2); >- if ($low < 0) { >- warning(0, "$low is invalid for the range of an array size"); >- } >- if ($low == 0) { >- $self->pidl("if ($length > $high) {"); >- } else { >- $self->pidl("if ($length < $low || $length > $high) {"); >- } >- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >- $self->pidl("}"); >- } >- > my $nl = GetNextLevel($e, $l); > > if (is_charset_array($e,$l)) { >@@ -1123,20 +1123,6 @@ sub ParseElementPullLevel > $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); > } > >- if (my $range = has_property($e, "range")) { >- my ($low, $high) = split(/,/, $range, 2); >- if ($low < 0) { >- warning(0, "$low is invalid for the range of an array size"); >- } >- if ($low == 0) { >- $self->pidl("if ($length > $high) {"); >- } else { >- $self->pidl("if ($length < $low || $length > $high) {"); >- } >- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >- $self->pidl("}"); >- } >- > $var_name = get_array_element($var_name, $counter); > > $self->ParseMemCtxPullStart($e, $l, $ndr, $array_name); >-- >1.7.4.1 > > >From deafcb59aaf286cd8601a3eff056bac9fc5ee960 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 17:03:05 +0100 >Subject: [PATCH 09/10] pidl/NDR/Parser: also do range checks on the array size > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 25 ++++++++++++++++++++----- > 1 files changed, 20 insertions(+), 5 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 48a94ef..1543984 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -335,6 +335,20 @@ sub ParseArrayPullGetSize($$$$$$) > $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); > my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($array_size > $high) {"); >+ } else { >+ $self->pidl("if ($array_size < $low || $array_size > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > return $array_size; > } > >@@ -348,13 +362,14 @@ sub ParseArrayPullGetLength($$$$$$;$) > $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); > } > >- my $array_length = $array_size; >- if ($l->{IS_VARYING}) { >- my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >- $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); >- $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; >+ if (not $l->{IS_VARYING}) { >+ return $array_size; > } > >+ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >+ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); >+ my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; >+ > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); > if ($low < 0) { >-- >1.7.4.1 > > >From 2a15fea61c6e589393222b00d13f4226ba81a959 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 18:46:44 +0100 >Subject: [PATCH 10/10] rerun 'make samba3-idl' > >metze >--- > librpc/gen_ndr/ndr_dcerpc.c | 42 +- > librpc/gen_ndr/ndr_dfs.c | 840 ++++++++---- > librpc/gen_ndr/ndr_drsblobs.c | 160 ++- > librpc/gen_ndr/ndr_drsuapi.c | 1031 ++++++++++----- > librpc/gen_ndr/ndr_dssetup.c | 36 +- > librpc/gen_ndr/ndr_echo.c | 54 +- > librpc/gen_ndr/ndr_epmapper.c | 54 +- > librpc/gen_ndr/ndr_eventlog.c | 79 +- > librpc/gen_ndr/ndr_krb5pac.c | 22 +- > librpc/gen_ndr/ndr_lsa.c | 276 +++-- > librpc/gen_ndr/ndr_misc.c | 8 +- > librpc/gen_ndr/ndr_named_pipe_auth.c | 122 ++- > librpc/gen_ndr/ndr_nbt.c | 78 +- > librpc/gen_ndr/ndr_netlogon.c | 1789 ++++++++++++++++--------- > librpc/gen_ndr/ndr_ntlmssp.c | 60 +- > librpc/gen_ndr/ndr_ntsvcs.c | 112 +- > librpc/gen_ndr/ndr_samr.c | 182 ++- > librpc/gen_ndr/ndr_schannel.c | 52 +- > librpc/gen_ndr/ndr_security.c | 18 +- > librpc/gen_ndr/ndr_spoolss.c | 2321 +++++++++++++++++++++----------- > librpc/gen_ndr/ndr_srvsvc.c | 2178 +++++++++++++++++++----------- > librpc/gen_ndr/ndr_svcctl.c | 704 +++++++--- > librpc/gen_ndr/ndr_winreg.c | 158 ++- > librpc/gen_ndr/ndr_wkssvc.c | 1378 ++++++++++++------- > librpc/gen_ndr/ndr_xattr.c | 32 +- > source3/librpc/gen_ndr/ndr_libnetapi.c | 22 +- > source3/librpc/gen_ndr/ndr_messaging.c | 31 +- > source3/librpc/gen_ndr/ndr_notify.c | 27 +- > source3/librpc/gen_ndr/ndr_perfcount.c | 34 +- > source3/librpc/gen_ndr/ndr_printcap.c | 60 +- > source3/librpc/gen_ndr/ndr_secrets.c | 4 +- > source3/librpc/gen_ndr/ndr_wbint.c | 222 ++- > 32 files changed, 8031 insertions(+), 4155 deletions(-) > >diff --git a/librpc/gen_ndr/ndr_dcerpc.c b/librpc/gen_ndr/ndr_dcerpc.c >index 37f6d54..bf0ae29 100644 >--- a/librpc/gen_ndr/ndr_dcerpc.c >+++ b/librpc/gen_ndr/ndr_dcerpc.c >@@ -24,6 +24,7 @@ static enum ndr_err_code ndr_push_dcerpc_ctx_list(struct ndr_push *ndr, int ndr_ > > static enum ndr_err_code ndr_pull_dcerpc_ctx_list(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_ctx_list *r) > { >+ uint32_t size_transfer_syntaxes_0 = 0; > uint32_t cntr_transfer_syntaxes_0; > TALLOC_CTX *_mem_save_transfer_syntaxes_0; > if (ndr_flags & NDR_SCALARS) { >@@ -31,10 +32,11 @@ static enum ndr_err_code ndr_pull_dcerpc_ctx_list(struct ndr_pull *ndr, int ndr_ > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->context_id)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_transfer_syntaxes)); > NDR_CHECK(ndr_pull_ndr_syntax_id(ndr, NDR_SCALARS, &r->abstract_syntax)); >- NDR_PULL_ALLOC_N(ndr, r->transfer_syntaxes, r->num_transfer_syntaxes); >+ size_transfer_syntaxes_0 = r->num_transfer_syntaxes; >+ NDR_PULL_ALLOC_N(ndr, r->transfer_syntaxes, size_transfer_syntaxes_0); > _mem_save_transfer_syntaxes_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->transfer_syntaxes, 0); >- for (cntr_transfer_syntaxes_0 = 0; cntr_transfer_syntaxes_0 < r->num_transfer_syntaxes; cntr_transfer_syntaxes_0++) { >+ for (cntr_transfer_syntaxes_0 = 0; cntr_transfer_syntaxes_0 < size_transfer_syntaxes_0; cntr_transfer_syntaxes_0++) { > NDR_CHECK(ndr_pull_ndr_syntax_id(ndr, NDR_SCALARS, &r->transfer_syntaxes[cntr_transfer_syntaxes_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transfer_syntaxes_0, 0); >@@ -99,6 +101,7 @@ static enum ndr_err_code ndr_push_dcerpc_bind(struct ndr_push *ndr, int ndr_flag > > static enum ndr_err_code ndr_pull_dcerpc_bind(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind *r) > { >+ uint32_t size_ctx_list_0 = 0; > uint32_t cntr_ctx_list_0; > TALLOC_CTX *_mem_save_ctx_list_0; > if (ndr_flags & NDR_SCALARS) { >@@ -107,10 +110,11 @@ static enum ndr_err_code ndr_pull_dcerpc_bind(struct ndr_pull *ndr, int ndr_flag > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->max_recv_frag)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->assoc_group_id)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_contexts)); >- NDR_PULL_ALLOC_N(ndr, r->ctx_list, r->num_contexts); >+ size_ctx_list_0 = r->num_contexts; >+ NDR_PULL_ALLOC_N(ndr, r->ctx_list, size_ctx_list_0); > _mem_save_ctx_list_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->ctx_list, 0); >- for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < r->num_contexts; cntr_ctx_list_0++) { >+ for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < size_ctx_list_0; cntr_ctx_list_0++) { > NDR_CHECK(ndr_pull_dcerpc_ctx_list(ndr, NDR_SCALARS, &r->ctx_list[cntr_ctx_list_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ctx_list_0, 0); >@@ -406,6 +410,8 @@ static enum ndr_err_code ndr_push_dcerpc_bind_ack(struct ndr_push *ndr, int ndr_ > > static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_ack *r) > { >+ uint32_t size_secondary_address_0 = 0; >+ uint32_t size_ctx_list_0 = 0; > uint32_t cntr_ctx_list_0; > TALLOC_CTX *_mem_save_ctx_list_0; > if (ndr_flags & NDR_SCALARS) { >@@ -414,7 +420,8 @@ static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_ > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->max_recv_frag)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->assoc_group_id)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->secondary_address_size)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->secondary_address, r->secondary_address_size, sizeof(uint8_t), CH_DOS)); >+ size_secondary_address_0 = r->secondary_address_size; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->secondary_address, size_secondary_address_0, sizeof(uint8_t), CH_DOS)); > { > uint32_t _flags_save_DATA_BLOB = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN4); >@@ -422,10 +429,11 @@ static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_ > ndr->flags = _flags_save_DATA_BLOB; > } > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_results)); >- NDR_PULL_ALLOC_N(ndr, r->ctx_list, r->num_results); >+ size_ctx_list_0 = r->num_results; >+ NDR_PULL_ALLOC_N(ndr, r->ctx_list, size_ctx_list_0); > _mem_save_ctx_list_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->ctx_list, 0); >- for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < r->num_results; cntr_ctx_list_0++) { >+ for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < size_ctx_list_0; cntr_ctx_list_0++) { > NDR_CHECK(ndr_pull_dcerpc_ack_ctx(ndr, NDR_SCALARS, &r->ctx_list[cntr_ctx_list_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ctx_list_0, 0); >@@ -486,15 +494,17 @@ static enum ndr_err_code ndr_push_dcerpc_bind_nak_versions(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_dcerpc_bind_nak_versions(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_nak_versions *r) > { >+ uint32_t size_versions_0 = 0; > uint32_t cntr_versions_0; > TALLOC_CTX *_mem_save_versions_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_versions)); >- NDR_PULL_ALLOC_N(ndr, r->versions, r->num_versions); >+ size_versions_0 = r->num_versions; >+ NDR_PULL_ALLOC_N(ndr, r->versions, size_versions_0); > _mem_save_versions_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->versions, 0); >- for (cntr_versions_0 = 0; cntr_versions_0 < r->num_versions; cntr_versions_0++) { >+ for (cntr_versions_0 = 0; cntr_versions_0 < size_versions_0; cntr_versions_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->versions[cntr_versions_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_versions_0, 0); >@@ -1107,6 +1117,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_dcerpc_fack(struct ndr_push *ndr, int ndr_fl > > _PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_fack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_fack *r) > { >+ uint32_t size_selack_0 = 0; > uint32_t cntr_selack_0; > TALLOC_CTX *_mem_save_selack_0; > if (ndr_flags & NDR_SCALARS) { >@@ -1118,10 +1129,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_fack(struct ndr_pull *ndr, int ndr_fl > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_frag_size)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->serial_no)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->selack_size)); >- NDR_PULL_ALLOC_N(ndr, r->selack, r->selack_size); >+ size_selack_0 = r->selack_size; >+ NDR_PULL_ALLOC_N(ndr, r->selack, size_selack_0); > _mem_save_selack_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->selack, 0); >- for (cntr_selack_0 = 0; cntr_selack_0 < r->selack_size; cntr_selack_0++) { >+ for (cntr_selack_0 = 0; cntr_selack_0 < size_selack_0; cntr_selack_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->selack[cntr_selack_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_selack_0, 0); >@@ -1753,13 +1765,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_ncacn_packet(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_ncacn_packet(struct ndr_pull *ndr, int ndr_flags, struct ncacn_packet *r) > { >+ uint32_t size_drep_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers_minor)); > NDR_CHECK(ndr_pull_dcerpc_pkt_type(ndr, NDR_SCALARS, &r->ptype)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pfc_flags)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, 4)); >+ size_drep_0 = 4; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, size_drep_0)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->frag_length)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->auth_length)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->call_id)); >@@ -1825,13 +1839,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_ncadg_packet(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_ncadg_packet(struct ndr_pull *ndr, int ndr_flags, struct ncadg_packet *r) > { >+ uint32_t size_drep_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->ptype)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pfc_flags)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->ncadg_flags)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, 3)); >+ size_drep_0 = 3; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, size_drep_0)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->serial_high)); > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->object)); > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->iface)); >diff --git a/librpc/gen_ndr/ndr_dfs.c b/librpc/gen_ndr/ndr_dfs.c >index 62f42ba..bbadbeb 100644 >--- a/librpc/gen_ndr/ndr_dfs.c >+++ b/librpc/gen_ndr/ndr_dfs.c >@@ -81,6 +81,8 @@ static enum ndr_err_code ndr_push_dfs_Info1(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info1 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -98,11 +100,13 @@ static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > } >@@ -179,8 +183,12 @@ static enum ndr_err_code ndr_push_dfs_Info2(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info2 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -206,11 +214,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -218,11 +228,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -303,8 +315,12 @@ static enum ndr_err_code ndr_push_dfs_StorageInfo(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_flags, struct dfs_StorageInfo *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > TALLOC_CTX *_mem_save_server_0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; > TALLOC_CTX *_mem_save_share_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -329,11 +345,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server)); >- if (ndr_get_array_length(ndr, &r->server) > ndr_get_array_size(ndr, &r->server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server), ndr_get_array_length(ndr, &r->server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->server); >+ length_server_1 = ndr_get_array_length(ndr, &r->server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > if (r->share) { >@@ -341,11 +359,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->share)); >- if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->share); >+ length_share_1 = ndr_get_array_length(ndr, &r->share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > } >@@ -413,10 +433,15 @@ static enum ndr_err_code ndr_push_dfs_Info3(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info3 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_stores; >+ uint32_t size_stores_1 = 0; > uint32_t cntr_stores_1; > TALLOC_CTX *_mem_save_stores_0; > TALLOC_CTX *_mem_save_stores_1; >@@ -450,11 +475,13 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -462,24 +489,27 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->stores) { > _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); >- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); >+ size_stores_1 = ndr_get_array_size(ndr, &r->stores); >+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); > _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); > } >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); >@@ -572,10 +602,15 @@ static enum ndr_err_code ndr_push_dfs_Info4(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info4 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_stores; >+ uint32_t size_stores_1 = 0; > uint32_t cntr_stores_1; > TALLOC_CTX *_mem_save_stores_0; > TALLOC_CTX *_mem_save_stores_1; >@@ -611,11 +646,13 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -623,24 +660,27 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->stores) { > _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); >- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); >+ size_stores_1 = ndr_get_array_size(ndr, &r->stores); >+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); > _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); > } >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); >@@ -752,8 +792,12 @@ static enum ndr_err_code ndr_push_dfs_Info5(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info5 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -783,11 +827,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -795,11 +841,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -980,10 +1028,15 @@ static enum ndr_err_code ndr_push_dfs_Info6(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info6 *r) > { > uint32_t _ptr_entry_path; >+ uint32_t size_entry_path_1 = 0; >+ uint32_t length_entry_path_1 = 0; > TALLOC_CTX *_mem_save_entry_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_stores; >+ uint32_t size_stores_1 = 0; > uint32_t cntr_stores_1; > TALLOC_CTX *_mem_save_stores_0; > TALLOC_CTX *_mem_save_stores_1; >@@ -1021,11 +1074,13 @@ static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->entry_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->entry_path)); >- if (ndr_get_array_length(ndr, &r->entry_path) > ndr_get_array_size(ndr, &r->entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->entry_path), ndr_get_array_length(ndr, &r->entry_path)); >+ size_entry_path_1 = ndr_get_array_size(ndr, &r->entry_path); >+ length_entry_path_1 = ndr_get_array_length(ndr, &r->entry_path); >+ if (length_entry_path_1 > size_entry_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_entry_path_1, length_entry_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_entry_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, length_entry_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entry_path_0, 0); > } > if (r->comment) { >@@ -1033,24 +1088,27 @@ static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->stores) { > _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); >- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); >+ size_stores_1 = ndr_get_array_size(ndr, &r->stores); >+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); > _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); > } >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); >@@ -1157,6 +1215,8 @@ static enum ndr_err_code ndr_push_dfs_Info100(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info100(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info100 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -1174,11 +1234,13 @@ static enum ndr_err_code ndr_pull_dfs_Info100(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -1351,6 +1413,8 @@ static enum ndr_err_code ndr_push_dfs_Info105(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info105(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info105 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -1372,11 +1436,13 @@ static enum ndr_err_code ndr_pull_dfs_Info105(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -1456,6 +1522,8 @@ static enum ndr_err_code ndr_push_dfs_Info200(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info200(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info200 *r) > { > uint32_t _ptr_dom_root; >+ uint32_t size_dom_root_1 = 0; >+ uint32_t length_dom_root_1 = 0; > TALLOC_CTX *_mem_save_dom_root_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -1473,11 +1541,13 @@ static enum ndr_err_code ndr_pull_dfs_Info200(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->dom_root, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dom_root)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dom_root)); >- if (ndr_get_array_length(ndr, &r->dom_root) > ndr_get_array_size(ndr, &r->dom_root)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dom_root), ndr_get_array_length(ndr, &r->dom_root)); >+ size_dom_root_1 = ndr_get_array_size(ndr, &r->dom_root); >+ length_dom_root_1 = ndr_get_array_length(ndr, &r->dom_root); >+ if (length_dom_root_1 > size_dom_root_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_root_1, length_dom_root_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_root_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, length_dom_root_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_root_0, 0); > } > } >@@ -1544,6 +1614,8 @@ static enum ndr_err_code ndr_push_dfs_Info300(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info300(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info300 *r) > { > uint32_t _ptr_dom_root; >+ uint32_t size_dom_root_1 = 0; >+ uint32_t length_dom_root_1 = 0; > TALLOC_CTX *_mem_save_dom_root_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -1562,11 +1634,13 @@ static enum ndr_err_code ndr_pull_dfs_Info300(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->dom_root, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dom_root)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dom_root)); >- if (ndr_get_array_length(ndr, &r->dom_root) > ndr_get_array_size(ndr, &r->dom_root)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dom_root), ndr_get_array_length(ndr, &r->dom_root)); >+ size_dom_root_1 = ndr_get_array_size(ndr, &r->dom_root); >+ length_dom_root_1 = ndr_get_array_length(ndr, &r->dom_root); >+ if (length_dom_root_1 > size_dom_root_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_root_1, length_dom_root_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_root_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, length_dom_root_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_root_0, 0); > } > } >@@ -1763,20 +1837,35 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > TALLOC_CTX *_mem_save_info5_0; >+ uint32_t _ptr_info5; > TALLOC_CTX *_mem_save_info6_0; >+ uint32_t _ptr_info6; > TALLOC_CTX *_mem_save_info7_0; >+ uint32_t _ptr_info7; > TALLOC_CTX *_mem_save_info100_0; >+ uint32_t _ptr_info100; > TALLOC_CTX *_mem_save_info101_0; >+ uint32_t _ptr_info101; > TALLOC_CTX *_mem_save_info102_0; >+ uint32_t _ptr_info102; > TALLOC_CTX *_mem_save_info103_0; >+ uint32_t _ptr_info103; > TALLOC_CTX *_mem_save_info104_0; >+ uint32_t _ptr_info104; > TALLOC_CTX *_mem_save_info105_0; >+ uint32_t _ptr_info105; > TALLOC_CTX *_mem_save_info106_0; >+ uint32_t _ptr_info106; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1786,7 +1875,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -1796,7 +1884,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -1806,7 +1893,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -1816,7 +1902,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -1826,7 +1911,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -1836,7 +1920,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 5: { >- uint32_t _ptr_info5; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); > if (_ptr_info5) { > NDR_PULL_ALLOC(ndr, r->info5); >@@ -1846,7 +1929,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 6: { >- uint32_t _ptr_info6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); > if (_ptr_info6) { > NDR_PULL_ALLOC(ndr, r->info6); >@@ -1856,7 +1938,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 7: { >- uint32_t _ptr_info7; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info7)); > if (_ptr_info7) { > NDR_PULL_ALLOC(ndr, r->info7); >@@ -1866,7 +1947,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 100: { >- uint32_t _ptr_info100; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); > if (_ptr_info100) { > NDR_PULL_ALLOC(ndr, r->info100); >@@ -1876,7 +1956,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 101: { >- uint32_t _ptr_info101; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); > if (_ptr_info101) { > NDR_PULL_ALLOC(ndr, r->info101); >@@ -1886,7 +1965,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 102: { >- uint32_t _ptr_info102; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info102)); > if (_ptr_info102) { > NDR_PULL_ALLOC(ndr, r->info102); >@@ -1896,7 +1974,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 103: { >- uint32_t _ptr_info103; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info103)); > if (_ptr_info103) { > NDR_PULL_ALLOC(ndr, r->info103); >@@ -1906,7 +1983,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 104: { >- uint32_t _ptr_info104; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info104)); > if (_ptr_info104) { > NDR_PULL_ALLOC(ndr, r->info104); >@@ -1916,7 +1992,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 105: { >- uint32_t _ptr_info105; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info105)); > if (_ptr_info105) { > NDR_PULL_ALLOC(ndr, r->info105); >@@ -1926,7 +2001,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 106: { >- uint32_t _ptr_info106; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info106)); > if (_ptr_info106) { > NDR_PULL_ALLOC(ndr, r->info106); >@@ -2255,6 +2329,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray1(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray1(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray1 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2274,13 +2349,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray1(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info1(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info1(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2343,6 +2419,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray2(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray2(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray2 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2362,13 +2439,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray2(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info2(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info2(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2431,6 +2509,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray3(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray3(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray3 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2450,13 +2529,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray3(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info3(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info3(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2519,6 +2599,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray4(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray4(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray4 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2538,13 +2619,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray4(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info4(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info4(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2607,6 +2689,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray5(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray5(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray5 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2626,13 +2709,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray5(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info5(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info5(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2695,6 +2779,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray6(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray6(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray6 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2714,13 +2799,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray6(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info6(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info6(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2783,6 +2869,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray200(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_dfs_EnumArray200(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray200 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2802,13 +2889,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray200(struct ndr_pull *ndr, int ndr > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info200(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info200(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2871,6 +2959,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray300(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_dfs_EnumArray300(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray300 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2890,13 +2979,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray300(struct ndr_pull *ndr, int ndr > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info300(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info300(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -3039,13 +3129,21 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > TALLOC_CTX *_mem_save_info5_0; >+ uint32_t _ptr_info5; > TALLOC_CTX *_mem_save_info6_0; >+ uint32_t _ptr_info6; > TALLOC_CTX *_mem_save_info200_0; >+ uint32_t _ptr_info200; > TALLOC_CTX *_mem_save_info300_0; >+ uint32_t _ptr_info300; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -3055,7 +3153,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -3065,7 +3162,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -3075,7 +3171,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -3085,7 +3180,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -3095,7 +3189,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 5: { >- uint32_t _ptr_info5; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); > if (_ptr_info5) { > NDR_PULL_ALLOC(ndr, r->info5); >@@ -3105,7 +3198,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 6: { >- uint32_t _ptr_info6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); > if (_ptr_info6) { > NDR_PULL_ALLOC(ndr, r->info6); >@@ -3115,7 +3207,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 200: { >- uint32_t _ptr_info200; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info200)); > if (_ptr_info200) { > NDR_PULL_ALLOC(ndr, r->info200); >@@ -3125,7 +3216,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 300: { >- uint32_t _ptr_info300; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info300)); > if (_ptr_info300) { > NDR_PULL_ALLOC(ndr, r->info300); >@@ -3364,6 +3454,8 @@ static enum ndr_err_code ndr_push_dfs_UnknownStruct(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_dfs_UnknownStruct(struct ndr_pull *ndr, int ndr_flags, struct dfs_UnknownStruct *r) > { > uint32_t _ptr_unknown2; >+ uint32_t size_unknown2_1 = 0; >+ uint32_t length_unknown2_1 = 0; > TALLOC_CTX *_mem_save_unknown2_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3382,11 +3474,13 @@ static enum ndr_err_code ndr_pull_dfs_UnknownStruct(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown2)); >- if (ndr_get_array_length(ndr, &r->unknown2) > ndr_get_array_size(ndr, &r->unknown2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown2), ndr_get_array_length(ndr, &r->unknown2)); >+ size_unknown2_1 = ndr_get_array_size(ndr, &r->unknown2); >+ length_unknown2_1 = ndr_get_array_length(ndr, &r->unknown2); >+ if (length_unknown2_1 > size_unknown2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); > } > } >@@ -3506,25 +3600,37 @@ static enum ndr_err_code ndr_push_dfs_Add(struct ndr_push *ndr, int flags, const > > static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struct dfs_Add *r) > { >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_share_0; > TALLOC_CTX *_mem_save_comment_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_1 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); > if (_ptr_share) { > NDR_PULL_ALLOC(ndr, r->in.share); >@@ -3536,11 +3642,13 @@ static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struc > NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); >- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->in.share); >+ length_share_1 = ndr_get_array_length(ndr, &r->in.share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_comment)); >@@ -3554,11 +3662,13 @@ static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struc > NDR_PULL_SET_MEM_CTX(ndr, r->in.comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); >@@ -3644,18 +3754,26 @@ static enum ndr_err_code ndr_push_dfs_Remove(struct ndr_push *ndr, int flags, co > > static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, struct dfs_Remove *r) > { >+ uint32_t size_dfs_entry_path_1 = 0; >+ uint32_t length_dfs_entry_path_1 = 0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_sharename_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); >- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); >+ size_dfs_entry_path_1 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); >+ length_dfs_entry_path_1 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); >+ if (length_dfs_entry_path_1 > size_dfs_entry_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_1, length_dfs_entry_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); > if (_ptr_servername) { > NDR_PULL_ALLOC(ndr, r->in.servername); >@@ -3667,11 +3785,13 @@ static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, st > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); >@@ -3685,11 +3805,13 @@ static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, st > NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); >- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > } >@@ -3772,19 +3894,27 @@ static enum ndr_err_code ndr_push_dfs_SetInfo(struct ndr_push *ndr, int flags, c > > static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, struct dfs_SetInfo *r) > { >+ uint32_t size_dfs_entry_path_0 = 0; >+ uint32_t length_dfs_entry_path_0 = 0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_sharename_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); >- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); >+ size_dfs_entry_path_0 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); >+ length_dfs_entry_path_0 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); >+ if (length_dfs_entry_path_0 > size_dfs_entry_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_0, length_dfs_entry_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); > if (_ptr_servername) { > NDR_PULL_ALLOC(ndr, r->in.servername); >@@ -3796,11 +3926,13 @@ static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); >@@ -3814,11 +3946,13 @@ static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); >- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -3913,8 +4047,14 @@ static enum ndr_err_code ndr_push_dfs_GetInfo(struct ndr_push *ndr, int flags, c > > static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, struct dfs_GetInfo *r) > { >+ uint32_t size_dfs_entry_path_0 = 0; >+ uint32_t length_dfs_entry_path_0 = 0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_sharename_0; > TALLOC_CTX *_mem_save_info_0; >@@ -3923,11 +4063,13 @@ static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, s > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); >- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); >+ size_dfs_entry_path_0 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); >+ length_dfs_entry_path_0 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); >+ if (length_dfs_entry_path_0 > size_dfs_entry_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_0, length_dfs_entry_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); > if (_ptr_servername) { > NDR_PULL_ALLOC(ndr, r->in.servername); >@@ -3939,11 +4081,13 @@ static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); >@@ -3957,11 +4101,13 @@ static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); >- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -4379,6 +4525,18 @@ static enum ndr_err_code ndr_push_dfs_AddFtRoot(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_dfs_AddFtRoot(struct ndr_pull *ndr, int flags, struct dfs_AddFtRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_dns_servername_0 = 0; >+ uint32_t length_dns_servername_0 = 0; >+ uint32_t size_dfsname_0 = 0; >+ uint32_t length_dfsname_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; >+ uint32_t size_comment_0 = 0; >+ uint32_t length_comment_0 = 0; >+ uint32_t size_dfs_config_dn_0 = 0; >+ uint32_t length_dfs_config_dn_0 = 0; > uint32_t _ptr_unknown2; > TALLOC_CTX *_mem_save_unknown2_0; > TALLOC_CTX *_mem_save_unknown2_1; >@@ -4387,46 +4545,58 @@ static enum ndr_err_code ndr_pull_dfs_AddFtRoot(struct ndr_pull *ndr, int flags, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_servername)); >- if (ndr_get_array_length(ndr, &r->in.dns_servername) > ndr_get_array_size(ndr, &r->in.dns_servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_servername), ndr_get_array_length(ndr, &r->in.dns_servername)); >+ size_dns_servername_0 = ndr_get_array_size(ndr, &r->in.dns_servername); >+ length_dns_servername_0 = ndr_get_array_length(ndr, &r->in.dns_servername); >+ if (length_dns_servername_0 > size_dns_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_servername_0, length_dns_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, length_dns_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfsname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfsname)); >- if (ndr_get_array_length(ndr, &r->in.dfsname) > ndr_get_array_size(ndr, &r->in.dfsname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfsname), ndr_get_array_length(ndr, &r->in.dfsname)); >+ size_dfsname_0 = ndr_get_array_size(ndr, &r->in.dfsname); >+ length_dfsname_0 = ndr_get_array_length(ndr, &r->in.dfsname); >+ if (length_dfsname_0 > size_dfsname_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfsname_0, length_dfsname_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfsname_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, length_dfsname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_0 > size_comment_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_config_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_config_dn)); >- if (ndr_get_array_length(ndr, &r->in.dfs_config_dn) > ndr_get_array_size(ndr, &r->in.dfs_config_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_config_dn), ndr_get_array_length(ndr, &r->in.dfs_config_dn)); >+ size_dfs_config_dn_0 = ndr_get_array_size(ndr, &r->in.dfs_config_dn); >+ length_dfs_config_dn_0 = ndr_get_array_length(ndr, &r->in.dfs_config_dn); >+ if (length_dfs_config_dn_0 > size_dfs_config_dn_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_config_dn_0, length_dfs_config_dn_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_config_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_config_dn, ndr_get_array_length(ndr, &r->in.dfs_config_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_config_dn_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_config_dn, length_dfs_config_dn_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->in.unknown1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown2)); >@@ -4576,6 +4746,14 @@ static enum ndr_err_code ndr_push_dfs_RemoveFtRoot(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_RemoveFtRoot(struct ndr_pull *ndr, int flags, struct dfs_RemoveFtRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_dns_servername_0 = 0; >+ uint32_t length_dns_servername_0 = 0; >+ uint32_t size_dfsname_0 = 0; >+ uint32_t length_dfsname_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; > uint32_t _ptr_unknown; > TALLOC_CTX *_mem_save_unknown_0; > TALLOC_CTX *_mem_save_unknown_1; >@@ -4584,32 +4762,40 @@ static enum ndr_err_code ndr_pull_dfs_RemoveFtRoot(struct ndr_pull *ndr, int fla > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_servername)); >- if (ndr_get_array_length(ndr, &r->in.dns_servername) > ndr_get_array_size(ndr, &r->in.dns_servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_servername), ndr_get_array_length(ndr, &r->in.dns_servername)); >+ size_dns_servername_0 = ndr_get_array_size(ndr, &r->in.dns_servername); >+ length_dns_servername_0 = ndr_get_array_length(ndr, &r->in.dns_servername); >+ if (length_dns_servername_0 > size_dns_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_servername_0, length_dns_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, length_dns_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfsname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfsname)); >- if (ndr_get_array_length(ndr, &r->in.dfsname) > ndr_get_array_size(ndr, &r->in.dfsname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfsname), ndr_get_array_length(ndr, &r->in.dfsname)); >+ size_dfsname_0 = ndr_get_array_size(ndr, &r->in.dfsname); >+ length_dfsname_0 = ndr_get_array_length(ndr, &r->in.dfsname); >+ if (length_dfsname_0 > size_dfsname_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfsname_0, length_dfsname_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfsname_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, length_dfsname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown)); > if (_ptr_unknown) { >@@ -4737,28 +4923,40 @@ static enum ndr_err_code ndr_push_dfs_AddStdRoot(struct ndr_push *ndr, int flags > > static enum ndr_err_code ndr_pull_dfs_AddStdRoot(struct ndr_pull *ndr, int flags, struct dfs_AddStdRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; >+ uint32_t size_comment_0 = 0; >+ uint32_t length_comment_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_0 > size_comment_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -4813,21 +5011,29 @@ static enum ndr_err_code ndr_push_dfs_RemoveStdRoot(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_dfs_RemoveStdRoot(struct ndr_pull *ndr, int flags, struct dfs_RemoveStdRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -4880,14 +5086,18 @@ static enum ndr_err_code ndr_push_dfs_ManagerInitialize(struct ndr_push *ndr, in > > static enum ndr_err_code ndr_pull_dfs_ManagerInitialize(struct ndr_pull *ndr, int flags, struct dfs_ManagerInitialize *r) > { >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -4950,35 +5160,51 @@ static enum ndr_err_code ndr_push_dfs_AddStdRootForced(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_dfs_AddStdRootForced(struct ndr_pull *ndr, int flags, struct dfs_AddStdRootForced *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; >+ uint32_t size_comment_0 = 0; >+ uint32_t length_comment_0 = 0; >+ uint32_t size_store_0 = 0; >+ uint32_t length_store_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_0 > size_comment_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.store)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.store)); >- if (ndr_get_array_length(ndr, &r->in.store) > ndr_get_array_size(ndr, &r->in.store)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.store), ndr_get_array_length(ndr, &r->in.store)); >+ size_store_0 = ndr_get_array_size(ndr, &r->in.store); >+ length_store_0 = ndr_get_array_length(ndr, &r->in.store); >+ if (length_store_0 > size_store_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_store_0, length_store_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.store), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.store, ndr_get_array_length(ndr, &r->in.store), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_store_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.store, length_store_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -5063,7 +5289,11 @@ static enum ndr_err_code ndr_push_dfs_GetDcAddress(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int flags, struct dfs_GetDcAddress *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; > uint32_t _ptr_server_fullname; >+ uint32_t size_server_fullname_2 = 0; >+ uint32_t length_server_fullname_2 = 0; > TALLOC_CTX *_mem_save_server_fullname_0; > TALLOC_CTX *_mem_save_server_fullname_1; > TALLOC_CTX *_mem_save_is_root_0; >@@ -5073,11 +5303,13 @@ static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int fla > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.server_fullname); > } >@@ -5094,11 +5326,13 @@ static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, *r->in.server_fullname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->in.server_fullname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->in.server_fullname)); >- if (ndr_get_array_length(ndr, r->in.server_fullname) > ndr_get_array_size(ndr, r->in.server_fullname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->in.server_fullname), ndr_get_array_length(ndr, r->in.server_fullname)); >+ size_server_fullname_2 = ndr_get_array_size(ndr, r->in.server_fullname); >+ length_server_fullname_2 = ndr_get_array_length(ndr, r->in.server_fullname); >+ if (length_server_fullname_2 > size_server_fullname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_2, length_server_fullname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->in.server_fullname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.server_fullname, ndr_get_array_length(ndr, r->in.server_fullname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.server_fullname, length_server_fullname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -5140,11 +5374,13 @@ static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, *r->out.server_fullname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.server_fullname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.server_fullname)); >- if (ndr_get_array_length(ndr, r->out.server_fullname) > ndr_get_array_size(ndr, r->out.server_fullname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.server_fullname), ndr_get_array_length(ndr, r->out.server_fullname)); >+ size_server_fullname_2 = ndr_get_array_size(ndr, r->out.server_fullname); >+ length_server_fullname_2 = ndr_get_array_length(ndr, r->out.server_fullname); >+ if (length_server_fullname_2 > size_server_fullname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_2, length_server_fullname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.server_fullname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.server_fullname, ndr_get_array_length(ndr, r->out.server_fullname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.server_fullname, length_server_fullname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -5245,21 +5481,29 @@ static enum ndr_err_code ndr_push_dfs_SetDcAddress(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_SetDcAddress(struct ndr_pull *ndr, int flags, struct dfs_SetDcAddress *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_server_fullname_0 = 0; >+ uint32_t length_server_fullname_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_fullname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_fullname)); >- if (ndr_get_array_length(ndr, &r->in.server_fullname) > ndr_get_array_size(ndr, &r->in.server_fullname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_fullname), ndr_get_array_length(ndr, &r->in.server_fullname)); >+ size_server_fullname_0 = ndr_get_array_size(ndr, &r->in.server_fullname); >+ length_server_fullname_0 = ndr_get_array_length(ndr, &r->in.server_fullname); >+ if (length_server_fullname_0 > size_server_fullname_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_0, length_server_fullname_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_fullname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_fullname, ndr_get_array_length(ndr, &r->in.server_fullname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_fullname, length_server_fullname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.ttl)); > } >@@ -5314,21 +5558,29 @@ static enum ndr_err_code ndr_push_dfs_FlushFtTable(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_FlushFtTable(struct ndr_pull *ndr, int flags, struct dfs_FlushFtTable *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -5475,6 +5727,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_dfs_EnumEx(struct ndr_push *ndr, int flags, > > _PUBLIC_ enum ndr_err_code ndr_pull_dfs_EnumEx(struct ndr_pull *ndr, int flags, struct dfs_EnumEx *r) > { >+ uint32_t size_dfs_name_0 = 0; >+ uint32_t length_dfs_name_0 = 0; > uint32_t _ptr_info; > uint32_t _ptr_total; > TALLOC_CTX *_mem_save_info_0; >@@ -5484,11 +5738,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dfs_EnumEx(struct ndr_pull *ndr, int flags, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_name)); >- if (ndr_get_array_length(ndr, &r->in.dfs_name) > ndr_get_array_size(ndr, &r->in.dfs_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_name), ndr_get_array_length(ndr, &r->in.dfs_name)); >+ size_dfs_name_0 = ndr_get_array_size(ndr, &r->in.dfs_name); >+ length_dfs_name_0 = ndr_get_array_length(ndr, &r->in.dfs_name); >+ if (length_dfs_name_0 > size_dfs_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_name_0, length_dfs_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_name, ndr_get_array_length(ndr, &r->in.dfs_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_name, length_dfs_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.bufsize)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info)); >diff --git a/librpc/gen_ndr/ndr_drsblobs.c b/librpc/gen_ndr/ndr_drsblobs.c >index 948fdc5..a675706 100644 >--- a/librpc/gen_ndr/ndr_drsblobs.c >+++ b/librpc/gen_ndr/ndr_drsblobs.c >@@ -73,16 +73,18 @@ static enum ndr_err_code ndr_push_replPropertyMetaDataCtr1(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_replPropertyMetaDataCtr1(struct ndr_pull *ndr, int ndr_flags, struct replPropertyMetaDataCtr1 *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, r->count); >+ size_array_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_replPropertyMetaData1(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -242,16 +244,18 @@ static enum ndr_err_code ndr_push_replUpToDateVectorCtr1(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_replUpToDateVectorCtr1(struct ndr_pull *ndr, int ndr_flags, struct replUpToDateVectorCtr1 *r) > { >+ uint32_t size_cursors_0 = 0; > uint32_t cntr_cursors_0; > TALLOC_CTX *_mem_save_cursors_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->cursors, r->count); >+ size_cursors_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); > _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); >- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { >+ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); >@@ -301,16 +305,18 @@ static enum ndr_err_code ndr_push_replUpToDateVectorCtr2(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_replUpToDateVectorCtr2(struct ndr_pull *ndr, int ndr_flags, struct replUpToDateVectorCtr2 *r) > { >+ uint32_t size_cursors_0 = 0; > uint32_t cntr_cursors_0; > TALLOC_CTX *_mem_save_cursors_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->cursors, r->count); >+ size_cursors_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); > _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); >- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { >+ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor2(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); >@@ -484,10 +490,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_repsFromTo1OtherInfo(struct ndr_push *ndr, i > > _PUBLIC_ enum ndr_err_code ndr_pull_repsFromTo1OtherInfo(struct ndr_pull *ndr, int ndr_flags, struct repsFromTo1OtherInfo *r) > { >+ uint32_t size_dns_name_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__dns_name_size)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, r->__dns_name_size, sizeof(uint8_t), CH_DOS)); >+ size_dns_name_0 = r->__dns_name_size; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, size_dns_name_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -548,6 +556,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_repsFromTo1(struct ndr_pull *ndr, int ndr_fl > { > uint32_t _ptr_other_info; > TALLOC_CTX *_mem_save_other_info_0; >+ uint32_t size_schedule_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); >@@ -567,7 +576,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_repsFromTo1(struct ndr_pull *ndr, int ndr_fl > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->other_info_length)); > NDR_CHECK(ndr_pull_drsuapi_DsReplicaNeighbourFlags(ndr, NDR_SCALARS, &r->replica_flags)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); >+ size_schedule_0 = 84; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); > NDR_CHECK(ndr_pull_drsuapi_DsReplicaHighWaterMark(ndr, NDR_SCALARS, &r->highwatermark)); > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->source_dsa_obj_guid)); >@@ -822,6 +832,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_repsFromTo2(struct ndr_pull *ndr, int ndr_fl > { > uint32_t _ptr_other_info; > TALLOC_CTX *_mem_save_other_info_0; >+ uint32_t size_schedule_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); >@@ -841,7 +852,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_repsFromTo2(struct ndr_pull *ndr, int ndr_fl > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->other_info_length)); > NDR_CHECK(ndr_pull_drsuapi_DsReplicaNeighbourFlags(ndr, NDR_SCALARS, &r->replica_flags)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); >+ size_schedule_0 = 84; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); > NDR_CHECK(ndr_pull_drsuapi_DsReplicaHighWaterMark(ndr, NDR_SCALARS, &r->highwatermark)); > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->source_dsa_obj_guid)); >@@ -1057,15 +1069,17 @@ static enum ndr_err_code ndr_push_partialAttributeSetCtr1(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_partialAttributeSetCtr1(struct ndr_pull *ndr, int ndr_flags, struct partialAttributeSetCtr1 *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); >- NDR_PULL_ALLOC_N(ndr, r->array, r->count); >+ size_array_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsAttributeId(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -1505,10 +1519,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_ldapControlDirSyncCookie(struct ndr_push *nd > _PUBLIC_ enum ndr_err_code ndr_pull_ldapControlDirSyncCookie(struct ndr_pull *ndr, int ndr_flags, struct ldapControlDirSyncCookie *r) > { > uint32_t _save_relative_base_offset = ndr_pull_get_relative_base_offset(ndr); >+ uint32_t size_msds_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_setup_relative_base_offset1(ndr, r, ndr->offset)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->msds, 4, sizeof(uint8_t), CH_DOS)); >+ size_msds_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->msds, size_msds_0, sizeof(uint8_t), CH_DOS)); > { > struct ndr_pull *_ndr_blob; > NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_blob, 0, -1)); >@@ -1551,13 +1567,17 @@ static enum ndr_err_code ndr_push_supplementalCredentialsPackage(struct ndr_push > > static enum ndr_err_code ndr_pull_supplementalCredentialsPackage(struct ndr_pull *ndr, int ndr_flags, struct supplementalCredentialsPackage *r) > { >+ uint32_t size_name_0 = 0; >+ uint32_t size_data_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->name_len)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->data_len)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->reserved)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, r->name_len, sizeof(uint8_t), CH_UTF16)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data, r->data_len, sizeof(uint8_t), CH_DOS)); >+ size_name_0 = r->name_len; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, size_name_0, sizeof(uint8_t), CH_UTF16)); >+ size_data_0 = r->data_len; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data, size_data_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -1636,17 +1656,21 @@ static enum ndr_err_code ndr_push_supplementalCredentialsSubBlob(struct ndr_push > > static enum ndr_err_code ndr_pull_supplementalCredentialsSubBlob(struct ndr_pull *ndr, int ndr_flags, struct supplementalCredentialsSubBlob *r) > { >+ uint32_t size_prefix_0 = 0; >+ uint32_t size_packages_0 = 0; > uint32_t cntr_packages_0; > TALLOC_CTX *_mem_save_packages_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 3)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->prefix, 0x30, sizeof(uint16_t), CH_UTF16)); >+ size_prefix_0 = 0x30; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->prefix, size_prefix_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_supplementalCredentialsSignature(ndr, NDR_SCALARS, &r->signature)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_packages)); >- NDR_PULL_ALLOC_N(ndr, r->packages, r->num_packages); >+ size_packages_0 = r->num_packages; >+ NDR_PULL_ALLOC_N(ndr, r->packages, size_packages_0); > _mem_save_packages_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->packages, 0); >- for (cntr_packages_0 = 0; cntr_packages_0 < r->num_packages; cntr_packages_0++) { >+ for (cntr_packages_0 = 0; cntr_packages_0 < size_packages_0; cntr_packages_0++) { > NDR_CHECK(ndr_pull_supplementalCredentialsPackage(ndr, NDR_SCALARS, &r->packages[cntr_packages_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_packages_0, 0); >@@ -2016,8 +2040,10 @@ static enum ndr_err_code ndr_push_package_PrimaryKerberosCtr3(struct ndr_push *n > > static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr3(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryKerberosCtr3 *r) > { >+ uint32_t size_keys_0 = 0; > uint32_t cntr_keys_0; > TALLOC_CTX *_mem_save_keys_0; >+ uint32_t size_old_keys_0 = 0; > uint32_t cntr_old_keys_0; > TALLOC_CTX *_mem_save_old_keys_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2025,17 +2051,19 @@ static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr3(struct ndr_pull *n > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_keys)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_old_keys)); > NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_SCALARS, &r->salt)); >- NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); >+ size_keys_0 = r->num_keys; >+ NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->old_keys, r->num_old_keys); >+ size_old_keys_0 = r->num_old_keys; >+ NDR_PULL_ALLOC_N(ndr, r->old_keys, size_old_keys_0); > _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); >- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { >+ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_SCALARS, &r->old_keys[cntr_old_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); >@@ -2048,15 +2076,17 @@ static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr3(struct ndr_pull *n > } > if (ndr_flags & NDR_BUFFERS) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_BUFFERS, &r->salt)); >+ size_keys_0 = r->num_keys; > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_BUFFERS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >+ size_old_keys_0 = r->num_old_keys; > _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); >- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { >+ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_BUFFERS, &r->old_keys[cntr_old_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); >@@ -2250,12 +2280,16 @@ static enum ndr_err_code ndr_push_package_PrimaryKerberosCtr4(struct ndr_push *n > > static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr4(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryKerberosCtr4 *r) > { >+ uint32_t size_keys_0 = 0; > uint32_t cntr_keys_0; > TALLOC_CTX *_mem_save_keys_0; >+ uint32_t size_service_keys_0 = 0; > uint32_t cntr_service_keys_0; > TALLOC_CTX *_mem_save_service_keys_0; >+ uint32_t size_old_keys_0 = 0; > uint32_t cntr_old_keys_0; > TALLOC_CTX *_mem_save_old_keys_0; >+ uint32_t size_older_keys_0 = 0; > uint32_t cntr_older_keys_0; > TALLOC_CTX *_mem_save_older_keys_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2266,31 +2300,35 @@ static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr4(struct ndr_pull *n > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_older_keys)); > NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_SCALARS, &r->salt)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->default_iteration_count)); >- NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); >+ size_keys_0 = r->num_keys; >+ NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->service_keys, r->num_service_keys); >+ size_service_keys_0 = r->num_service_keys; >+ NDR_PULL_ALLOC_N(ndr, r->service_keys, size_service_keys_0); > _mem_save_service_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->service_keys, 0); >- for (cntr_service_keys_0 = 0; cntr_service_keys_0 < r->num_service_keys; cntr_service_keys_0++) { >+ for (cntr_service_keys_0 = 0; cntr_service_keys_0 < size_service_keys_0; cntr_service_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->service_keys[cntr_service_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_keys_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->old_keys, r->num_old_keys); >+ size_old_keys_0 = r->num_old_keys; >+ NDR_PULL_ALLOC_N(ndr, r->old_keys, size_old_keys_0); > _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); >- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { >+ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->old_keys[cntr_old_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->older_keys, r->num_older_keys); >+ size_older_keys_0 = r->num_older_keys; >+ NDR_PULL_ALLOC_N(ndr, r->older_keys, size_older_keys_0); > _mem_save_older_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->older_keys, 0); >- for (cntr_older_keys_0 = 0; cntr_older_keys_0 < r->num_older_keys; cntr_older_keys_0++) { >+ for (cntr_older_keys_0 = 0; cntr_older_keys_0 < size_older_keys_0; cntr_older_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->older_keys[cntr_older_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_older_keys_0, 0); >@@ -2298,27 +2336,31 @@ static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr4(struct ndr_pull *n > } > if (ndr_flags & NDR_BUFFERS) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_BUFFERS, &r->salt)); >+ size_keys_0 = r->num_keys; > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >+ size_service_keys_0 = r->num_service_keys; > _mem_save_service_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->service_keys, 0); >- for (cntr_service_keys_0 = 0; cntr_service_keys_0 < r->num_service_keys; cntr_service_keys_0++) { >+ for (cntr_service_keys_0 = 0; cntr_service_keys_0 < size_service_keys_0; cntr_service_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->service_keys[cntr_service_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_keys_0, 0); >+ size_old_keys_0 = r->num_old_keys; > _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); >- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { >+ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->old_keys[cntr_old_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); >+ size_older_keys_0 = r->num_older_keys; > _mem_save_older_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->older_keys, 0); >- for (cntr_older_keys_0 = 0; cntr_older_keys_0 < r->num_older_keys; cntr_older_keys_0++) { >+ for (cntr_older_keys_0 = 0; cntr_older_keys_0 < size_older_keys_0; cntr_older_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->older_keys[cntr_older_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_older_keys_0, 0); >@@ -2578,12 +2620,14 @@ static enum ndr_err_code ndr_push_package_PrimaryWDigestHash(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_package_PrimaryWDigestHash(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryWDigestHash *r) > { >+ uint32_t size_hash_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); >+ size_hash_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -2628,6 +2672,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_package_PrimaryWDigestBlob(struct ndr_push * > > _PUBLIC_ enum ndr_err_code ndr_pull_package_PrimaryWDigestBlob(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryWDigestBlob *r) > { >+ uint32_t size_hashes_0 = 0; > uint32_t cntr_hashes_0; > TALLOC_CTX *_mem_save_hashes_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2637,10 +2682,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_package_PrimaryWDigestBlob(struct ndr_pull * > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_hashes)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown3)); > NDR_CHECK(ndr_pull_udlong(ndr, NDR_SCALARS, &r->uuknown4)); >- NDR_PULL_ALLOC_N(ndr, r->hashes, r->num_hashes); >+ size_hashes_0 = r->num_hashes; >+ NDR_PULL_ALLOC_N(ndr, r->hashes, size_hashes_0); > _mem_save_hashes_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->hashes, 0); >- for (cntr_hashes_0 = 0; cntr_hashes_0 < r->num_hashes; cntr_hashes_0++) { >+ for (cntr_hashes_0 = 0; cntr_hashes_0 < size_hashes_0; cntr_hashes_0++) { > NDR_CHECK(ndr_pull_package_PrimaryWDigestHash(ndr, NDR_SCALARS, &r->hashes[cntr_hashes_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_hashes_0, 0); >@@ -2756,11 +2802,13 @@ static enum ndr_err_code ndr_push_AuthInfoClear(struct ndr_push *ndr, int ndr_fl > > static enum ndr_err_code ndr_pull_AuthInfoClear(struct ndr_pull *ndr, int ndr_flags, struct AuthInfoClear *r) > { >+ uint32_t size_password_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); >- NDR_PULL_ALLOC_N(ndr, r->password, r->size); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->password, r->size)); >+ size_password_0 = r->size; >+ NDR_PULL_ALLOC_N(ndr, r->password, size_password_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->password, size_password_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -3020,16 +3068,18 @@ _PUBLIC_ enum ndr_err_code ndr_push_trustCurrentPasswords(struct ndr_push *ndr, > _PUBLIC_ enum ndr_err_code ndr_pull_trustCurrentPasswords(struct ndr_pull *ndr, int ndr_flags, struct trustCurrentPasswords *r) > { > uint32_t _ptr_current; >+ uint32_t size_current_0 = 0; > uint32_t cntr_current_0; > TALLOC_CTX *_mem_save_current_0; > TALLOC_CTX *_mem_save_current_1; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); >- NDR_PULL_ALLOC_N(ndr, r->current, r->count); >+ size_current_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->current, size_current_0); > _mem_save_current_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->current, 0); >- for (cntr_current_0 = 0; cntr_current_0 < r->count; cntr_current_0++) { >+ for (cntr_current_0 = 0; cntr_current_0 < size_current_0; cntr_current_0++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_current)); > if (_ptr_current) { > NDR_PULL_ALLOC(ndr, r->current[cntr_current_0]); >@@ -3042,9 +3092,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_trustCurrentPasswords(struct ndr_pull *ndr, > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_current_0 = r->count; > _mem_save_current_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->current, 0); >- for (cntr_current_0 = 0; cntr_current_0 < r->count; cntr_current_0++) { >+ for (cntr_current_0 = 0; cntr_current_0 < size_current_0; cntr_current_0++) { > if (r->current[cntr_current_0]) { > uint32_t _relative_save_offset; > _relative_save_offset = ndr->offset; >@@ -3183,6 +3234,7 @@ static enum ndr_err_code ndr_push_ExtendedErrorAString(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_ExtendedErrorAString(struct ndr_pull *ndr, int ndr_flags, struct ExtendedErrorAString *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3200,7 +3252,8 @@ static enum ndr_err_code ndr_pull_ExtendedErrorAString(struct ndr_pull *ndr, int > _mem_save_string_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_size(ndr, &r->string), sizeof(uint8_t), CH_DOS)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, size_string_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -3244,6 +3297,7 @@ static enum ndr_err_code ndr_push_ExtendedErrorUString(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_ExtendedErrorUString(struct ndr_pull *ndr, int ndr_flags, struct ExtendedErrorUString *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3261,7 +3315,8 @@ static enum ndr_err_code ndr_pull_ExtendedErrorUString(struct ndr_pull *ndr, int > _mem_save_string_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_size(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, size_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -3305,6 +3360,7 @@ static enum ndr_err_code ndr_push_ExtendedErrorBlob(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_ExtendedErrorBlob(struct ndr_pull *ndr, int ndr_flags, struct ExtendedErrorBlob *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3322,8 +3378,9 @@ static enum ndr_err_code ndr_pull_ExtendedErrorBlob(struct ndr_pull *ndr, int nd > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -3796,6 +3853,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_ExtendedErrorInfo(struct ndr_pull *ndr, int > { > uint32_t _ptr_next; > TALLOC_CTX *_mem_save_next_0; >+ uint32_t size_params_0 = 0; > uint32_t cntr_params_0; > TALLOC_CTX *_mem_save_params_0; > if (ndr_flags & NDR_SCALARS) { >@@ -3815,10 +3873,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_ExtendedErrorInfo(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->detection_location)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->flags)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_params)); >- NDR_PULL_ALLOC_N(ndr, r->params, ndr_get_array_size(ndr, &r->params)); >+ size_params_0 = ndr_get_array_size(ndr, &r->params); >+ NDR_PULL_ALLOC_N(ndr, r->params, size_params_0); > _mem_save_params_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->params, 0); >- for (cntr_params_0 = 0; cntr_params_0 < r->num_params; cntr_params_0++) { >+ for (cntr_params_0 = 0; cntr_params_0 < size_params_0; cntr_params_0++) { > NDR_CHECK(ndr_pull_ExtendedErrorParam(ndr, NDR_SCALARS, &r->params[cntr_params_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_params_0, 0); >@@ -3835,9 +3894,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_ExtendedErrorInfo(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_next_0, 0); > } > NDR_CHECK(ndr_pull_ExtendedErrorComputerName(ndr, NDR_BUFFERS, &r->computer_name)); >+ size_params_0 = ndr_get_array_size(ndr, &r->params); > _mem_save_params_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->params, 0); >- for (cntr_params_0 = 0; cntr_params_0 < r->num_params; cntr_params_0++) { >+ for (cntr_params_0 = 0; cntr_params_0 < size_params_0; cntr_params_0++) { > NDR_CHECK(ndr_pull_ExtendedErrorParam(ndr, NDR_BUFFERS, &r->params[cntr_params_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_params_0, 0); >diff --git a/librpc/gen_ndr/ndr_drsuapi.c b/librpc/gen_ndr/ndr_drsuapi.c >index 6777acc..ea0abbd 100644 >--- a/librpc/gen_ndr/ndr_drsuapi.c >+++ b/librpc/gen_ndr/ndr_drsuapi.c >@@ -468,6 +468,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaObjectIdentifier(struct ndr > > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjectIdentifier *r) > { >+ uint32_t size_dn_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->dn)); > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -476,7 +477,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier(struct ndr > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); > NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_SCALARS, &r->sid)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_dn)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, ndr_get_array_size(ndr, &r->dn), sizeof(uint16_t), CH_UTF16)); >+ size_dn_0 = ndr_get_array_size(ndr, &r->dn); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, size_dn_0, sizeof(uint16_t), CH_UTF16)); > if (r->dn) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->dn, r->__ndr_size_dn + 1)); > } >@@ -826,6 +828,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursorCtrEx(struct ndr_push * > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtrEx(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursorCtrEx *r) > { >+ uint32_t size_cursors_0 = 0; > uint32_t cntr_cursors_0; > TALLOC_CTX *_mem_save_cursors_0; > if (ndr_flags & NDR_SCALARS) { >@@ -838,10 +841,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtrEx(struct ndr_pull * > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved2)); >- NDR_PULL_ALLOC_N(ndr, r->cursors, ndr_get_array_size(ndr, &r->cursors)); >+ size_cursors_0 = ndr_get_array_size(ndr, &r->cursors); >+ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); > _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); >- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { >+ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); >@@ -1193,6 +1197,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaOIDMapping_Ctr(struct ndr_p > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaOIDMapping_Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOIDMapping_Ctr *r) > { > uint32_t _ptr_mappings; >+ uint32_t size_mappings_1 = 0; > uint32_t cntr_mappings_1; > TALLOC_CTX *_mem_save_mappings_0; > TALLOC_CTX *_mem_save_mappings_1; >@@ -1215,13 +1220,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaOIDMapping_Ctr(struct ndr_p > _mem_save_mappings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->mappings, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->mappings)); >- NDR_PULL_ALLOC_N(ndr, r->mappings, ndr_get_array_size(ndr, &r->mappings)); >+ size_mappings_1 = ndr_get_array_size(ndr, &r->mappings); >+ NDR_PULL_ALLOC_N(ndr, r->mappings, size_mappings_1); > _mem_save_mappings_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->mappings, 0); >- for (cntr_mappings_1 = 0; cntr_mappings_1 < r->num_mappings; cntr_mappings_1++) { >+ for (cntr_mappings_1 = 0; cntr_mappings_1 < size_mappings_1; cntr_mappings_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaOIDMapping(ndr, NDR_SCALARS, &r->mappings[cntr_mappings_1])); > } >- for (cntr_mappings_1 = 0; cntr_mappings_1 < r->num_mappings; cntr_mappings_1++) { >+ for (cntr_mappings_1 = 0; cntr_mappings_1 < size_mappings_1; cntr_mappings_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaOIDMapping(ndr, NDR_BUFFERS, &r->mappings[cntr_mappings_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_mappings_1, 0); >@@ -1386,6 +1392,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsPartialAttributeSet(struct ndr_push > > static enum ndr_err_code ndr_pull_drsuapi_DsPartialAttributeSet(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsPartialAttributeSet *r) > { >+ uint32_t size_attids_0 = 0; > uint32_t cntr_attids_0; > TALLOC_CTX *_mem_save_attids_0; > if (ndr_flags & NDR_SCALARS) { >@@ -1397,10 +1404,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsPartialAttributeSet(struct ndr_pull > if (r->num_attids < 1 || r->num_attids > 0x100000) { > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_PULL_ALLOC_N(ndr, r->attids, ndr_get_array_size(ndr, &r->attids)); >+ size_attids_0 = ndr_get_array_size(ndr, &r->attids); >+ NDR_PULL_ALLOC_N(ndr, r->attids, size_attids_0); > _mem_save_attids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attids, 0); >- for (cntr_attids_0 = 0; cntr_attids_0 < r->num_attids; cntr_attids_0++) { >+ for (cntr_attids_0 = 0; cntr_attids_0 < size_attids_0; cntr_attids_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsAttributeId(ndr, NDR_SCALARS, &r->attids[cntr_attids_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attids_0, 0); >@@ -1917,6 +1925,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursor2CtrEx(struct ndr_push > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2CtrEx(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor2CtrEx *r) > { >+ uint32_t size_cursors_0 = 0; > uint32_t cntr_cursors_0; > TALLOC_CTX *_mem_save_cursors_0; > if (ndr_flags & NDR_SCALARS) { >@@ -1929,10 +1938,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2CtrEx(struct ndr_pull > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved2)); >- NDR_PULL_ALLOC_N(ndr, r->cursors, ndr_get_array_size(ndr, &r->cursors)); >+ size_cursors_0 = ndr_get_array_size(ndr, &r->cursors); >+ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); > _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); >- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { >+ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor2(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); >@@ -2053,6 +2063,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsAttributeValueCtr(struct ndr_push *n > static enum ndr_err_code ndr_pull_drsuapi_DsAttributeValueCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsAttributeValueCtr *r) > { > uint32_t _ptr_values; >+ uint32_t size_values_1 = 0; > uint32_t cntr_values_1; > TALLOC_CTX *_mem_save_values_0; > TALLOC_CTX *_mem_save_values_1; >@@ -2075,13 +2086,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAttributeValueCtr(struct ndr_pull *n > _mem_save_values_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->values, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->values)); >- NDR_PULL_ALLOC_N(ndr, r->values, ndr_get_array_size(ndr, &r->values)); >+ size_values_1 = ndr_get_array_size(ndr, &r->values); >+ NDR_PULL_ALLOC_N(ndr, r->values, size_values_1); > _mem_save_values_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->values, 0); >- for (cntr_values_1 = 0; cntr_values_1 < r->num_values; cntr_values_1++) { >+ for (cntr_values_1 = 0; cntr_values_1 < size_values_1; cntr_values_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsAttributeValue(ndr, NDR_SCALARS, &r->values[cntr_values_1])); > } >- for (cntr_values_1 = 0; cntr_values_1 < r->num_values; cntr_values_1++) { >+ for (cntr_values_1 = 0; cntr_values_1 < size_values_1; cntr_values_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsAttributeValue(ndr, NDR_BUFFERS, &r->values[cntr_values_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_values_1, 0); >@@ -2138,6 +2150,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaObjectIdentifier3(struct nd > > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjectIdentifier3 *r) > { >+ uint32_t size_dn_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size)); >@@ -2145,7 +2158,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3(struct nd > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); > NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_SCALARS, &r->sid)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_dn)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, r->__ndr_size_dn + 1, sizeof(uint16_t), CH_UTF16)); >+ size_dn_0 = r->__ndr_size_dn + 1; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, size_dn_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -2199,6 +2213,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaObjectIdentifier3Binary(str > > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3Binary(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjectIdentifier3Binary *r) > { >+ uint32_t size_dn_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size)); >@@ -2206,7 +2221,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3Binary(str > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); > NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_SCALARS, &r->sid)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_dn)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, r->__ndr_size_dn + 1, sizeof(uint16_t), CH_UTF16)); >+ size_dn_0 = r->__ndr_size_dn + 1; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, size_dn_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_binary)); > { > uint32_t _flags_save_DATA_BLOB = ndr->flags; >@@ -2300,6 +2316,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttributeCtr(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttributeCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttributeCtr *r) > { > uint32_t _ptr_attributes; >+ uint32_t size_attributes_1 = 0; > uint32_t cntr_attributes_1; > TALLOC_CTX *_mem_save_attributes_0; > TALLOC_CTX *_mem_save_attributes_1; >@@ -2322,13 +2339,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttributeCtr(struct ndr_pull > _mem_save_attributes_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attributes, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attributes)); >- NDR_PULL_ALLOC_N(ndr, r->attributes, ndr_get_array_size(ndr, &r->attributes)); >+ size_attributes_1 = ndr_get_array_size(ndr, &r->attributes); >+ NDR_PULL_ALLOC_N(ndr, r->attributes, size_attributes_1); > _mem_save_attributes_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attributes, 0); >- for (cntr_attributes_1 = 0; cntr_attributes_1 < r->num_attributes; cntr_attributes_1++) { >+ for (cntr_attributes_1 = 0; cntr_attributes_1 < size_attributes_1; cntr_attributes_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttribute(ndr, NDR_SCALARS, &r->attributes[cntr_attributes_1])); > } >- for (cntr_attributes_1 = 0; cntr_attributes_1 < r->num_attributes; cntr_attributes_1++) { >+ for (cntr_attributes_1 = 0; cntr_attributes_1 < size_attributes_1; cntr_attributes_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttribute(ndr, NDR_BUFFERS, &r->attributes[cntr_attributes_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attributes_1, 0); >@@ -2510,6 +2528,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaMetaDataCtr(struct ndr_push > > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaMetaDataCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaMetaDataCtr *r) > { >+ uint32_t size_meta_data_0 = 0; > uint32_t cntr_meta_data_0; > TALLOC_CTX *_mem_save_meta_data_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2519,10 +2538,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaMetaDataCtr(struct ndr_pull > if (r->count > 1048576) { > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_PULL_ALLOC_N(ndr, r->meta_data, ndr_get_array_size(ndr, &r->meta_data)); >+ size_meta_data_0 = ndr_get_array_size(ndr, &r->meta_data); >+ NDR_PULL_ALLOC_N(ndr, r->meta_data, size_meta_data_0); > _mem_save_meta_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->meta_data, 0); >- for (cntr_meta_data_0 = 0; cntr_meta_data_0 < r->count; cntr_meta_data_0++) { >+ for (cntr_meta_data_0 = 0; cntr_meta_data_0 < size_meta_data_0; cntr_meta_data_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaMetaData(ndr, NDR_SCALARS, &r->meta_data[cntr_meta_data_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_meta_data_0, 0); >@@ -2921,6 +2941,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsGetNCChangesCtr6(struct ndr_pull * > uint32_t _ptr_first_object; > TALLOC_CTX *_mem_save_first_object_0; > uint32_t _ptr_linked_attributes; >+ uint32_t size_linked_attributes_1 = 0; > uint32_t cntr_linked_attributes_1; > TALLOC_CTX *_mem_save_linked_attributes_0; > TALLOC_CTX *_mem_save_linked_attributes_1; >@@ -2992,13 +3013,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsGetNCChangesCtr6(struct ndr_pull * > _mem_save_linked_attributes_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->linked_attributes, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->linked_attributes)); >- NDR_PULL_ALLOC_N(ndr, r->linked_attributes, ndr_get_array_size(ndr, &r->linked_attributes)); >+ size_linked_attributes_1 = ndr_get_array_size(ndr, &r->linked_attributes); >+ NDR_PULL_ALLOC_N(ndr, r->linked_attributes, size_linked_attributes_1); > _mem_save_linked_attributes_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->linked_attributes, 0); >- for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < r->linked_attributes_count; cntr_linked_attributes_1++) { >+ for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < size_linked_attributes_1; cntr_linked_attributes_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaLinkedAttribute(ndr, NDR_SCALARS, &r->linked_attributes[cntr_linked_attributes_1])); > } >- for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < r->linked_attributes_count; cntr_linked_attributes_1++) { >+ for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < size_linked_attributes_1; cntr_linked_attributes_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaLinkedAttribute(ndr, NDR_BUFFERS, &r->linked_attributes[cntr_linked_attributes_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_linked_attributes_1, 0); >@@ -3810,6 +3832,8 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaUpdateRefsRequest1(struct ndr > uint32_t _ptr_naming_context; > TALLOC_CTX *_mem_save_naming_context_0; > uint32_t _ptr_dest_dsa_dns_name; >+ uint32_t size_dest_dsa_dns_name_1 = 0; >+ uint32_t length_dest_dsa_dns_name_1 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_ref_ptr(ndr, &_ptr_naming_context)); >@@ -3835,11 +3859,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaUpdateRefsRequest1(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_naming_context_0, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dest_dsa_dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dest_dsa_dns_name)); >- if (ndr_get_array_length(ndr, &r->dest_dsa_dns_name) > ndr_get_array_size(ndr, &r->dest_dsa_dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dest_dsa_dns_name), ndr_get_array_length(ndr, &r->dest_dsa_dns_name)); >+ size_dest_dsa_dns_name_1 = ndr_get_array_size(ndr, &r->dest_dsa_dns_name); >+ length_dest_dsa_dns_name_1 = ndr_get_array_length(ndr, &r->dest_dsa_dns_name); >+ if (length_dest_dsa_dns_name_1 > size_dest_dsa_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dest_dsa_dns_name_1, length_dest_dsa_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dest_dsa_dns_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dest_dsa_dns_name, ndr_get_array_length(ndr, &r->dest_dsa_dns_name), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dest_dsa_dns_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dest_dsa_dns_name, length_dest_dsa_dns_name_1, sizeof(uint8_t), CH_DOS)); > } > return NDR_ERR_SUCCESS; > } >@@ -3991,7 +4017,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAddRequest1(struct ndr_pull * > uint32_t _ptr_naming_context; > TALLOC_CTX *_mem_save_naming_context_0; > uint32_t _ptr_source_dsa_address; >+ uint32_t size_source_dsa_address_1 = 0; >+ uint32_t length_source_dsa_address_1 = 0; > TALLOC_CTX *_mem_save_source_dsa_address_0; >+ uint32_t size_schedule_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_ref_ptr(ndr, &_ptr_naming_context)); >@@ -4006,7 +4035,8 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAddRequest1(struct ndr_pull * > } else { > r->source_dsa_address = NULL; > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); >+ size_schedule_0 = 84; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAddOptions(ndr, NDR_SCALARS, &r->options)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } >@@ -4020,11 +4050,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAddRequest1(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_address)); >- if (ndr_get_array_length(ndr, &r->source_dsa_address) > ndr_get_array_size(ndr, &r->source_dsa_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_address), ndr_get_array_length(ndr, &r->source_dsa_address)); >+ size_source_dsa_address_1 = ndr_get_array_size(ndr, &r->source_dsa_address); >+ length_source_dsa_address_1 = ndr_get_array_length(ndr, &r->source_dsa_address); >+ if (length_source_dsa_address_1 > size_source_dsa_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_address_1, length_source_dsa_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, length_source_dsa_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_address_0, 0); > } > } >@@ -4092,7 +4124,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAddRequest2(struct ndr_pull * > uint32_t _ptr_transport_dn; > TALLOC_CTX *_mem_save_transport_dn_0; > uint32_t _ptr_source_dsa_address; >+ uint32_t size_source_dsa_address_1 = 0; >+ uint32_t length_source_dsa_address_1 = 0; > TALLOC_CTX *_mem_save_source_dsa_address_0; >+ uint32_t size_schedule_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_ref_ptr(ndr, &_ptr_naming_context)); >@@ -4119,7 +4154,8 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAddRequest2(struct ndr_pull * > } else { > r->source_dsa_address = NULL; > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); >+ size_schedule_0 = 84; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAddOptions(ndr, NDR_SCALARS, &r->options)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } >@@ -4145,11 +4181,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAddRequest2(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_address)); >- if (ndr_get_array_length(ndr, &r->source_dsa_address) > ndr_get_array_size(ndr, &r->source_dsa_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_address), ndr_get_array_length(ndr, &r->source_dsa_address)); >+ size_source_dsa_address_1 = ndr_get_array_size(ndr, &r->source_dsa_address); >+ length_source_dsa_address_1 = ndr_get_array_length(ndr, &r->source_dsa_address); >+ if (length_source_dsa_address_1 > size_source_dsa_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_address_1, length_source_dsa_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, length_source_dsa_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_address_0, 0); > } > } >@@ -4336,6 +4374,8 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaDelRequest1(struct ndr_pull * > uint32_t _ptr_naming_context; > TALLOC_CTX *_mem_save_naming_context_0; > uint32_t _ptr_source_dsa_address; >+ uint32_t size_source_dsa_address_1 = 0; >+ uint32_t length_source_dsa_address_1 = 0; > TALLOC_CTX *_mem_save_source_dsa_address_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4364,11 +4404,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaDelRequest1(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_address)); >- if (ndr_get_array_length(ndr, &r->source_dsa_address) > ndr_get_array_size(ndr, &r->source_dsa_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_address), ndr_get_array_length(ndr, &r->source_dsa_address)); >+ size_source_dsa_address_1 = ndr_get_array_size(ndr, &r->source_dsa_address); >+ length_source_dsa_address_1 = ndr_get_array_length(ndr, &r->source_dsa_address); >+ if (length_source_dsa_address_1 > size_source_dsa_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_address_1, length_source_dsa_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, length_source_dsa_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_address_0, 0); > } > } >@@ -4526,7 +4568,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaModRequest1(struct ndr_pull * > uint32_t _ptr_naming_context; > TALLOC_CTX *_mem_save_naming_context_0; > uint32_t _ptr_source_dra_address; >+ uint32_t size_source_dra_address_1 = 0; >+ uint32_t length_source_dra_address_1 = 0; > TALLOC_CTX *_mem_save_source_dra_address_0; >+ uint32_t size_schedule_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_ref_ptr(ndr, &_ptr_naming_context)); >@@ -4542,7 +4587,8 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaModRequest1(struct ndr_pull * > } else { > r->source_dra_address = NULL; > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); >+ size_schedule_0 = 84; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->replica_flags)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->modify_fields)); > NDR_CHECK(ndr_pull_drsuapi_DsReplicaModifyOptions(ndr, NDR_SCALARS, &r->options)); >@@ -4558,11 +4604,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaModRequest1(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->source_dra_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dra_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dra_address)); >- if (ndr_get_array_length(ndr, &r->source_dra_address) > ndr_get_array_size(ndr, &r->source_dra_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dra_address), ndr_get_array_length(ndr, &r->source_dra_address)); >+ size_source_dra_address_1 = ndr_get_array_size(ndr, &r->source_dra_address); >+ length_source_dra_address_1 = ndr_get_array_length(ndr, &r->source_dra_address); >+ if (length_source_dra_address_1 > size_source_dra_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dra_address_1, length_source_dra_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dra_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dra_address, ndr_get_array_length(ndr, &r->source_dra_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dra_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dra_address, length_source_dra_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dra_address_0, 0); > } > } >@@ -4749,15 +4797,18 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetMembershipsCtr1(struct ndr_push * > static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetMembershipsCtr1 *r) > { > uint32_t _ptr_info_array; >+ uint32_t size_info_array_1 = 0; > uint32_t cntr_info_array_1; > TALLOC_CTX *_mem_save_info_array_0; > TALLOC_CTX *_mem_save_info_array_1; > TALLOC_CTX *_mem_save_info_array_2; > uint32_t _ptr_group_attrs; >+ uint32_t size_group_attrs_1 = 0; > uint32_t cntr_group_attrs_1; > TALLOC_CTX *_mem_save_group_attrs_0; > TALLOC_CTX *_mem_save_group_attrs_1; > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -4798,10 +4849,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > _mem_save_info_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->info_array)); >- NDR_PULL_ALLOC_N(ndr, r->info_array, ndr_get_array_size(ndr, &r->info_array)); >+ size_info_array_1 = ndr_get_array_size(ndr, &r->info_array); >+ NDR_PULL_ALLOC_N(ndr, r->info_array, size_info_array_1); > _mem_save_info_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); >- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->num_memberships; cntr_info_array_1++) { >+ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info_array)); > if (_ptr_info_array) { > NDR_PULL_ALLOC(ndr, r->info_array[cntr_info_array_1]); >@@ -4809,7 +4861,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > r->info_array[cntr_info_array_1] = NULL; > } > } >- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->num_memberships; cntr_info_array_1++) { >+ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { > if (r->info_array[cntr_info_array_1]) { > _mem_save_info_array_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array[cntr_info_array_1], 0); >@@ -4824,10 +4876,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > _mem_save_group_attrs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->group_attrs, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->group_attrs)); >- NDR_PULL_ALLOC_N(ndr, r->group_attrs, ndr_get_array_size(ndr, &r->group_attrs)); >+ size_group_attrs_1 = ndr_get_array_size(ndr, &r->group_attrs); >+ NDR_PULL_ALLOC_N(ndr, r->group_attrs, size_group_attrs_1); > _mem_save_group_attrs_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->group_attrs, 0); >- for (cntr_group_attrs_1 = 0; cntr_group_attrs_1 < r->num_memberships; cntr_group_attrs_1++) { >+ for (cntr_group_attrs_1 = 0; cntr_group_attrs_1 < size_group_attrs_1; cntr_group_attrs_1++) { > NDR_CHECK(ndr_pull_samr_GroupAttrs(ndr, NDR_SCALARS, &r->group_attrs[cntr_group_attrs_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_attrs_1, 0); >@@ -4837,10 +4890,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sids)); > if (_ptr_sids) { > NDR_PULL_ALLOC(ndr, r->sids[cntr_sids_1]); >@@ -4848,7 +4902,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > r->sids[cntr_sids_1] = NULL; > } > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > if (r->sids[cntr_sids_1]) { > _mem_save_sids_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids[cntr_sids_1], 0); >@@ -5051,6 +5105,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetMembershipsRequest1(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetMembershipsRequest1 *r) > { > uint32_t _ptr_info_array; >+ uint32_t size_info_array_1 = 0; > uint32_t cntr_info_array_1; > TALLOC_CTX *_mem_save_info_array_0; > TALLOC_CTX *_mem_save_info_array_1; >@@ -5084,10 +5139,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsRequest1(struct ndr_pu > _mem_save_info_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->info_array)); >- NDR_PULL_ALLOC_N(ndr, r->info_array, ndr_get_array_size(ndr, &r->info_array)); >+ size_info_array_1 = ndr_get_array_size(ndr, &r->info_array); >+ NDR_PULL_ALLOC_N(ndr, r->info_array, size_info_array_1); > _mem_save_info_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); >- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->count; cntr_info_array_1++) { >+ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info_array)); > if (_ptr_info_array) { > NDR_PULL_ALLOC(ndr, r->info_array[cntr_info_array_1]); >@@ -5095,7 +5151,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsRequest1(struct ndr_pu > r->info_array[cntr_info_array_1] = NULL; > } > } >- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->count; cntr_info_array_1++) { >+ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { > if (r->info_array[cntr_info_array_1]) { > _mem_save_info_array_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array[cntr_info_array_1], 0); >@@ -5255,6 +5311,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetNT4ChangeLogRequest1(struct ndr_p > static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetNT4ChangeLogRequest1 *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5277,8 +5334,9 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogRequest1(struct ndr_p > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -5414,8 +5472,10 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetNT4ChangeLogInfo1(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogInfo1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetNT4ChangeLogInfo1 *r) > { > uint32_t _ptr_data1; >+ uint32_t size_data1_1 = 0; > TALLOC_CTX *_mem_save_data1_0; > uint32_t _ptr_data2; >+ uint32_t size_data2_1 = 0; > TALLOC_CTX *_mem_save_data2_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -5453,16 +5513,18 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogInfo1(struct ndr_pull > _mem_save_data1_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data1)); >- NDR_PULL_ALLOC_N(ndr, r->data1, ndr_get_array_size(ndr, &r->data1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data1, ndr_get_array_size(ndr, &r->data1))); >+ size_data1_1 = ndr_get_array_size(ndr, &r->data1); >+ NDR_PULL_ALLOC_N(ndr, r->data1, size_data1_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data1, size_data1_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data1_0, 0); > } > if (r->data2) { > _mem_save_data2_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data2)); >- NDR_PULL_ALLOC_N(ndr, r->data2, ndr_get_array_size(ndr, &r->data2)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data2, ndr_get_array_size(ndr, &r->data2))); >+ size_data2_1 = ndr_get_array_size(ndr, &r->data2); >+ NDR_PULL_ALLOC_N(ndr, r->data2, size_data2_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data2, size_data2_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data2_0, 0); > } > if (r->data1) { >@@ -5694,6 +5756,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsNameString(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsNameString(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameString *r) > { > uint32_t _ptr_str; >+ uint32_t size_str_1 = 0; >+ uint32_t length_str_1 = 0; > TALLOC_CTX *_mem_save_str_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5711,11 +5775,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameString(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->str, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->str)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->str)); >- if (ndr_get_array_length(ndr, &r->str) > ndr_get_array_size(ndr, &r->str)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->str), ndr_get_array_length(ndr, &r->str)); >+ size_str_1 = ndr_get_array_size(ndr, &r->str); >+ length_str_1 = ndr_get_array_length(ndr, &r->str); >+ if (length_str_1 > size_str_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_str_1, length_str_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->str), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str, ndr_get_array_length(ndr, &r->str), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_str_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str, length_str_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_str_0, 0); > } > } >@@ -5766,6 +5832,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsNameRequest1(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_drsuapi_DsNameRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameRequest1 *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -5793,13 +5860,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameRequest1(struct ndr_pull *ndr, i > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -5947,8 +6015,12 @@ static enum ndr_err_code ndr_push_drsuapi_DsNameInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsNameInfo1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameInfo1 *r) > { > uint32_t _ptr_dns_domain_name; >+ uint32_t size_dns_domain_name_1 = 0; >+ uint32_t length_dns_domain_name_1 = 0; > TALLOC_CTX *_mem_save_dns_domain_name_0; > uint32_t _ptr_result_name; >+ uint32_t size_result_name_1 = 0; >+ uint32_t length_result_name_1 = 0; > TALLOC_CTX *_mem_save_result_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5973,11 +6045,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->dns_domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_domain_name)); >- if (ndr_get_array_length(ndr, &r->dns_domain_name) > ndr_get_array_size(ndr, &r->dns_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_domain_name), ndr_get_array_length(ndr, &r->dns_domain_name)); >+ size_dns_domain_name_1 = ndr_get_array_size(ndr, &r->dns_domain_name); >+ length_dns_domain_name_1 = ndr_get_array_length(ndr, &r->dns_domain_name); >+ if (length_dns_domain_name_1 > size_dns_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_domain_name_1, length_dns_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain_name, ndr_get_array_length(ndr, &r->dns_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain_name, length_dns_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_domain_name_0, 0); > } > if (r->result_name) { >@@ -5985,11 +6059,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->result_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->result_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->result_name)); >- if (ndr_get_array_length(ndr, &r->result_name) > ndr_get_array_size(ndr, &r->result_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->result_name), ndr_get_array_length(ndr, &r->result_name)); >+ size_result_name_1 = ndr_get_array_size(ndr, &r->result_name); >+ length_result_name_1 = ndr_get_array_length(ndr, &r->result_name); >+ if (length_result_name_1 > size_result_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_result_name_1, length_result_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->result_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->result_name, ndr_get_array_length(ndr, &r->result_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_result_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->result_name, length_result_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_result_name_0, 0); > } > } >@@ -6042,6 +6118,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsNameCtr1(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_drsuapi_DsNameCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -6061,13 +6138,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameCtr1(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -6140,6 +6218,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameCtr(struct ndr_pull *ndr, int nd > int level; > int32_t _level; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &_level)); >@@ -6149,7 +6228,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameCtr(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -6261,8 +6339,11 @@ static enum ndr_err_code ndr_push_drsuapi_DsWriteAccountSpnRequest1(struct ndr_p > static enum ndr_err_code ndr_pull_drsuapi_DsWriteAccountSpnRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsWriteAccountSpnRequest1 *r) > { > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > uint32_t _ptr_spn_names; >+ uint32_t size_spn_names_1 = 0; > uint32_t cntr_spn_names_1; > TALLOC_CTX *_mem_save_spn_names_0; > TALLOC_CTX *_mem_save_spn_names_1; >@@ -6294,24 +6375,27 @@ static enum ndr_err_code ndr_pull_drsuapi_DsWriteAccountSpnRequest1(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > if (r->spn_names) { > _mem_save_spn_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->spn_names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->spn_names)); >- NDR_PULL_ALLOC_N(ndr, r->spn_names, ndr_get_array_size(ndr, &r->spn_names)); >+ size_spn_names_1 = ndr_get_array_size(ndr, &r->spn_names); >+ NDR_PULL_ALLOC_N(ndr, r->spn_names, size_spn_names_1); > _mem_save_spn_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->spn_names, 0); >- for (cntr_spn_names_1 = 0; cntr_spn_names_1 < r->count; cntr_spn_names_1++) { >+ for (cntr_spn_names_1 = 0; cntr_spn_names_1 < size_spn_names_1; cntr_spn_names_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_SCALARS, &r->spn_names[cntr_spn_names_1])); > } >- for (cntr_spn_names_1 = 0; cntr_spn_names_1 < r->count; cntr_spn_names_1++) { >+ for (cntr_spn_names_1 = 0; cntr_spn_names_1 < size_spn_names_1; cntr_spn_names_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_BUFFERS, &r->spn_names[cntr_spn_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_spn_names_1, 0); >@@ -6569,8 +6653,12 @@ static enum ndr_err_code ndr_push_drsuapi_DsRemoveDSServerRequest1(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsRemoveDSServerRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsRemoveDSServerRequest1 *r) > { > uint32_t _ptr_server_dn; >+ uint32_t size_server_dn_1 = 0; >+ uint32_t length_server_dn_1 = 0; > TALLOC_CTX *_mem_save_server_dn_0; > uint32_t _ptr_domain_dn; >+ uint32_t size_domain_dn_1 = 0; >+ uint32_t length_domain_dn_1 = 0; > TALLOC_CTX *_mem_save_domain_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6595,11 +6683,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsRemoveDSServerRequest1(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); >- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); >+ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); >+ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); >+ if (length_server_dn_1 > size_server_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); > } > if (r->domain_dn) { >@@ -6607,11 +6697,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsRemoveDSServerRequest1(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->domain_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_dn)); >- if (ndr_get_array_length(ndr, &r->domain_dn) > ndr_get_array_size(ndr, &r->domain_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_dn), ndr_get_array_length(ndr, &r->domain_dn)); >+ size_domain_dn_1 = ndr_get_array_size(ndr, &r->domain_dn); >+ length_domain_dn_1 = ndr_get_array_length(ndr, &r->domain_dn); >+ if (length_domain_dn_1 > size_domain_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_dn_1, length_domain_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_dn, ndr_get_array_length(ndr, &r->domain_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_dn, length_domain_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_dn_0, 0); > } > } >@@ -6844,6 +6936,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfoRequest1(struct ndr_push *n > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoRequest1 *r) > { > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_domain_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6862,11 +6956,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoRequest1(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); >- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > } >@@ -7015,14 +7111,24 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfo1 *r) > { > uint32_t _ptr_netbios_name; >+ uint32_t size_netbios_name_1 = 0; >+ uint32_t length_netbios_name_1 = 0; > TALLOC_CTX *_mem_save_netbios_name_0; > uint32_t _ptr_dns_name; >+ uint32_t size_dns_name_1 = 0; >+ uint32_t length_dns_name_1 = 0; > TALLOC_CTX *_mem_save_dns_name_0; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > TALLOC_CTX *_mem_save_site_name_0; > uint32_t _ptr_computer_dn; >+ uint32_t size_computer_dn_1 = 0; >+ uint32_t length_computer_dn_1 = 0; > TALLOC_CTX *_mem_save_computer_dn_0; > uint32_t _ptr_server_dn; >+ uint32_t size_server_dn_1 = 0; >+ uint32_t length_server_dn_1 = 0; > TALLOC_CTX *_mem_save_server_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7066,11 +7172,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); >- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); >+ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); >+ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); >+ if (length_netbios_name_1 > size_netbios_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); > } > if (r->dns_name) { >@@ -7078,11 +7186,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); >- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); >+ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); >+ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); >+ if (length_dns_name_1 > size_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); > } > if (r->site_name) { >@@ -7090,11 +7200,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_name)); >- if (ndr_get_array_length(ndr, &r->site_name) > ndr_get_array_size(ndr, &r->site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_name), ndr_get_array_length(ndr, &r->site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > if (r->computer_dn) { >@@ -7102,11 +7214,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->computer_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_dn)); >- if (ndr_get_array_length(ndr, &r->computer_dn) > ndr_get_array_size(ndr, &r->computer_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_dn), ndr_get_array_length(ndr, &r->computer_dn)); >+ size_computer_dn_1 = ndr_get_array_size(ndr, &r->computer_dn); >+ length_computer_dn_1 = ndr_get_array_length(ndr, &r->computer_dn); >+ if (length_computer_dn_1 > size_computer_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_dn_1, length_computer_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, length_computer_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_dn_0, 0); > } > if (r->server_dn) { >@@ -7114,11 +7228,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); >- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); >+ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); >+ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); >+ if (length_server_dn_1 > size_server_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); > } > } >@@ -7190,6 +7306,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfoCtr1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -7212,13 +7329,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr1(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -7325,18 +7443,32 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfo2 *r) > { > uint32_t _ptr_netbios_name; >+ uint32_t size_netbios_name_1 = 0; >+ uint32_t length_netbios_name_1 = 0; > TALLOC_CTX *_mem_save_netbios_name_0; > uint32_t _ptr_dns_name; >+ uint32_t size_dns_name_1 = 0; >+ uint32_t length_dns_name_1 = 0; > TALLOC_CTX *_mem_save_dns_name_0; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > TALLOC_CTX *_mem_save_site_name_0; > uint32_t _ptr_site_dn; >+ uint32_t size_site_dn_1 = 0; >+ uint32_t length_site_dn_1 = 0; > TALLOC_CTX *_mem_save_site_dn_0; > uint32_t _ptr_computer_dn; >+ uint32_t size_computer_dn_1 = 0; >+ uint32_t length_computer_dn_1 = 0; > TALLOC_CTX *_mem_save_computer_dn_0; > uint32_t _ptr_server_dn; >+ uint32_t size_server_dn_1 = 0; >+ uint32_t length_server_dn_1 = 0; > TALLOC_CTX *_mem_save_server_dn_0; > uint32_t _ptr_ntds_dn; >+ uint32_t size_ntds_dn_1 = 0; >+ uint32_t length_ntds_dn_1 = 0; > TALLOC_CTX *_mem_save_ntds_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7397,11 +7529,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); >- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); >+ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); >+ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); >+ if (length_netbios_name_1 > size_netbios_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); > } > if (r->dns_name) { >@@ -7409,11 +7543,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); >- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); >+ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); >+ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); >+ if (length_dns_name_1 > size_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); > } > if (r->site_name) { >@@ -7421,11 +7557,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_name)); >- if (ndr_get_array_length(ndr, &r->site_name) > ndr_get_array_size(ndr, &r->site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_name), ndr_get_array_length(ndr, &r->site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > if (r->site_dn) { >@@ -7433,11 +7571,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_dn)); >- if (ndr_get_array_length(ndr, &r->site_dn) > ndr_get_array_size(ndr, &r->site_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_dn), ndr_get_array_length(ndr, &r->site_dn)); >+ size_site_dn_1 = ndr_get_array_size(ndr, &r->site_dn); >+ length_site_dn_1 = ndr_get_array_length(ndr, &r->site_dn); >+ if (length_site_dn_1 > size_site_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_dn_1, length_site_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, length_site_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_dn_0, 0); > } > if (r->computer_dn) { >@@ -7445,11 +7585,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->computer_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_dn)); >- if (ndr_get_array_length(ndr, &r->computer_dn) > ndr_get_array_size(ndr, &r->computer_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_dn), ndr_get_array_length(ndr, &r->computer_dn)); >+ size_computer_dn_1 = ndr_get_array_size(ndr, &r->computer_dn); >+ length_computer_dn_1 = ndr_get_array_length(ndr, &r->computer_dn); >+ if (length_computer_dn_1 > size_computer_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_dn_1, length_computer_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, length_computer_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_dn_0, 0); > } > if (r->server_dn) { >@@ -7457,11 +7599,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); >- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); >+ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); >+ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); >+ if (length_server_dn_1 > size_server_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); > } > if (r->ntds_dn) { >@@ -7469,11 +7613,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->ntds_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->ntds_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->ntds_dn)); >- if (ndr_get_array_length(ndr, &r->ntds_dn) > ndr_get_array_size(ndr, &r->ntds_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->ntds_dn), ndr_get_array_length(ndr, &r->ntds_dn)); >+ size_ntds_dn_1 = ndr_get_array_size(ndr, &r->ntds_dn); >+ length_ntds_dn_1 = ndr_get_array_length(ndr, &r->ntds_dn); >+ if (length_ntds_dn_1 > size_ntds_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ntds_dn_1, length_ntds_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ntds_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, length_ntds_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ntds_dn_0, 0); > } > } >@@ -7562,6 +7708,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfoCtr2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -7584,13 +7731,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr2(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -7698,18 +7846,32 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfo3(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfo3 *r) > { > uint32_t _ptr_netbios_name; >+ uint32_t size_netbios_name_1 = 0; >+ uint32_t length_netbios_name_1 = 0; > TALLOC_CTX *_mem_save_netbios_name_0; > uint32_t _ptr_dns_name; >+ uint32_t size_dns_name_1 = 0; >+ uint32_t length_dns_name_1 = 0; > TALLOC_CTX *_mem_save_dns_name_0; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > TALLOC_CTX *_mem_save_site_name_0; > uint32_t _ptr_site_dn; >+ uint32_t size_site_dn_1 = 0; >+ uint32_t length_site_dn_1 = 0; > TALLOC_CTX *_mem_save_site_dn_0; > uint32_t _ptr_computer_dn; >+ uint32_t size_computer_dn_1 = 0; >+ uint32_t length_computer_dn_1 = 0; > TALLOC_CTX *_mem_save_computer_dn_0; > uint32_t _ptr_server_dn; >+ uint32_t size_server_dn_1 = 0; >+ uint32_t length_server_dn_1 = 0; > TALLOC_CTX *_mem_save_server_dn_0; > uint32_t _ptr_ntds_dn; >+ uint32_t size_ntds_dn_1 = 0; >+ uint32_t length_ntds_dn_1 = 0; > TALLOC_CTX *_mem_save_ntds_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7771,11 +7933,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); >- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); >+ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); >+ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); >+ if (length_netbios_name_1 > size_netbios_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); > } > if (r->dns_name) { >@@ -7783,11 +7947,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); >- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); >+ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); >+ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); >+ if (length_dns_name_1 > size_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); > } > if (r->site_name) { >@@ -7795,11 +7961,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_name)); >- if (ndr_get_array_length(ndr, &r->site_name) > ndr_get_array_size(ndr, &r->site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_name), ndr_get_array_length(ndr, &r->site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > if (r->site_dn) { >@@ -7807,11 +7975,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_dn)); >- if (ndr_get_array_length(ndr, &r->site_dn) > ndr_get_array_size(ndr, &r->site_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_dn), ndr_get_array_length(ndr, &r->site_dn)); >+ size_site_dn_1 = ndr_get_array_size(ndr, &r->site_dn); >+ length_site_dn_1 = ndr_get_array_length(ndr, &r->site_dn); >+ if (length_site_dn_1 > size_site_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_dn_1, length_site_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, length_site_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_dn_0, 0); > } > if (r->computer_dn) { >@@ -7819,11 +7989,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->computer_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_dn)); >- if (ndr_get_array_length(ndr, &r->computer_dn) > ndr_get_array_size(ndr, &r->computer_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_dn), ndr_get_array_length(ndr, &r->computer_dn)); >+ size_computer_dn_1 = ndr_get_array_size(ndr, &r->computer_dn); >+ length_computer_dn_1 = ndr_get_array_length(ndr, &r->computer_dn); >+ if (length_computer_dn_1 > size_computer_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_dn_1, length_computer_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, length_computer_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_dn_0, 0); > } > if (r->server_dn) { >@@ -7831,11 +8003,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); >- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); >+ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); >+ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); >+ if (length_server_dn_1 > size_server_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); > } > if (r->ntds_dn) { >@@ -7843,11 +8017,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->ntds_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->ntds_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->ntds_dn)); >- if (ndr_get_array_length(ndr, &r->ntds_dn) > ndr_get_array_size(ndr, &r->ntds_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->ntds_dn), ndr_get_array_length(ndr, &r->ntds_dn)); >+ size_ntds_dn_1 = ndr_get_array_size(ndr, &r->ntds_dn); >+ length_ntds_dn_1 = ndr_get_array_length(ndr, &r->ntds_dn); >+ if (length_ntds_dn_1 > size_ntds_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ntds_dn_1, length_ntds_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ntds_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, length_ntds_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ntds_dn_0, 0); > } > } >@@ -7937,6 +8113,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfoCtr3(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoCtr3 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -7959,13 +8136,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr3(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo3(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo3(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -8034,6 +8212,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCConnection01(struct ndr_push *n > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnection01(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCConnection01 *r) > { > uint32_t _ptr_client_account; >+ uint32_t size_client_account_1 = 0; >+ uint32_t length_client_account_1 = 0; > TALLOC_CTX *_mem_save_client_account_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -8062,11 +8242,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnection01(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->client_account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_account)); >- if (ndr_get_array_length(ndr, &r->client_account) > ndr_get_array_size(ndr, &r->client_account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_account), ndr_get_array_length(ndr, &r->client_account)); >+ size_client_account_1 = ndr_get_array_size(ndr, &r->client_account); >+ length_client_account_1 = ndr_get_array_length(ndr, &r->client_account); >+ if (length_client_account_1 > size_client_account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_account_1, length_client_account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_account, ndr_get_array_length(ndr, &r->client_account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_account, length_client_account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_account_0, 0); > } > } >@@ -8118,6 +8300,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCConnectionCtr01(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnectionCtr01(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCConnectionCtr01 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -8140,13 +8323,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnectionCtr01(struct ndr_pull > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCConnection01(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCConnection01(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -8536,6 +8720,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsAddEntryExtraErrorBuffer(struct ndr_ > static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryExtraErrorBuffer(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsAddEntryExtraErrorBuffer *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -8556,8 +8741,9 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryExtraErrorBuffer(struct ndr_ > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -9102,6 +9288,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryCtr2(struct ndr_pull *ndr, i > uint32_t _ptr_id; > TALLOC_CTX *_mem_save_id_0; > uint32_t _ptr_objects; >+ uint32_t size_objects_1 = 0; > uint32_t cntr_objects_1; > TALLOC_CTX *_mem_save_objects_0; > TALLOC_CTX *_mem_save_objects_1; >@@ -9138,13 +9325,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryCtr2(struct ndr_pull *ndr, i > _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->objects)); >- NDR_PULL_ALLOC_N(ndr, r->objects, ndr_get_array_size(ndr, &r->objects)); >+ size_objects_1 = ndr_get_array_size(ndr, &r->objects); >+ NDR_PULL_ALLOC_N(ndr, r->objects, size_objects_1); > _mem_save_objects_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); >- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { >+ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_SCALARS, &r->objects[cntr_objects_1])); > } >- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { >+ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_BUFFERS, &r->objects[cntr_objects_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_1, 0); >@@ -9229,6 +9417,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryCtr3(struct ndr_pull *ndr, i > uint32_t _ptr_error; > TALLOC_CTX *_mem_save_error_0; > uint32_t _ptr_objects; >+ uint32_t size_objects_1 = 0; > uint32_t cntr_objects_1; > TALLOC_CTX *_mem_save_objects_0; > TALLOC_CTX *_mem_save_objects_1; >@@ -9277,13 +9466,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryCtr3(struct ndr_pull *ndr, i > _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->objects)); >- NDR_PULL_ALLOC_N(ndr, r->objects, ndr_get_array_size(ndr, &r->objects)); >+ size_objects_1 = ndr_get_array_size(ndr, &r->objects); >+ NDR_PULL_ALLOC_N(ndr, r->objects, size_objects_1); > _mem_save_objects_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); >- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { >+ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_SCALARS, &r->objects[cntr_objects_1])); > } >- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { >+ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_BUFFERS, &r->objects[cntr_objects_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_1, 0); >@@ -9650,6 +9840,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaGetInfoRequest1(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaGetInfoRequest1 *r) > { > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -9669,11 +9861,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest1(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > } >@@ -9734,10 +9928,16 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaGetInfoRequest2 *r) > { > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > uint32_t _ptr_string1; >+ uint32_t size_string1_1 = 0; >+ uint32_t length_string1_1 = 0; > TALLOC_CTX *_mem_save_string1_0; > uint32_t _ptr_string2; >+ uint32_t size_string2_1 = 0; >+ uint32_t length_string2_1 = 0; > TALLOC_CTX *_mem_save_string2_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -9771,11 +9971,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > if (r->string1) { >@@ -9783,11 +9985,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->string1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string1)); >- if (ndr_get_array_length(ndr, &r->string1) > ndr_get_array_size(ndr, &r->string1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string1), ndr_get_array_length(ndr, &r->string1)); >+ size_string1_1 = ndr_get_array_size(ndr, &r->string1); >+ length_string1_1 = ndr_get_array_length(ndr, &r->string1); >+ if (length_string1_1 > size_string1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string1_1, length_string1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->string1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string1, ndr_get_array_length(ndr, &r->string1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_string1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string1, length_string1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string1_0, 0); > } > if (r->string2) { >@@ -9795,11 +9999,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->string2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string2)); >- if (ndr_get_array_length(ndr, &r->string2) > ndr_get_array_size(ndr, &r->string2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string2), ndr_get_array_length(ndr, &r->string2)); >+ size_string2_1 = ndr_get_array_size(ndr, &r->string2); >+ length_string2_1 = ndr_get_array_length(ndr, &r->string2); >+ if (length_string2_1 > size_string2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string2_1, length_string2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->string2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string2, ndr_get_array_length(ndr, &r->string2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_string2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string2, length_string2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string2_0, 0); > } > } >@@ -9986,12 +10192,20 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaNeighbour(struct ndr_push *nd > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaNeighbour *r) > { > uint32_t _ptr_naming_context_dn; >+ uint32_t size_naming_context_dn_1 = 0; >+ uint32_t length_naming_context_dn_1 = 0; > TALLOC_CTX *_mem_save_naming_context_dn_0; > uint32_t _ptr_source_dsa_obj_dn; >+ uint32_t size_source_dsa_obj_dn_1 = 0; >+ uint32_t length_source_dsa_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_source_dsa_obj_dn_0; > uint32_t _ptr_source_dsa_address; >+ uint32_t size_source_dsa_address_1 = 0; >+ uint32_t length_source_dsa_address_1 = 0; > TALLOC_CTX *_mem_save_source_dsa_address_0; > uint32_t _ptr_transport_obj_dn; >+ uint32_t size_transport_obj_dn_1 = 0; >+ uint32_t length_transport_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_transport_obj_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -10039,11 +10253,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->naming_context_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->naming_context_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->naming_context_dn)); >- if (ndr_get_array_length(ndr, &r->naming_context_dn) > ndr_get_array_size(ndr, &r->naming_context_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->naming_context_dn), ndr_get_array_length(ndr, &r->naming_context_dn)); >+ size_naming_context_dn_1 = ndr_get_array_size(ndr, &r->naming_context_dn); >+ length_naming_context_dn_1 = ndr_get_array_length(ndr, &r->naming_context_dn); >+ if (length_naming_context_dn_1 > size_naming_context_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_naming_context_dn_1, length_naming_context_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->naming_context_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->naming_context_dn, ndr_get_array_length(ndr, &r->naming_context_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_naming_context_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->naming_context_dn, length_naming_context_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_naming_context_dn_0, 0); > } > if (r->source_dsa_obj_dn) { >@@ -10051,11 +10267,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_obj_dn)); >- if (ndr_get_array_length(ndr, &r->source_dsa_obj_dn) > ndr_get_array_size(ndr, &r->source_dsa_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_obj_dn), ndr_get_array_length(ndr, &r->source_dsa_obj_dn)); >+ size_source_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->source_dsa_obj_dn); >+ length_source_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->source_dsa_obj_dn); >+ if (length_source_dsa_obj_dn_1 > size_source_dsa_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_obj_dn_1, length_source_dsa_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, length_source_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_obj_dn_0, 0); > } > if (r->source_dsa_address) { >@@ -10063,11 +10281,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_address)); >- if (ndr_get_array_length(ndr, &r->source_dsa_address) > ndr_get_array_size(ndr, &r->source_dsa_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_address), ndr_get_array_length(ndr, &r->source_dsa_address)); >+ size_source_dsa_address_1 = ndr_get_array_size(ndr, &r->source_dsa_address); >+ length_source_dsa_address_1 = ndr_get_array_length(ndr, &r->source_dsa_address); >+ if (length_source_dsa_address_1 > size_source_dsa_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_address_1, length_source_dsa_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, length_source_dsa_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_address_0, 0); > } > if (r->transport_obj_dn) { >@@ -10075,11 +10295,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->transport_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->transport_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->transport_obj_dn)); >- if (ndr_get_array_length(ndr, &r->transport_obj_dn) > ndr_get_array_size(ndr, &r->transport_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->transport_obj_dn), ndr_get_array_length(ndr, &r->transport_obj_dn)); >+ size_transport_obj_dn_1 = ndr_get_array_size(ndr, &r->transport_obj_dn); >+ length_transport_obj_dn_1 = ndr_get_array_length(ndr, &r->transport_obj_dn); >+ if (length_transport_obj_dn_1 > size_transport_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_obj_dn_1, length_transport_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->transport_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport_obj_dn, ndr_get_array_length(ndr, &r->transport_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport_obj_dn, length_transport_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_obj_dn_0, 0); > } > } >@@ -10152,6 +10374,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaNeighbourCtr(struct ndr_push > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbourCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaNeighbourCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10159,10 +10382,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbourCtr(struct ndr_pull > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaNeighbour(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10172,9 +10396,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbourCtr(struct ndr_pull > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaNeighbour(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10222,6 +10447,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursorCtr(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursorCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10229,10 +10455,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtr(struct ndr_pull *nd > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10292,6 +10519,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaObjMetaData(struct ndr_push * > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaData *r) > { > uint32_t _ptr_attribute_name; >+ uint32_t size_attribute_name_1 = 0; >+ uint32_t length_attribute_name_1 = 0; > TALLOC_CTX *_mem_save_attribute_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -10314,11 +10543,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); >- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); >+ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); >+ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); >+ if (length_attribute_name_1 > size_attribute_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); > } > } >@@ -10366,6 +10597,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaObjMetaDataCtr(struct ndr_pus > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaDataCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaDataCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10373,10 +10605,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaDataCtr(struct ndr_pul > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10386,9 +10619,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaDataCtr(struct ndr_pul > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10441,6 +10675,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaKccDsaFailure(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailure(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaKccDsaFailure *r) > { > uint32_t _ptr_dsa_obj_dn; >+ uint32_t size_dsa_obj_dn_1 = 0; >+ uint32_t length_dsa_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_dsa_obj_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -10462,11 +10698,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailure(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->dsa_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dsa_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dsa_obj_dn)); >- if (ndr_get_array_length(ndr, &r->dsa_obj_dn) > ndr_get_array_size(ndr, &r->dsa_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dsa_obj_dn), ndr_get_array_length(ndr, &r->dsa_obj_dn)); >+ size_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->dsa_obj_dn); >+ length_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->dsa_obj_dn); >+ if (length_dsa_obj_dn_1 > size_dsa_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dsa_obj_dn_1, length_dsa_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dsa_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dsa_obj_dn, ndr_get_array_length(ndr, &r->dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dsa_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dsa_obj_dn, length_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dsa_obj_dn_0, 0); > } > } >@@ -10513,6 +10751,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaKccDsaFailuresCtr(struct ndr_ > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailuresCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaKccDsaFailuresCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10520,10 +10759,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailuresCtr(struct ndr_ > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaKccDsaFailure(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10533,9 +10773,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailuresCtr(struct ndr_ > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaKccDsaFailure(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10789,10 +11030,16 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaOp(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOp(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOp *r) > { > uint32_t _ptr_nc_dn; >+ uint32_t size_nc_dn_1 = 0; >+ uint32_t length_nc_dn_1 = 0; > TALLOC_CTX *_mem_save_nc_dn_0; > uint32_t _ptr_remote_dsa_obj_dn; >+ uint32_t size_remote_dsa_obj_dn_1 = 0; >+ uint32_t length_remote_dsa_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_remote_dsa_obj_dn_0; > uint32_t _ptr_remote_dsa_address; >+ uint32_t size_remote_dsa_address_1 = 0; >+ uint32_t length_remote_dsa_address_1 = 0; > TALLOC_CTX *_mem_save_remote_dsa_address_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -10830,11 +11077,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOp(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->nc_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->nc_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->nc_dn)); >- if (ndr_get_array_length(ndr, &r->nc_dn) > ndr_get_array_size(ndr, &r->nc_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->nc_dn), ndr_get_array_length(ndr, &r->nc_dn)); >+ size_nc_dn_1 = ndr_get_array_size(ndr, &r->nc_dn); >+ length_nc_dn_1 = ndr_get_array_length(ndr, &r->nc_dn); >+ if (length_nc_dn_1 > size_nc_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_nc_dn_1, length_nc_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->nc_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->nc_dn, ndr_get_array_length(ndr, &r->nc_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_nc_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->nc_dn, length_nc_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_nc_dn_0, 0); > } > if (r->remote_dsa_obj_dn) { >@@ -10842,11 +11091,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOp(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->remote_dsa_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->remote_dsa_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->remote_dsa_obj_dn)); >- if (ndr_get_array_length(ndr, &r->remote_dsa_obj_dn) > ndr_get_array_size(ndr, &r->remote_dsa_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote_dsa_obj_dn), ndr_get_array_length(ndr, &r->remote_dsa_obj_dn)); >+ size_remote_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->remote_dsa_obj_dn); >+ length_remote_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->remote_dsa_obj_dn); >+ if (length_remote_dsa_obj_dn_1 > size_remote_dsa_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_dsa_obj_dn_1, length_remote_dsa_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote_dsa_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_obj_dn, ndr_get_array_length(ndr, &r->remote_dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_dsa_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_obj_dn, length_remote_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_dsa_obj_dn_0, 0); > } > if (r->remote_dsa_address) { >@@ -10854,11 +11105,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOp(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->remote_dsa_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->remote_dsa_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->remote_dsa_address)); >- if (ndr_get_array_length(ndr, &r->remote_dsa_address) > ndr_get_array_size(ndr, &r->remote_dsa_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote_dsa_address), ndr_get_array_length(ndr, &r->remote_dsa_address)); >+ size_remote_dsa_address_1 = ndr_get_array_size(ndr, &r->remote_dsa_address); >+ length_remote_dsa_address_1 = ndr_get_array_length(ndr, &r->remote_dsa_address); >+ if (length_remote_dsa_address_1 > size_remote_dsa_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_dsa_address_1, length_remote_dsa_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote_dsa_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_address, ndr_get_array_length(ndr, &r->remote_dsa_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_dsa_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_address, length_remote_dsa_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_dsa_address_0, 0); > } > } >@@ -10921,6 +11174,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaOpCtr(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOpCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOpCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10928,10 +11182,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOpCtr(struct ndr_pull *ndr, i > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->time)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaOp(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10941,9 +11196,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOpCtr(struct ndr_pull *ndr, i > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaOp(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11011,8 +11267,12 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttrValMetaData(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaData *r) > { > uint32_t _ptr_attribute_name; >+ uint32_t size_attribute_name_1 = 0; >+ uint32_t length_attribute_name_1 = 0; > TALLOC_CTX *_mem_save_attribute_name_0; > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > uint32_t _ptr_binary; > TALLOC_CTX *_mem_save_binary_0; >@@ -11052,11 +11312,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); >- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); >+ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); >+ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); >+ if (length_attribute_name_1 > size_attribute_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); > } > if (r->object_dn) { >@@ -11064,11 +11326,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > if (r->binary) { >@@ -11137,6 +11401,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttrValMetaDataCtr(struct ndr > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaDataCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaDataCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -11144,10 +11409,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaDataCtr(struct ndr > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11157,9 +11423,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaDataCtr(struct ndr > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11207,6 +11474,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursor2Ctr(struct ndr_push *n > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor2Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -11214,10 +11482,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2Ctr(struct ndr_pull *n > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor2(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11275,6 +11544,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursor3(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor3 *r) > { > uint32_t _ptr_source_dsa_obj_dn; >+ uint32_t size_source_dsa_obj_dn_1 = 0; >+ uint32_t length_source_dsa_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_source_dsa_obj_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -11295,11 +11566,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_obj_dn)); >- if (ndr_get_array_length(ndr, &r->source_dsa_obj_dn) > ndr_get_array_size(ndr, &r->source_dsa_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_obj_dn), ndr_get_array_length(ndr, &r->source_dsa_obj_dn)); >+ size_source_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->source_dsa_obj_dn); >+ length_source_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->source_dsa_obj_dn); >+ if (length_source_dsa_obj_dn_1 > size_source_dsa_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_obj_dn_1, length_source_dsa_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, length_source_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_obj_dn_0, 0); > } > } >@@ -11345,6 +11618,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursor3Ctr(struct ndr_push *n > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor3Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -11352,10 +11626,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3Ctr(struct ndr_pull *n > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor3(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11365,9 +11640,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3Ctr(struct ndr_pull *n > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor3(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11428,8 +11704,12 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaObjMetaData2(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaData2 *r) > { > uint32_t _ptr_attribute_name; >+ uint32_t size_attribute_name_1 = 0; >+ uint32_t length_attribute_name_1 = 0; > TALLOC_CTX *_mem_save_attribute_name_0; > uint32_t _ptr_originating_dsa_dn; >+ uint32_t size_originating_dsa_dn_1 = 0; >+ uint32_t length_originating_dsa_dn_1 = 0; > TALLOC_CTX *_mem_save_originating_dsa_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -11458,11 +11738,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); >- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); >+ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); >+ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); >+ if (length_attribute_name_1 > size_attribute_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); > } > if (r->originating_dsa_dn) { >@@ -11470,11 +11752,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->originating_dsa_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->originating_dsa_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->originating_dsa_dn)); >- if (ndr_get_array_length(ndr, &r->originating_dsa_dn) > ndr_get_array_size(ndr, &r->originating_dsa_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->originating_dsa_dn), ndr_get_array_length(ndr, &r->originating_dsa_dn)); >+ size_originating_dsa_dn_1 = ndr_get_array_size(ndr, &r->originating_dsa_dn); >+ length_originating_dsa_dn_1 = ndr_get_array_length(ndr, &r->originating_dsa_dn); >+ if (length_originating_dsa_dn_1 > size_originating_dsa_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_originating_dsa_dn_1, length_originating_dsa_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_originating_dsa_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, length_originating_dsa_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_originating_dsa_dn_0, 0); > } > } >@@ -11528,6 +11812,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaObjMetaData2Ctr(struct ndr_pu > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaData2Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -11535,10 +11820,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2Ctr(struct ndr_pu > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData2(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11548,9 +11834,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2Ctr(struct ndr_pu > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData2(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11625,12 +11912,18 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttrValMetaData2(struct ndr_p > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaData2 *r) > { > uint32_t _ptr_attribute_name; >+ uint32_t size_attribute_name_1 = 0; >+ uint32_t length_attribute_name_1 = 0; > TALLOC_CTX *_mem_save_attribute_name_0; > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > uint32_t _ptr_binary; > TALLOC_CTX *_mem_save_binary_0; > uint32_t _ptr_originating_dsa_dn; >+ uint32_t size_originating_dsa_dn_1 = 0; >+ uint32_t length_originating_dsa_dn_1 = 0; > TALLOC_CTX *_mem_save_originating_dsa_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -11674,11 +11967,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); >- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); >+ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); >+ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); >+ if (length_attribute_name_1 > size_attribute_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); > } > if (r->object_dn) { >@@ -11686,11 +11981,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > if (r->binary) { >@@ -11704,11 +12001,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->originating_dsa_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->originating_dsa_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->originating_dsa_dn)); >- if (ndr_get_array_length(ndr, &r->originating_dsa_dn) > ndr_get_array_size(ndr, &r->originating_dsa_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->originating_dsa_dn), ndr_get_array_length(ndr, &r->originating_dsa_dn)); >+ size_originating_dsa_dn_1 = ndr_get_array_size(ndr, &r->originating_dsa_dn); >+ length_originating_dsa_dn_1 = ndr_get_array_length(ndr, &r->originating_dsa_dn); >+ if (length_originating_dsa_dn_1 > size_originating_dsa_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_originating_dsa_dn_1, length_originating_dsa_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_originating_dsa_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, length_originating_dsa_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_originating_dsa_dn_0, 0); > } > } >@@ -11777,6 +12076,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttrValMetaData2Ctr(struct nd > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaData2Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -11784,10 +12084,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2Ctr(struct nd > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData2(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11797,9 +12098,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2Ctr(struct nd > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData2(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11907,6 +12209,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaConnection04Ctr(struct ndr_pu > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaConnection04Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaConnection04Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -11917,10 +12220,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaConnection04Ctr(struct ndr_pu > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaConnection04(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11982,6 +12286,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplica06(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsReplica06(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplica06 *r) > { > uint32_t _ptr_str1; >+ uint32_t size_str1_1 = 0; >+ uint32_t length_str1_1 = 0; > TALLOC_CTX *_mem_save_str1_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -12006,11 +12312,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplica06(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->str1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->str1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->str1)); >- if (ndr_get_array_length(ndr, &r->str1) > ndr_get_array_size(ndr, &r->str1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->str1), ndr_get_array_length(ndr, &r->str1)); >+ size_str1_1 = ndr_get_array_size(ndr, &r->str1); >+ length_str1_1 = ndr_get_array_length(ndr, &r->str1); >+ if (length_str1_1 > size_str1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_str1_1, length_str1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->str1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str1, ndr_get_array_length(ndr, &r->str1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_str1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str1, length_str1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_str1_0, 0); > } > } >@@ -12060,6 +12368,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplica06Ctr(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_drsuapi_DsReplica06Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplica06Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -12070,10 +12379,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplica06Ctr(struct ndr_pull *ndr, i > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplica06(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -12083,9 +12393,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplica06Ctr(struct ndr_pull *ndr, i > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplica06(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -12289,20 +12600,35 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_neighbours_0; >+ uint32_t _ptr_neighbours; > TALLOC_CTX *_mem_save_cursors_0; >+ uint32_t _ptr_cursors; > TALLOC_CTX *_mem_save_objmetadata_0; >+ uint32_t _ptr_objmetadata; > TALLOC_CTX *_mem_save_connectfailures_0; >+ uint32_t _ptr_connectfailures; > TALLOC_CTX *_mem_save_linkfailures_0; >+ uint32_t _ptr_linkfailures; > TALLOC_CTX *_mem_save_pendingops_0; >+ uint32_t _ptr_pendingops; > TALLOC_CTX *_mem_save_attrvalmetadata_0; >+ uint32_t _ptr_attrvalmetadata; > TALLOC_CTX *_mem_save_cursors2_0; >+ uint32_t _ptr_cursors2; > TALLOC_CTX *_mem_save_cursors3_0; >+ uint32_t _ptr_cursors3; > TALLOC_CTX *_mem_save_objmetadata2_0; >+ uint32_t _ptr_objmetadata2; > TALLOC_CTX *_mem_save_attrvalmetadata2_0; >+ uint32_t _ptr_attrvalmetadata2; > TALLOC_CTX *_mem_save_neighbours02_0; >+ uint32_t _ptr_neighbours02; > TALLOC_CTX *_mem_save_connections04_0; >+ uint32_t _ptr_connections04; > TALLOC_CTX *_mem_save_cursors05_0; >+ uint32_t _ptr_cursors05; > TALLOC_CTX *_mem_save_i06_0; >+ uint32_t _ptr_i06; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -12312,7 +12638,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case DRSUAPI_DS_REPLICA_INFO_NEIGHBORS: { >- uint32_t _ptr_neighbours; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_neighbours)); > if (_ptr_neighbours) { > NDR_PULL_ALLOC(ndr, r->neighbours); >@@ -12322,7 +12647,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CURSORS: { >- uint32_t _ptr_cursors; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors)); > if (_ptr_cursors) { > NDR_PULL_ALLOC(ndr, r->cursors); >@@ -12332,7 +12656,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_OBJ_METADATA: { >- uint32_t _ptr_objmetadata; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_objmetadata)); > if (_ptr_objmetadata) { > NDR_PULL_ALLOC(ndr, r->objmetadata); >@@ -12342,7 +12665,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_KCC_DSA_CONNECT_FAILURES: { >- uint32_t _ptr_connectfailures; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_connectfailures)); > if (_ptr_connectfailures) { > NDR_PULL_ALLOC(ndr, r->connectfailures); >@@ -12352,7 +12674,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_KCC_DSA_LINK_FAILURES: { >- uint32_t _ptr_linkfailures; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_linkfailures)); > if (_ptr_linkfailures) { > NDR_PULL_ALLOC(ndr, r->linkfailures); >@@ -12362,7 +12683,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_PENDING_OPS: { >- uint32_t _ptr_pendingops; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_pendingops)); > if (_ptr_pendingops) { > NDR_PULL_ALLOC(ndr, r->pendingops); >@@ -12372,7 +12692,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_ATTRIBUTE_VALUE_METADATA: { >- uint32_t _ptr_attrvalmetadata; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_attrvalmetadata)); > if (_ptr_attrvalmetadata) { > NDR_PULL_ALLOC(ndr, r->attrvalmetadata); >@@ -12382,7 +12701,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CURSORS2: { >- uint32_t _ptr_cursors2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors2)); > if (_ptr_cursors2) { > NDR_PULL_ALLOC(ndr, r->cursors2); >@@ -12392,7 +12710,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CURSORS3: { >- uint32_t _ptr_cursors3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors3)); > if (_ptr_cursors3) { > NDR_PULL_ALLOC(ndr, r->cursors3); >@@ -12402,7 +12719,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_OBJ_METADATA2: { >- uint32_t _ptr_objmetadata2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_objmetadata2)); > if (_ptr_objmetadata2) { > NDR_PULL_ALLOC(ndr, r->objmetadata2); >@@ -12412,7 +12728,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_ATTRIBUTE_VALUE_METADATA2: { >- uint32_t _ptr_attrvalmetadata2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_attrvalmetadata2)); > if (_ptr_attrvalmetadata2) { > NDR_PULL_ALLOC(ndr, r->attrvalmetadata2); >@@ -12422,7 +12737,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_NEIGHBORS02: { >- uint32_t _ptr_neighbours02; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_neighbours02)); > if (_ptr_neighbours02) { > NDR_PULL_ALLOC(ndr, r->neighbours02); >@@ -12432,7 +12746,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CONNECTIONS04: { >- uint32_t _ptr_connections04; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_connections04)); > if (_ptr_connections04) { > NDR_PULL_ALLOC(ndr, r->connections04); >@@ -12442,7 +12755,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CURSORS05: { >- uint32_t _ptr_cursors05; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors05)); > if (_ptr_cursors05) { > NDR_PULL_ALLOC(ndr, r->cursors05); >@@ -12452,7 +12764,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_06: { >- uint32_t _ptr_i06; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_i06)); > if (_ptr_i06) { > NDR_PULL_ALLOC(ndr, r->i06); >@@ -12860,6 +13171,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetMemberships2Request1(struct ndr_p > static enum ndr_err_code ndr_pull_drsuapi_DsGetMemberships2Request1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetMemberships2Request1 *r) > { > uint32_t _ptr_req_array; >+ uint32_t size_req_array_1 = 0; > uint32_t cntr_req_array_1; > TALLOC_CTX *_mem_save_req_array_0; > TALLOC_CTX *_mem_save_req_array_1; >@@ -12883,10 +13195,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMemberships2Request1(struct ndr_p > _mem_save_req_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->req_array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->req_array)); >- NDR_PULL_ALLOC_N(ndr, r->req_array, ndr_get_array_size(ndr, &r->req_array)); >+ size_req_array_1 = ndr_get_array_size(ndr, &r->req_array); >+ NDR_PULL_ALLOC_N(ndr, r->req_array, size_req_array_1); > _mem_save_req_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->req_array, 0); >- for (cntr_req_array_1 = 0; cntr_req_array_1 < r->num_req; cntr_req_array_1++) { >+ for (cntr_req_array_1 = 0; cntr_req_array_1 < size_req_array_1; cntr_req_array_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_req_array)); > if (_ptr_req_array) { > NDR_PULL_ALLOC(ndr, r->req_array[cntr_req_array_1]); >@@ -12894,7 +13207,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMemberships2Request1(struct ndr_p > r->req_array[cntr_req_array_1] = NULL; > } > } >- for (cntr_req_array_1 = 0; cntr_req_array_1 < r->num_req; cntr_req_array_1++) { >+ for (cntr_req_array_1 = 0; cntr_req_array_1 < size_req_array_1; cntr_req_array_1++) { > if (r->req_array[cntr_req_array_1]) { > _mem_save_req_array_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->req_array[cntr_req_array_1], 0); >@@ -13077,6 +13390,7 @@ static enum ndr_err_code ndr_push_drsuapi_QuerySitesByCostCtr1(struct ndr_push * > static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_QuerySitesByCostCtr1 *r) > { > uint32_t _ptr_info; >+ uint32_t size_info_1 = 0; > uint32_t cntr_info_1; > TALLOC_CTX *_mem_save_info_0; > TALLOC_CTX *_mem_save_info_1; >@@ -13100,10 +13414,11 @@ static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostCtr1(struct ndr_pull * > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->info)); >- NDR_PULL_ALLOC_N(ndr, r->info, ndr_get_array_size(ndr, &r->info)); >+ size_info_1 = ndr_get_array_size(ndr, &r->info); >+ NDR_PULL_ALLOC_N(ndr, r->info, size_info_1); > _mem_save_info_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info, 0); >- for (cntr_info_1 = 0; cntr_info_1 < r->num_info; cntr_info_1++) { >+ for (cntr_info_1 = 0; cntr_info_1 < size_info_1; cntr_info_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsSiteCostInfo(ndr, NDR_SCALARS, &r->info[cntr_info_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_1, 0); >@@ -13257,9 +13572,14 @@ static enum ndr_err_code ndr_push_drsuapi_QuerySitesByCostRequest1(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_QuerySitesByCostRequest1 *r) > { > uint32_t _ptr_site_from; >+ uint32_t size_site_from_1 = 0; >+ uint32_t length_site_from_1 = 0; > TALLOC_CTX *_mem_save_site_from_0; > uint32_t _ptr_site_to; >+ uint32_t size_site_to_1 = 0; > uint32_t cntr_site_to_1; >+ uint32_t size_site_to_3 = 0; >+ uint32_t length_site_to_3 = 0; > TALLOC_CTX *_mem_save_site_to_0; > TALLOC_CTX *_mem_save_site_to_1; > TALLOC_CTX *_mem_save_site_to_2; >@@ -13290,21 +13610,24 @@ static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostRequest1(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->site_from, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_from)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_from)); >- if (ndr_get_array_length(ndr, &r->site_from) > ndr_get_array_size(ndr, &r->site_from)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_from), ndr_get_array_length(ndr, &r->site_from)); >+ size_site_from_1 = ndr_get_array_size(ndr, &r->site_from); >+ length_site_from_1 = ndr_get_array_length(ndr, &r->site_from); >+ if (length_site_from_1 > size_site_from_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_from_1, length_site_from_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_from), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_from, ndr_get_array_length(ndr, &r->site_from), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_from_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_from, length_site_from_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_from_0, 0); > } > if (r->site_to) { > _mem_save_site_to_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->site_to, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_to)); >- NDR_PULL_ALLOC_N(ndr, r->site_to, ndr_get_array_size(ndr, &r->site_to)); >+ size_site_to_1 = ndr_get_array_size(ndr, &r->site_to); >+ NDR_PULL_ALLOC_N(ndr, r->site_to, size_site_to_1); > _mem_save_site_to_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->site_to, 0); >- for (cntr_site_to_1 = 0; cntr_site_to_1 < r->num_req; cntr_site_to_1++) { >+ for (cntr_site_to_1 = 0; cntr_site_to_1 < size_site_to_1; cntr_site_to_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_site_to)); > if (_ptr_site_to) { > NDR_PULL_ALLOC(ndr, r->site_to[cntr_site_to_1]); >@@ -13312,17 +13635,19 @@ static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostRequest1(struct ndr_pu > r->site_to[cntr_site_to_1] = NULL; > } > } >- for (cntr_site_to_1 = 0; cntr_site_to_1 < r->num_req; cntr_site_to_1++) { >+ for (cntr_site_to_1 = 0; cntr_site_to_1 < size_site_to_1; cntr_site_to_1++) { > if (r->site_to[cntr_site_to_1]) { > _mem_save_site_to_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->site_to[cntr_site_to_1], 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_to[cntr_site_to_1])); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_to[cntr_site_to_1])); >- if (ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]) > ndr_get_array_size(ndr, &r->site_to[cntr_site_to_1])) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_to[cntr_site_to_1]), ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1])); >+ size_site_to_3 = ndr_get_array_size(ndr, &r->site_to[cntr_site_to_1]); >+ length_site_to_3 = ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]); >+ if (length_site_to_3 > size_site_to_3) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_to_3, length_site_to_3); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_to[cntr_site_to_1], ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_to_3, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_to[cntr_site_to_1], length_site_to_3, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_to_2, 0); > } > } >diff --git a/librpc/gen_ndr/ndr_dssetup.c b/librpc/gen_ndr/ndr_dssetup.c >index 27b839b..2d6b130 100644 >--- a/librpc/gen_ndr/ndr_dssetup.c >+++ b/librpc/gen_ndr/ndr_dssetup.c >@@ -96,10 +96,16 @@ static enum ndr_err_code ndr_push_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_pull *ndr, int ndr_flags, struct dssetup_DsRolePrimaryDomInfoBasic *r) > { > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > uint32_t _ptr_dns_domain; >+ uint32_t size_dns_domain_1 = 0; >+ uint32_t length_dns_domain_1 = 0; > TALLOC_CTX *_mem_save_dns_domain_0; > uint32_t _ptr_forest; >+ uint32_t size_forest_1 = 0; >+ uint32_t length_forest_1 = 0; > TALLOC_CTX *_mem_save_forest_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -132,11 +138,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->dns_domain) { >@@ -144,11 +152,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->dns_domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_domain)); >- if (ndr_get_array_length(ndr, &r->dns_domain) > ndr_get_array_size(ndr, &r->dns_domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_domain), ndr_get_array_length(ndr, &r->dns_domain)); >+ size_dns_domain_1 = ndr_get_array_size(ndr, &r->dns_domain); >+ length_dns_domain_1 = ndr_get_array_length(ndr, &r->dns_domain); >+ if (length_dns_domain_1 > size_dns_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_domain_1, length_dns_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, length_dns_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_domain_0, 0); > } > if (r->forest) { >@@ -156,11 +166,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->forest, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->forest)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->forest)); >- if (ndr_get_array_length(ndr, &r->forest) > ndr_get_array_size(ndr, &r->forest)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->forest), ndr_get_array_length(ndr, &r->forest)); >+ size_forest_1 = ndr_get_array_size(ndr, &r->forest); >+ length_forest_1 = ndr_get_array_length(ndr, &r->forest); >+ if (length_forest_1 > size_forest_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_forest_1, length_forest_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_forest_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, length_forest_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_0, 0); > } > } >diff --git a/librpc/gen_ndr/ndr_echo.c b/librpc/gen_ndr/ndr_echo.c >index 4c54ff4..3536291 100644 >--- a/librpc/gen_ndr/ndr_echo.c >+++ b/librpc/gen_ndr/ndr_echo.c >@@ -616,16 +616,18 @@ static enum ndr_err_code ndr_push_echo_Surrounding(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_echo_Surrounding(struct ndr_pull *ndr, int ndr_flags, struct echo_Surrounding *r) > { >+ uint32_t size_surrounding_0 = 0; > uint32_t cntr_surrounding_0; > TALLOC_CTX *_mem_save_surrounding_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->surrounding)); > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->x)); >- NDR_PULL_ALLOC_N(ndr, r->surrounding, ndr_get_array_size(ndr, &r->surrounding)); >+ size_surrounding_0 = ndr_get_array_size(ndr, &r->surrounding); >+ NDR_PULL_ALLOC_N(ndr, r->surrounding, size_surrounding_0); > _mem_save_surrounding_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->surrounding, 0); >- for (cntr_surrounding_0 = 0; cntr_surrounding_0 < r->x; cntr_surrounding_0++) { >+ for (cntr_surrounding_0 = 0; cntr_surrounding_0 < size_surrounding_0; cntr_surrounding_0++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->surrounding[cntr_surrounding_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_surrounding_0, 0); >@@ -735,21 +737,25 @@ static enum ndr_err_code ndr_push_echo_EchoData(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_echo_EchoData(struct ndr_pull *ndr, int flags, struct echo_EchoData *r) > { >+ uint32_t size_in_data_0 = 0; >+ uint32_t size_out_data_0 = 0; > if (flags & NDR_IN) { > ZERO_STRUCT(r->out); > > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.len)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.in_data)); >- NDR_PULL_ALLOC_N(ndr, r->in.in_data, ndr_get_array_size(ndr, &r->in.in_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.in_data, ndr_get_array_size(ndr, &r->in.in_data))); >+ size_in_data_0 = ndr_get_array_size(ndr, &r->in.in_data); >+ NDR_PULL_ALLOC_N(ndr, r->in.in_data, size_in_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.in_data, size_in_data_0)); > if (r->in.in_data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.in_data, r->in.len)); > } > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.out_data)); >- NDR_PULL_ALLOC_N(ndr, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data))); >+ size_out_data_0 = ndr_get_array_size(ndr, &r->out.out_data); >+ NDR_PULL_ALLOC_N(ndr, r->out.out_data, size_out_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, size_out_data_0)); > if (r->out.out_data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.out_data, r->in.len)); > } >@@ -794,11 +800,13 @@ static enum ndr_err_code ndr_push_echo_SinkData(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_echo_SinkData(struct ndr_pull *ndr, int flags, struct echo_SinkData *r) > { >+ uint32_t size_data_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.len)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ size_data_0 = ndr_get_array_size(ndr, &r->in.data); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_0)); > if (r->in.data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.len)); > } >@@ -844,6 +852,7 @@ static enum ndr_err_code ndr_push_echo_SourceData(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_echo_SourceData(struct ndr_pull *ndr, int flags, struct echo_SourceData *r) > { >+ uint32_t size_data_0 = 0; > if (flags & NDR_IN) { > ZERO_STRUCT(r->out); > >@@ -851,8 +860,9 @@ static enum ndr_err_code ndr_pull_echo_SourceData(struct ndr_pull *ndr, int flag > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ size_data_0 = ndr_get_array_size(ndr, &r->out.data); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_0)); > if (r->out.data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.data, r->in.len)); > } >@@ -910,7 +920,11 @@ static enum ndr_err_code ndr_push_echo_TestCall(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, struct echo_TestCall *r) > { >+ uint32_t size_s1_1 = 0; >+ uint32_t length_s1_1 = 0; > uint32_t _ptr_s2; >+ uint32_t size_s2_2 = 0; >+ uint32_t length_s2_2 = 0; > TALLOC_CTX *_mem_save_s2_0; > TALLOC_CTX *_mem_save_s2_1; > if (flags & NDR_IN) { >@@ -918,11 +932,13 @@ static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.s1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.s1)); >- if (ndr_get_array_length(ndr, &r->in.s1) > ndr_get_array_size(ndr, &r->in.s1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.s1), ndr_get_array_length(ndr, &r->in.s1)); >+ size_s1_1 = ndr_get_array_size(ndr, &r->in.s1); >+ length_s1_1 = ndr_get_array_length(ndr, &r->in.s1); >+ if (length_s1_1 > size_s1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_s1_1, length_s1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.s1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.s1, ndr_get_array_length(ndr, &r->in.s1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_s1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.s1, length_s1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.s2); > ZERO_STRUCTP(r->out.s2); > } >@@ -943,11 +959,13 @@ static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, *r->out.s2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.s2)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.s2)); >- if (ndr_get_array_length(ndr, r->out.s2) > ndr_get_array_size(ndr, r->out.s2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.s2), ndr_get_array_length(ndr, r->out.s2)); >+ size_s2_2 = ndr_get_array_size(ndr, r->out.s2); >+ length_s2_2 = ndr_get_array_length(ndr, r->out.s2); >+ if (length_s2_2 > size_s2_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_s2_2, length_s2_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.s2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.s2, ndr_get_array_length(ndr, r->out.s2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_s2_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.s2, length_s2_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s2_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s2_0, LIBNDR_FLAG_REF_ALLOC); >diff --git a/librpc/gen_ndr/ndr_epmapper.c b/librpc/gen_ndr/ndr_epmapper.c >index 5c3abe7..3898700 100644 >--- a/librpc/gen_ndr/ndr_epmapper.c >+++ b/librpc/gen_ndr/ndr_epmapper.c >@@ -1590,6 +1590,7 @@ static enum ndr_err_code ndr_push_epm_tower(struct ndr_push *ndr, int ndr_flags, > > static enum ndr_err_code ndr_pull_epm_tower(struct ndr_pull *ndr, int ndr_flags, struct epm_tower *r) > { >+ uint32_t size_floors_0 = 0; > uint32_t cntr_floors_0; > TALLOC_CTX *_mem_save_floors_0; > { >@@ -1598,10 +1599,11 @@ static enum ndr_err_code ndr_pull_epm_tower(struct ndr_pull *ndr, int ndr_flags, > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_floors)); >- NDR_PULL_ALLOC_N(ndr, r->floors, r->num_floors); >+ size_floors_0 = r->num_floors; >+ NDR_PULL_ALLOC_N(ndr, r->floors, size_floors_0); > _mem_save_floors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->floors, 0); >- for (cntr_floors_0 = 0; cntr_floors_0 < r->num_floors; cntr_floors_0++) { >+ for (cntr_floors_0 = 0; cntr_floors_0 < size_floors_0; cntr_floors_0++) { > NDR_CHECK(ndr_pull_epm_floor(ndr, NDR_SCALARS, &r->floors[cntr_floors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_floors_0, 0); >@@ -1712,6 +1714,7 @@ static enum ndr_err_code ndr_pull_epm_entry_t(struct ndr_pull *ndr, int ndr_flag > { > uint32_t _ptr_tower; > TALLOC_CTX *_mem_save_tower_0; >+ uint32_t size_annotation_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->object)); >@@ -1723,7 +1726,8 @@ static enum ndr_err_code ndr_pull_epm_entry_t(struct ndr_pull *ndr, int ndr_flag > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__annotation_offset)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__annotation_length)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->annotation, r->__annotation_length, sizeof(uint8_t), CH_DOS)); >+ size_annotation_0 = r->__annotation_length; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->annotation, size_annotation_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -1867,18 +1871,20 @@ static enum ndr_err_code ndr_push_epm_Insert(struct ndr_push *ndr, int flags, co > > static enum ndr_err_code ndr_pull_epm_Insert(struct ndr_pull *ndr, int flags, struct epm_Insert *r) > { >+ uint32_t size_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_entries_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.num_ents)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.entries)); >- NDR_PULL_ALLOC_N(ndr, r->in.entries, ndr_get_array_size(ndr, &r->in.entries)); >+ size_entries_0 = ndr_get_array_size(ndr, &r->in.entries); >+ NDR_PULL_ALLOC_N(ndr, r->in.entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->in.entries[cntr_entries_0])); > } >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->in.entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -1948,18 +1954,20 @@ static enum ndr_err_code ndr_push_epm_Delete(struct ndr_push *ndr, int flags, co > > static enum ndr_err_code ndr_pull_epm_Delete(struct ndr_pull *ndr, int flags, struct epm_Delete *r) > { >+ uint32_t size_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_entries_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.num_ents)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.entries)); >- NDR_PULL_ALLOC_N(ndr, r->in.entries, ndr_get_array_size(ndr, &r->in.entries)); >+ size_entries_0 = ndr_get_array_size(ndr, &r->in.entries); >+ NDR_PULL_ALLOC_N(ndr, r->in.entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->in.entries[cntr_entries_0])); > } >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->in.entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -2053,6 +2061,8 @@ static enum ndr_err_code ndr_pull_epm_Lookup(struct ndr_pull *ndr, int flags, st > { > uint32_t _ptr_object; > uint32_t _ptr_interface_id; >+ uint32_t size_entries_0 = 0; >+ uint32_t length_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_object_0; > TALLOC_CTX *_mem_save_interface_id_0; >@@ -2118,16 +2128,18 @@ static enum ndr_err_code ndr_pull_epm_Lookup(struct ndr_pull *ndr, int flags, st > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_num_ents_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.entries)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.entries)); >- if (ndr_get_array_length(ndr, &r->out.entries) > ndr_get_array_size(ndr, &r->out.entries)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.entries), ndr_get_array_length(ndr, &r->out.entries)); >+ size_entries_0 = ndr_get_array_size(ndr, &r->out.entries); >+ length_entries_0 = ndr_get_array_length(ndr, &r->out.entries); >+ if (length_entries_0 > size_entries_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_entries_0, length_entries_0); > } >- NDR_PULL_ALLOC_N(ndr, r->out.entries, ndr_get_array_size(ndr, &r->out.entries)); >+ NDR_PULL_ALLOC_N(ndr, r->out.entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < ndr_get_array_length(ndr, &r->out.entries); cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < length_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->out.entries[cntr_entries_0])); > } >- for (cntr_entries_0 = 0; cntr_entries_0 < ndr_get_array_length(ndr, &r->out.entries); cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < length_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->out.entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -2246,6 +2258,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_epm_Map(struct ndr_pull *ndr, int flags, str > { > uint32_t _ptr_object; > uint32_t _ptr_map_tower; >+ uint32_t size_towers_0 = 0; >+ uint32_t length_towers_0 = 0; > uint32_t cntr_towers_0; > TALLOC_CTX *_mem_save_object_0; > TALLOC_CTX *_mem_save_map_tower_0; >@@ -2309,16 +2323,18 @@ _PUBLIC_ enum ndr_err_code ndr_pull_epm_Map(struct ndr_pull *ndr, int flags, str > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_num_towers_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.towers)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.towers)); >- if (ndr_get_array_length(ndr, &r->out.towers) > ndr_get_array_size(ndr, &r->out.towers)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.towers), ndr_get_array_length(ndr, &r->out.towers)); >+ size_towers_0 = ndr_get_array_size(ndr, &r->out.towers); >+ length_towers_0 = ndr_get_array_length(ndr, &r->out.towers); >+ if (length_towers_0 > size_towers_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_towers_0, length_towers_0); > } >- NDR_PULL_ALLOC_N(ndr, r->out.towers, ndr_get_array_size(ndr, &r->out.towers)); >+ NDR_PULL_ALLOC_N(ndr, r->out.towers, size_towers_0); > _mem_save_towers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.towers, 0); >- for (cntr_towers_0 = 0; cntr_towers_0 < ndr_get_array_length(ndr, &r->out.towers); cntr_towers_0++) { >+ for (cntr_towers_0 = 0; cntr_towers_0 < length_towers_0; cntr_towers_0++) { > NDR_CHECK(ndr_pull_epm_twr_p_t(ndr, NDR_SCALARS, &r->out.towers[cntr_towers_0])); > } >- for (cntr_towers_0 = 0; cntr_towers_0 < ndr_get_array_length(ndr, &r->out.towers); cntr_towers_0++) { >+ for (cntr_towers_0 = 0; cntr_towers_0 < length_towers_0; cntr_towers_0++) { > NDR_CHECK(ndr_pull_epm_twr_p_t(ndr, NDR_BUFFERS, &r->out.towers[cntr_towers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_towers_0, 0); >diff --git a/librpc/gen_ndr/ndr_eventlog.c b/librpc/gen_ndr/ndr_eventlog.c >index e0ac6d2..f56389b 100644 >--- a/librpc/gen_ndr/ndr_eventlog.c >+++ b/librpc/gen_ndr/ndr_eventlog.c >@@ -156,6 +156,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_eventlog_Record_tdb(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_eventlog_Record_tdb(struct ndr_pull *ndr, int ndr_flags, struct eventlog_Record_tdb *r) > { >+ uint32_t size_reserved_0 = 0; >+ uint32_t size_strings_0 = 0; > uint32_t cntr_strings_0; > TALLOC_CTX *_mem_save_strings_0; > { >@@ -164,7 +166,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_eventlog_Record_tdb(struct ndr_pull *ndr, in > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->reserved, 4, sizeof(uint8_t), CH_DOS)); >+ size_reserved_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->reserved, size_reserved_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->record_number)); > NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->time_generated)); > NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->time_written)); >@@ -202,10 +205,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_eventlog_Record_tdb(struct ndr_pull *ndr, in > { > uint32_t _flags_save_string = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM|LIBNDR_FLAG_ALIGN2); >- NDR_PULL_ALLOC_N(ndr, r->strings, r->num_of_strings); >+ size_strings_0 = r->num_of_strings; >+ NDR_PULL_ALLOC_N(ndr, r->strings, size_strings_0); > _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->strings, 0); >- for (cntr_strings_0 = 0; cntr_strings_0 < r->num_of_strings; cntr_strings_0++) { >+ for (cntr_strings_0 = 0; cntr_strings_0 < size_strings_0; cntr_strings_0++) { > NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->strings[cntr_strings_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_strings_0, 0); >@@ -322,10 +326,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_EVENTLOGHEADER(struct ndr_push *ndr, int ndr > > _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGHEADER(struct ndr_pull *ndr, int ndr_flags, struct EVENTLOGHEADER *r) > { >+ uint32_t size_Signature_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->HeaderSize)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, 4, sizeof(uint8_t), CH_DOS)); >+ size_Signature_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, size_Signature_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->MajorVersion)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->MinorVersion)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->StartOffset)); >@@ -441,12 +447,16 @@ _PUBLIC_ enum ndr_err_code ndr_push_EVENTLOGRECORD(struct ndr_push *ndr, int ndr > > _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGRECORD(struct ndr_pull *ndr, int ndr_flags, struct EVENTLOGRECORD *r) > { >+ uint32_t size_Reserved_0 = 0; >+ uint32_t size_Strings_0 = 0; > uint32_t cntr_Strings_0; > TALLOC_CTX *_mem_save_Strings_0; >+ uint32_t size_Data_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Length)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Reserved, 4, sizeof(uint8_t), CH_DOS)); >+ size_Reserved_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Reserved, size_Reserved_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->RecordNumber)); > NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->TimeGenerated)); > NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->TimeWritten)); >@@ -487,10 +497,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGRECORD(struct ndr_pull *ndr, int ndr > { > uint32_t _flags_save_string = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM|LIBNDR_FLAG_ALIGN2); >- NDR_PULL_ALLOC_N(ndr, r->Strings, r->NumStrings); >+ size_Strings_0 = r->NumStrings; >+ NDR_PULL_ALLOC_N(ndr, r->Strings, size_Strings_0); > _mem_save_Strings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->Strings, 0); >- for (cntr_Strings_0 = 0; cntr_Strings_0 < r->NumStrings; cntr_Strings_0++) { >+ for (cntr_Strings_0 = 0; cntr_Strings_0 < size_Strings_0; cntr_Strings_0++) { > NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->Strings[cntr_Strings_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Strings_0, 0); >@@ -499,8 +510,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGRECORD(struct ndr_pull *ndr, int ndr > { > uint32_t _flags_save_uint8 = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); >- NDR_PULL_ALLOC_N(ndr, r->Data, r->DataLength); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Data, r->DataLength)); >+ size_Data_0 = r->DataLength; >+ NDR_PULL_ALLOC_N(ndr, r->Data, size_Data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Data, size_Data_0)); > ndr->flags = _flags_save_uint8; > } > { >@@ -648,15 +660,17 @@ _PUBLIC_ enum ndr_err_code ndr_push_EVENTLOG_EVT_FILE(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOG_EVT_FILE(struct ndr_pull *ndr, int ndr_flags, struct EVENTLOG_EVT_FILE *r) > { >+ uint32_t size_records_0 = 0; > uint32_t cntr_records_0; > TALLOC_CTX *_mem_save_records_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_EVENTLOGHEADER(ndr, NDR_SCALARS, &r->hdr)); >- NDR_PULL_ALLOC_N(ndr, r->records, r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber); >+ size_records_0 = r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; >+ NDR_PULL_ALLOC_N(ndr, r->records, size_records_0); > _mem_save_records_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->records, 0); >- for (cntr_records_0 = 0; cntr_records_0 < r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; cntr_records_0++) { >+ for (cntr_records_0 = 0; cntr_records_0 < size_records_0; cntr_records_0++) { > NDR_CHECK(ndr_pull_EVENTLOGRECORD(ndr, NDR_SCALARS, &r->records[cntr_records_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_records_0, 0); >@@ -664,9 +678,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOG_EVT_FILE(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_records_0 = r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; > _mem_save_records_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->records, 0); >- for (cntr_records_0 = 0; cntr_records_0 < r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; cntr_records_0++) { >+ for (cntr_records_0 = 0; cntr_records_0 < size_records_0; cntr_records_0++) { > NDR_CHECK(ndr_pull_EVENTLOGRECORD(ndr, NDR_BUFFERS, &r->records[cntr_records_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_records_0, 0); >@@ -1612,6 +1627,7 @@ static enum ndr_err_code ndr_push_eventlog_ReadEventLogW(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, int flags, struct eventlog_ReadEventLogW *r) > { >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_sent_size_0; > TALLOC_CTX *_mem_save_real_size_0; >@@ -1640,10 +1656,11 @@ static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, i > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->out.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.sent_size); > } >@@ -1773,8 +1790,10 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventW(struct ndr_pull *ndr, in > { > uint32_t _ptr_user_sid; > uint32_t _ptr_strings; >+ uint32_t size_strings_1 = 0; > uint32_t cntr_strings_1; > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > uint32_t _ptr_record_number; > uint32_t _ptr_time_written; > TALLOC_CTX *_mem_save_handle_0; >@@ -1837,12 +1856,13 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventW(struct ndr_pull *ndr, in > _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.strings)); >- NDR_PULL_ALLOC_N(ndr, r->in.strings, ndr_get_array_size(ndr, &r->in.strings)); >+ size_strings_1 = ndr_get_array_size(ndr, &r->in.strings); >+ NDR_PULL_ALLOC_N(ndr, r->in.strings, size_strings_1); > _mem_save_strings_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); >- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { >+ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { > } >- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { >+ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_strings)); > if (_ptr_strings) { > NDR_PULL_ALLOC(ndr, r->in.strings[cntr_strings_1]); >@@ -1869,8 +1889,9 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventW(struct ndr_pull *ndr, in > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->in.data); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.flags)); >@@ -2465,6 +2486,7 @@ static enum ndr_err_code ndr_push_eventlog_GetLogInformation(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_eventlog_GetLogInformation(struct ndr_pull *ndr, int flags, struct eventlog_GetLogInformation *r) > { >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_bytes_needed_0; > if (flags & NDR_IN) { >@@ -2489,10 +2511,11 @@ static enum ndr_err_code ndr_pull_eventlog_GetLogInformation(struct ndr_pull *nd > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.bytes_needed); > } >@@ -2671,8 +2694,10 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventAndSourceW(struct ndr_pull > { > uint32_t _ptr_user_sid; > uint32_t _ptr_strings; >+ uint32_t size_strings_1 = 0; > uint32_t cntr_strings_1; > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > uint32_t _ptr_record_number; > uint32_t _ptr_time_written; > TALLOC_CTX *_mem_save_handle_0; >@@ -2743,12 +2768,13 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventAndSourceW(struct ndr_pull > _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.strings)); >- NDR_PULL_ALLOC_N(ndr, r->in.strings, ndr_get_array_size(ndr, &r->in.strings)); >+ size_strings_1 = ndr_get_array_size(ndr, &r->in.strings); >+ NDR_PULL_ALLOC_N(ndr, r->in.strings, size_strings_1); > _mem_save_strings_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); >- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { >+ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { > } >- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { >+ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_strings)); > if (_ptr_strings) { > NDR_PULL_ALLOC(ndr, r->in.strings[cntr_strings_1]); >@@ -2775,8 +2801,9 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventAndSourceW(struct ndr_pull > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->in.data); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.flags)); >diff --git a/librpc/gen_ndr/ndr_krb5pac.c b/librpc/gen_ndr/ndr_krb5pac.c >index 1f5ed95..31e9f04 100644 >--- a/librpc/gen_ndr/ndr_krb5pac.c >+++ b/librpc/gen_ndr/ndr_krb5pac.c >@@ -22,11 +22,13 @@ static enum ndr_err_code ndr_push_PAC_LOGON_NAME(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_PAC_LOGON_NAME(struct ndr_pull *ndr, int ndr_flags, struct PAC_LOGON_NAME *r) > { >+ uint32_t size_account_name_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->logon_time)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, r->size, sizeof(uint8_t), CH_UTF16)); >+ size_account_name_0 = r->size; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, size_account_name_0, sizeof(uint8_t), CH_UTF16)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -469,25 +471,28 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_DATA(struct ndr_push *ndr, int ndr_flags > > _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA *r) > { >+ uint32_t size_buffers_0 = 0; > uint32_t cntr_buffers_0; > TALLOC_CTX *_mem_save_buffers_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); >- NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers); >+ size_buffers_0 = r->num_buffers; >+ NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0); > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_buffers_0 = r->num_buffers; > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); >@@ -636,25 +641,28 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_DATA_RAW(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA_RAW(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA_RAW *r) > { >+ uint32_t size_buffers_0 = 0; > uint32_t cntr_buffers_0; > TALLOC_CTX *_mem_save_buffers_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); >- NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers); >+ size_buffers_0 = r->num_buffers; >+ NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0); > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_buffers_0 = r->num_buffers; > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); >diff --git a/librpc/gen_ndr/ndr_lsa.c b/librpc/gen_ndr/ndr_lsa.c >index f1b87ec..f1fc10e 100644 >--- a/librpc/gen_ndr/ndr_lsa.c >+++ b/librpc/gen_ndr/ndr_lsa.c >@@ -28,6 +28,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_String(struct ndr_push *ndr, int ndr_fla > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_String(struct ndr_pull *ndr, int ndr_flags, struct lsa_String *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -47,10 +49,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_String(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -101,6 +105,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_StringLarge(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_StringLarge(struct ndr_pull *ndr, int ndr_flags, struct lsa_StringLarge *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -120,10 +126,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_StringLarge(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -177,6 +185,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_Strings(struct ndr_push *ndr, int ndr_fl > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_Strings(struct ndr_pull *ndr, int ndr_flags, struct lsa_Strings *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -196,13 +205,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_Strings(struct ndr_pull *ndr, int ndr_fl > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -262,6 +272,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_AsciiString(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiString(struct ndr_pull *ndr, int ndr_flags, struct lsa_AsciiString *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -281,10 +293,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiString(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -335,6 +349,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_AsciiStringLarge(struct ndr_push *ndr, i > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiStringLarge(struct ndr_pull *ndr, int ndr_flags, struct lsa_AsciiStringLarge *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -354,10 +370,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiStringLarge(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -411,6 +429,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_BinaryString(struct ndr_push *ndr, int n > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_BinaryString(struct ndr_pull *ndr, int ndr_flags, struct lsa_BinaryString *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; >+ uint32_t length_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -432,13 +452,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_BinaryString(struct ndr_pull *ndr, int n > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->array)); >- if (ndr_get_array_length(ndr, &r->array) > ndr_get_array_size(ndr, &r->array)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->array), ndr_get_array_length(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ length_array_1 = ndr_get_array_length(ndr, &r->array); >+ if (length_array_1 > size_array_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_array_1, length_array_1); > } >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < ndr_get_array_length(ndr, &r->array); cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < length_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -577,6 +599,7 @@ static enum ndr_err_code ndr_push_lsa_PrivArray(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_lsa_PrivArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_PrivArray *r) > { > uint32_t _ptr_privs; >+ uint32_t size_privs_1 = 0; > uint32_t cntr_privs_1; > TALLOC_CTX *_mem_save_privs_0; > TALLOC_CTX *_mem_save_privs_1; >@@ -596,13 +619,14 @@ static enum ndr_err_code ndr_pull_lsa_PrivArray(struct ndr_pull *ndr, int ndr_fl > _mem_save_privs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privs, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->privs)); >- NDR_PULL_ALLOC_N(ndr, r->privs, ndr_get_array_size(ndr, &r->privs)); >+ size_privs_1 = ndr_get_array_size(ndr, &r->privs); >+ NDR_PULL_ALLOC_N(ndr, r->privs, size_privs_1); > _mem_save_privs_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privs, 0); >- for (cntr_privs_1 = 0; cntr_privs_1 < r->count; cntr_privs_1++) { >+ for (cntr_privs_1 = 0; cntr_privs_1 < size_privs_1; cntr_privs_1++) { > NDR_CHECK(ndr_pull_lsa_PrivEntry(ndr, NDR_SCALARS, &r->privs[cntr_privs_1])); > } >- for (cntr_privs_1 = 0; cntr_privs_1 < r->count; cntr_privs_1++) { >+ for (cntr_privs_1 = 0; cntr_privs_1 < size_privs_1; cntr_privs_1++) { > NDR_CHECK(ndr_pull_lsa_PrivEntry(ndr, NDR_BUFFERS, &r->privs[cntr_privs_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privs_1, 0); >@@ -717,6 +741,8 @@ static enum ndr_err_code ndr_pull_lsa_ObjectAttribute(struct ndr_pull *ndr, int > uint32_t _ptr_root_dir; > TALLOC_CTX *_mem_save_root_dir_0; > uint32_t _ptr_object_name; >+ uint32_t size_object_name_1 = 0; >+ uint32_t length_object_name_1 = 0; > TALLOC_CTX *_mem_save_object_name_0; > uint32_t _ptr_sec_desc; > TALLOC_CTX *_mem_save_sec_desc_0; >@@ -764,11 +790,13 @@ static enum ndr_err_code ndr_pull_lsa_ObjectAttribute(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->object_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_name)); >- if (ndr_get_array_length(ndr, &r->object_name) > ndr_get_array_size(ndr, &r->object_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_name), ndr_get_array_length(ndr, &r->object_name)); >+ size_object_name_1 = ndr_get_array_size(ndr, &r->object_name); >+ length_object_name_1 = ndr_get_array_length(ndr, &r->object_name); >+ if (length_object_name_1 > size_object_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_name_1, length_object_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_name, ndr_get_array_length(ndr, &r->object_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_name, length_object_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_name_0, 0); > } > if (r->sec_desc) { >@@ -1029,6 +1057,7 @@ static enum ndr_err_code ndr_push_lsa_AuditEventsInfo(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_lsa_AuditEventsInfo(struct ndr_pull *ndr, int ndr_flags, struct lsa_AuditEventsInfo *r) > { > uint32_t _ptr_settings; >+ uint32_t size_settings_1 = 0; > uint32_t cntr_settings_1; > TALLOC_CTX *_mem_save_settings_0; > TALLOC_CTX *_mem_save_settings_1; >@@ -1049,10 +1078,11 @@ static enum ndr_err_code ndr_pull_lsa_AuditEventsInfo(struct ndr_pull *ndr, int > _mem_save_settings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->settings, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->settings)); >- NDR_PULL_ALLOC_N(ndr, r->settings, ndr_get_array_size(ndr, &r->settings)); >+ size_settings_1 = ndr_get_array_size(ndr, &r->settings); >+ NDR_PULL_ALLOC_N(ndr, r->settings, size_settings_1); > _mem_save_settings_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->settings, 0); >- for (cntr_settings_1 = 0; cntr_settings_1 < r->count; cntr_settings_1++) { >+ for (cntr_settings_1 = 0; cntr_settings_1 < size_settings_1; cntr_settings_1++) { > NDR_CHECK(ndr_pull_lsa_PolicyAuditPolicy(ndr, NDR_SCALARS, &r->settings[cntr_settings_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_settings_1, 0); >@@ -1939,6 +1969,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_SidArray(struct ndr_push *ndr, int ndr_f > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_SidArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_SidArray *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -1961,13 +1992,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_SidArray(struct ndr_pull *ndr, int ndr_f > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_SidPtr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_SidPtr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -2030,6 +2062,7 @@ static enum ndr_err_code ndr_push_lsa_DomainList(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_lsa_DomainList(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainList *r) > { > uint32_t _ptr_domains; >+ uint32_t size_domains_1 = 0; > uint32_t cntr_domains_1; > TALLOC_CTX *_mem_save_domains_0; > TALLOC_CTX *_mem_save_domains_1; >@@ -2049,13 +2082,14 @@ static enum ndr_err_code ndr_pull_lsa_DomainList(struct ndr_pull *ndr, int ndr_f > _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); >- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); >+ size_domains_1 = ndr_get_array_size(ndr, &r->domains); >+ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); > _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); > } >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); >@@ -2186,6 +2220,7 @@ static enum ndr_err_code ndr_push_lsa_TransSidArray(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_lsa_TransSidArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -2208,10 +2243,11 @@ static enum ndr_err_code ndr_pull_lsa_TransSidArray(struct ndr_pull *ndr, int nd > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -2275,6 +2311,7 @@ static enum ndr_err_code ndr_push_lsa_RefDomainList(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_lsa_RefDomainList(struct ndr_pull *ndr, int ndr_flags, struct lsa_RefDomainList *r) > { > uint32_t _ptr_domains; >+ uint32_t size_domains_1 = 0; > uint32_t cntr_domains_1; > TALLOC_CTX *_mem_save_domains_0; > TALLOC_CTX *_mem_save_domains_1; >@@ -2298,13 +2335,14 @@ static enum ndr_err_code ndr_pull_lsa_RefDomainList(struct ndr_pull *ndr, int nd > _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); >- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); >+ size_domains_1 = ndr_get_array_size(ndr, &r->domains); >+ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); > _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); > } >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); >@@ -2438,6 +2476,7 @@ static enum ndr_err_code ndr_push_lsa_TransNameArray(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_lsa_TransNameArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransNameArray *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -2460,13 +2499,14 @@ static enum ndr_err_code ndr_pull_lsa_TransNameArray(struct ndr_pull *ndr, int n > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -2558,6 +2598,7 @@ static enum ndr_err_code ndr_push_lsa_PrivilegeSet(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_lsa_PrivilegeSet(struct ndr_pull *ndr, int ndr_flags, struct lsa_PrivilegeSet *r) > { >+ uint32_t size_set_0 = 0; > uint32_t cntr_set_0; > TALLOC_CTX *_mem_save_set_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2568,10 +2609,11 @@ static enum ndr_err_code ndr_pull_lsa_PrivilegeSet(struct ndr_pull *ndr, int ndr > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown)); >- NDR_PULL_ALLOC_N(ndr, r->set, ndr_get_array_size(ndr, &r->set)); >+ size_set_0 = ndr_get_array_size(ndr, &r->set); >+ NDR_PULL_ALLOC_N(ndr, r->set, size_set_0); > _mem_save_set_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->set, 0); >- for (cntr_set_0 = 0; cntr_set_0 < r->count; cntr_set_0++) { >+ for (cntr_set_0 = 0; cntr_set_0 < size_set_0; cntr_set_0++) { > NDR_CHECK(ndr_pull_lsa_LUIDAttribute(ndr, NDR_SCALARS, &r->set[cntr_set_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_set_0, 0); >@@ -2633,6 +2675,8 @@ static enum ndr_err_code ndr_push_lsa_DATA_BUF(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_lsa_DATA_BUF(struct ndr_pull *ndr, int ndr_flags, struct lsa_DATA_BUF *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; >+ uint32_t length_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -2655,11 +2699,13 @@ static enum ndr_err_code ndr_pull_lsa_DATA_BUF(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); >- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ length_data_1 = ndr_get_array_length(ndr, &r->data); >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -2719,6 +2765,7 @@ static enum ndr_err_code ndr_push_lsa_DATA_BUF2(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_lsa_DATA_BUF2(struct ndr_pull *ndr, int ndr_flags, struct lsa_DATA_BUF2 *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -2742,8 +2789,9 @@ static enum ndr_err_code ndr_pull_lsa_DATA_BUF2(struct ndr_pull *ndr, int ndr_fl > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -2948,6 +2996,7 @@ static enum ndr_err_code ndr_push_lsa_TrustDomainInfoControllers(struct ndr_push > static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoControllers(struct ndr_pull *ndr, int ndr_flags, struct lsa_TrustDomainInfoControllers *r) > { > uint32_t _ptr_netbios_names; >+ uint32_t size_netbios_names_1 = 0; > uint32_t cntr_netbios_names_1; > TALLOC_CTX *_mem_save_netbios_names_0; > TALLOC_CTX *_mem_save_netbios_names_1; >@@ -2967,13 +3016,14 @@ static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoControllers(struct ndr_pull > _mem_save_netbios_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_names)); >- NDR_PULL_ALLOC_N(ndr, r->netbios_names, ndr_get_array_size(ndr, &r->netbios_names)); >+ size_netbios_names_1 = ndr_get_array_size(ndr, &r->netbios_names); >+ NDR_PULL_ALLOC_N(ndr, r->netbios_names, size_netbios_names_1); > _mem_save_netbios_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_names, 0); >- for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < r->entries; cntr_netbios_names_1++) { >+ for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < size_netbios_names_1; cntr_netbios_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_SCALARS, &r->netbios_names[cntr_netbios_names_1])); > } >- for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < r->entries; cntr_netbios_names_1++) { >+ for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < size_netbios_names_1; cntr_netbios_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_BUFFERS, &r->netbios_names[cntr_netbios_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_names_1, 0); >@@ -3587,6 +3637,7 @@ static enum ndr_err_code ndr_push_lsa_TrustDomainInfoInfoEx2Internal(struct ndr_ > static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoInfoEx2Internal(struct ndr_pull *ndr, int ndr_flags, struct lsa_TrustDomainInfoInfoEx2Internal *r) > { > uint32_t _ptr_forest_trust_data; >+ uint32_t size_forest_trust_data_1 = 0; > TALLOC_CTX *_mem_save_forest_trust_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3606,8 +3657,9 @@ static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoInfoEx2Internal(struct ndr_ > _mem_save_forest_trust_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->forest_trust_data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->forest_trust_data)); >- NDR_PULL_ALLOC_N(ndr, r->forest_trust_data, ndr_get_array_size(ndr, &r->forest_trust_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->forest_trust_data, ndr_get_array_size(ndr, &r->forest_trust_data))); >+ size_forest_trust_data_1 = ndr_get_array_size(ndr, &r->forest_trust_data); >+ NDR_PULL_ALLOC_N(ndr, r->forest_trust_data, size_forest_trust_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->forest_trust_data, size_forest_trust_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_trust_data_0, 0); > } > if (r->forest_trust_data) { >@@ -4098,6 +4150,7 @@ static enum ndr_err_code ndr_push_lsa_RightSet(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_lsa_RightSet(struct ndr_pull *ndr, int ndr_flags, struct lsa_RightSet *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -4120,13 +4173,14 @@ static enum ndr_err_code ndr_pull_lsa_RightSet(struct ndr_pull *ndr, int ndr_fla > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -4189,6 +4243,7 @@ static enum ndr_err_code ndr_push_lsa_DomainListEx(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_lsa_DomainListEx(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainListEx *r) > { > uint32_t _ptr_domains; >+ uint32_t size_domains_1 = 0; > uint32_t cntr_domains_1; > TALLOC_CTX *_mem_save_domains_0; > TALLOC_CTX *_mem_save_domains_1; >@@ -4208,13 +4263,14 @@ static enum ndr_err_code ndr_pull_lsa_DomainListEx(struct ndr_pull *ndr, int ndr > _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); >- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); >+ size_domains_1 = ndr_get_array_size(ndr, &r->domains); >+ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); > _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_TrustDomainInfoInfoEx(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); > } >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_TrustDomainInfoInfoEx(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); >@@ -4318,6 +4374,7 @@ static enum ndr_err_code ndr_push_lsa_DomainInfoEfs(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_lsa_DomainInfoEfs(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainInfoEfs *r) > { > uint32_t _ptr_efs_blob; >+ uint32_t size_efs_blob_1 = 0; > TALLOC_CTX *_mem_save_efs_blob_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4335,8 +4392,9 @@ static enum ndr_err_code ndr_pull_lsa_DomainInfoEfs(struct ndr_pull *ndr, int nd > _mem_save_efs_blob_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->efs_blob, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->efs_blob)); >- NDR_PULL_ALLOC_N(ndr, r->efs_blob, ndr_get_array_size(ndr, &r->efs_blob)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->efs_blob, ndr_get_array_size(ndr, &r->efs_blob))); >+ size_efs_blob_1 = ndr_get_array_size(ndr, &r->efs_blob); >+ NDR_PULL_ALLOC_N(ndr, r->efs_blob, size_efs_blob_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->efs_blob, size_efs_blob_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_efs_blob_0, 0); > } > if (r->efs_blob) { >@@ -4524,6 +4582,7 @@ static enum ndr_err_code ndr_push_lsa_TransNameArray2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_lsa_TransNameArray2(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransNameArray2 *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -4546,13 +4605,14 @@ static enum ndr_err_code ndr_pull_lsa_TransNameArray2(struct ndr_pull *ndr, int > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName2(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName2(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -4703,6 +4763,7 @@ static enum ndr_err_code ndr_push_lsa_TransSidArray2(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_lsa_TransSidArray2(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray2 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -4725,10 +4786,11 @@ static enum ndr_err_code ndr_pull_lsa_TransSidArray2(struct ndr_pull *ndr, int n > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid2(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -4853,6 +4915,7 @@ static enum ndr_err_code ndr_push_lsa_TransSidArray3(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_lsa_TransSidArray3(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray3 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -4875,13 +4938,14 @@ static enum ndr_err_code ndr_pull_lsa_TransSidArray3(struct ndr_pull *ndr, int n > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid3(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid3(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -4938,6 +5002,7 @@ static enum ndr_err_code ndr_push_lsa_ForestTrustBinaryData(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_lsa_ForestTrustBinaryData(struct ndr_pull *ndr, int ndr_flags, struct lsa_ForestTrustBinaryData *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4958,8 +5023,9 @@ static enum ndr_err_code ndr_pull_lsa_ForestTrustBinaryData(struct ndr_pull *ndr > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -5274,6 +5340,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_ForestTrustInformation(struct ndr_push * > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull *ndr, int ndr_flags, struct lsa_ForestTrustInformation *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -5297,10 +5364,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull * > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_entries)); > if (_ptr_entries) { > NDR_PULL_ALLOC(ndr, r->entries[cntr_entries_1]); >@@ -5308,7 +5376,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull * > r->entries[cntr_entries_1] = NULL; > } > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > if (r->entries[cntr_entries_1]) { > _mem_save_entries_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries[cntr_entries_1], 0); >@@ -6617,6 +6685,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_LookupNames(struct ndr_push *ndr, int fl > > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames(struct ndr_pull *ndr, int flags, struct lsa_LookupNames *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_handle_0; >@@ -6640,13 +6709,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames(struct ndr_pull *ndr, int fl > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -9680,6 +9750,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_OpenPolicy2(struct ndr_push *ndr, int fl > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_OpenPolicy2(struct ndr_pull *ndr, int flags, struct lsa_OpenPolicy2 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_attr_0; > TALLOC_CTX *_mem_save_handle_0; >@@ -9697,11 +9769,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_OpenPolicy2(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -9812,6 +9886,8 @@ static enum ndr_err_code ndr_push_lsa_GetUserName(struct ndr_push *ndr, int flag > static enum ndr_err_code ndr_pull_lsa_GetUserName(struct ndr_pull *ndr, int flags, struct lsa_GetUserName *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > uint32_t _ptr_account_name; > uint32_t _ptr_authority_name; > TALLOC_CTX *_mem_save_system_name_0; >@@ -9833,11 +9909,13 @@ static enum ndr_err_code ndr_pull_lsa_GetUserName(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -11247,6 +11325,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_LookupNames2(struct ndr_push *ndr, int f > > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames2(struct ndr_pull *ndr, int flags, struct lsa_LookupNames2 *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_handle_0; >@@ -11270,13 +11349,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames2(struct ndr_pull *ndr, int f > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -11901,6 +11981,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_LookupNames3(struct ndr_push *ndr, int f > > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames3(struct ndr_pull *ndr, int flags, struct lsa_LookupNames3 *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_handle_0; >@@ -11924,13 +12005,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames3(struct ndr_pull *ndr, int f > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -12647,6 +12729,7 @@ static enum ndr_err_code ndr_push_lsa_LookupNames4(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_lsa_LookupNames4(struct ndr_pull *ndr, int flags, struct lsa_LookupNames4 *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_names_0; >@@ -12662,13 +12745,14 @@ static enum ndr_err_code ndr_pull_lsa_LookupNames4(struct ndr_pull *ndr, int fla > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >diff --git a/librpc/gen_ndr/ndr_misc.c b/librpc/gen_ndr/ndr_misc.c >index 99cb045..2b067df 100644 >--- a/librpc/gen_ndr/ndr_misc.c >+++ b/librpc/gen_ndr/ndr_misc.c >@@ -21,13 +21,17 @@ _PUBLIC_ enum ndr_err_code ndr_push_GUID(struct ndr_push *ndr, int ndr_flags, co > > _PUBLIC_ enum ndr_err_code ndr_pull_GUID(struct ndr_pull *ndr, int ndr_flags, struct GUID *r) > { >+ uint32_t size_clock_seq_0 = 0; >+ uint32_t size_node_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->time_low)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_mid)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_hi_and_version)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->clock_seq, 2)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->node, 6)); >+ size_clock_seq_0 = 2; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->clock_seq, size_clock_seq_0)); >+ size_node_0 = 6; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->node, size_node_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >diff --git a/librpc/gen_ndr/ndr_named_pipe_auth.c b/librpc/gen_ndr/ndr_named_pipe_auth.c >index 18eadf9..b64a987 100644 >--- a/librpc/gen_ndr/ndr_named_pipe_auth.c >+++ b/librpc/gen_ndr/ndr_named_pipe_auth.c >@@ -58,16 +58,25 @@ static enum ndr_err_code ndr_push_named_pipe_auth_req_info2(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_named_pipe_auth_req_info2(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req_info2 *r) > { > uint32_t _ptr_client_name; >+ uint32_t size_client_name_1 = 0; >+ uint32_t length_client_name_1 = 0; > TALLOC_CTX *_mem_save_client_name_0; > uint32_t _ptr_client_addr; >+ uint32_t size_client_addr_1 = 0; >+ uint32_t length_client_addr_1 = 0; > TALLOC_CTX *_mem_save_client_addr_0; > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_server_addr; >+ uint32_t size_server_addr_1 = 0; >+ uint32_t length_server_addr_1 = 0; > TALLOC_CTX *_mem_save_server_addr_0; > uint32_t _ptr_sam_info3; > TALLOC_CTX *_mem_save_sam_info3_0; > uint32_t _ptr_session_key; >+ uint32_t size_session_key_1 = 0; > TALLOC_CTX *_mem_save_session_key_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -118,11 +127,13 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info2(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->client_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_name)); >- if (ndr_get_array_length(ndr, &r->client_name) > ndr_get_array_size(ndr, &r->client_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_name), ndr_get_array_length(ndr, &r->client_name)); >+ size_client_name_1 = ndr_get_array_size(ndr, &r->client_name); >+ length_client_name_1 = ndr_get_array_length(ndr, &r->client_name); >+ if (length_client_name_1 > size_client_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_name_1, length_client_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_name, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_name, length_client_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_name_0, 0); > } > if (r->client_addr) { >@@ -130,11 +141,13 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info2(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->client_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_addr)); >- if (ndr_get_array_length(ndr, &r->client_addr) > ndr_get_array_size(ndr, &r->client_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_addr), ndr_get_array_length(ndr, &r->client_addr)); >+ size_client_addr_1 = ndr_get_array_size(ndr, &r->client_addr); >+ length_client_addr_1 = ndr_get_array_length(ndr, &r->client_addr); >+ if (length_client_addr_1 > size_client_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_addr_1, length_client_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_addr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_addr_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_addr, length_client_addr_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_addr_0, 0); > } > if (r->server_name) { >@@ -142,11 +155,13 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info2(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->server_addr) { >@@ -154,11 +169,13 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info2(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->server_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_addr)); >- if (ndr_get_array_length(ndr, &r->server_addr) > ndr_get_array_size(ndr, &r->server_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_addr), ndr_get_array_length(ndr, &r->server_addr)); >+ size_server_addr_1 = ndr_get_array_size(ndr, &r->server_addr); >+ length_server_addr_1 = ndr_get_array_length(ndr, &r->server_addr); >+ if (length_server_addr_1 > size_server_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_addr_1, length_server_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_addr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_addr_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_addr, length_server_addr_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_addr_0, 0); > } > if (r->sam_info3) { >@@ -171,8 +188,9 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info2(struct ndr_pull *ndr > _mem_save_session_key_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->session_key, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->session_key)); >- NDR_PULL_ALLOC_N(ndr, r->session_key, ndr_get_array_size(ndr, &r->session_key)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, ndr_get_array_size(ndr, &r->session_key))); >+ size_session_key_1 = ndr_get_array_size(ndr, &r->session_key); >+ NDR_PULL_ALLOC_N(ndr, r->session_key, size_session_key_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, size_session_key_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_session_key_0, 0); > } > if (r->session_key) { >@@ -288,18 +306,28 @@ static enum ndr_err_code ndr_push_named_pipe_auth_req_info3(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_named_pipe_auth_req_info3(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req_info3 *r) > { > uint32_t _ptr_client_name; >+ uint32_t size_client_name_1 = 0; >+ uint32_t length_client_name_1 = 0; > TALLOC_CTX *_mem_save_client_name_0; > uint32_t _ptr_client_addr; >+ uint32_t size_client_addr_1 = 0; >+ uint32_t length_client_addr_1 = 0; > TALLOC_CTX *_mem_save_client_addr_0; > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_server_addr; >+ uint32_t size_server_addr_1 = 0; >+ uint32_t length_server_addr_1 = 0; > TALLOC_CTX *_mem_save_server_addr_0; > uint32_t _ptr_sam_info3; > TALLOC_CTX *_mem_save_sam_info3_0; > uint32_t _ptr_session_key; >+ uint32_t size_session_key_1 = 0; > TALLOC_CTX *_mem_save_session_key_0; > uint32_t _ptr_gssapi_delegated_creds; >+ uint32_t size_gssapi_delegated_creds_1 = 0; > TALLOC_CTX *_mem_save_gssapi_delegated_creds_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -357,11 +385,13 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info3(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->client_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_name)); >- if (ndr_get_array_length(ndr, &r->client_name) > ndr_get_array_size(ndr, &r->client_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_name), ndr_get_array_length(ndr, &r->client_name)); >+ size_client_name_1 = ndr_get_array_size(ndr, &r->client_name); >+ length_client_name_1 = ndr_get_array_length(ndr, &r->client_name); >+ if (length_client_name_1 > size_client_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_name_1, length_client_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_name, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_name, length_client_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_name_0, 0); > } > if (r->client_addr) { >@@ -369,11 +399,13 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info3(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->client_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_addr)); >- if (ndr_get_array_length(ndr, &r->client_addr) > ndr_get_array_size(ndr, &r->client_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_addr), ndr_get_array_length(ndr, &r->client_addr)); >+ size_client_addr_1 = ndr_get_array_size(ndr, &r->client_addr); >+ length_client_addr_1 = ndr_get_array_length(ndr, &r->client_addr); >+ if (length_client_addr_1 > size_client_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_addr_1, length_client_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_addr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_addr_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_addr, length_client_addr_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_addr_0, 0); > } > if (r->server_name) { >@@ -381,11 +413,13 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info3(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->server_addr) { >@@ -393,11 +427,13 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info3(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->server_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_addr)); >- if (ndr_get_array_length(ndr, &r->server_addr) > ndr_get_array_size(ndr, &r->server_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_addr), ndr_get_array_length(ndr, &r->server_addr)); >+ size_server_addr_1 = ndr_get_array_size(ndr, &r->server_addr); >+ length_server_addr_1 = ndr_get_array_length(ndr, &r->server_addr); >+ if (length_server_addr_1 > size_server_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_addr_1, length_server_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_addr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_addr_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_addr, length_server_addr_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_addr_0, 0); > } > if (r->sam_info3) { >@@ -410,16 +446,18 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info3(struct ndr_pull *ndr > _mem_save_session_key_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->session_key, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->session_key)); >- NDR_PULL_ALLOC_N(ndr, r->session_key, ndr_get_array_size(ndr, &r->session_key)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, ndr_get_array_size(ndr, &r->session_key))); >+ size_session_key_1 = ndr_get_array_size(ndr, &r->session_key); >+ NDR_PULL_ALLOC_N(ndr, r->session_key, size_session_key_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, size_session_key_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_session_key_0, 0); > } > if (r->gssapi_delegated_creds) { > _mem_save_gssapi_delegated_creds_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->gssapi_delegated_creds, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->gssapi_delegated_creds)); >- NDR_PULL_ALLOC_N(ndr, r->gssapi_delegated_creds, ndr_get_array_size(ndr, &r->gssapi_delegated_creds)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->gssapi_delegated_creds, ndr_get_array_size(ndr, &r->gssapi_delegated_creds))); >+ size_gssapi_delegated_creds_1 = ndr_get_array_size(ndr, &r->gssapi_delegated_creds); >+ NDR_PULL_ALLOC_N(ndr, r->gssapi_delegated_creds, size_gssapi_delegated_creds_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->gssapi_delegated_creds, size_gssapi_delegated_creds_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_gssapi_delegated_creds_0, 0); > } > if (r->session_key) { >@@ -641,6 +679,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_named_pipe_auth_req(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req *r) > { >+ uint32_t size_magic_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > { >@@ -649,7 +688,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); > ndr->flags = _flags_save_uint32; > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS)); >+ size_magic_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, size_magic_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level)); > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level)); > NDR_CHECK(ndr_pull_named_pipe_auth_req_info(ndr, NDR_SCALARS, &r->info)); >@@ -902,6 +942,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_named_pipe_auth_rep(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep *r) > { >+ uint32_t size_magic_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > { >@@ -910,7 +951,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); > ndr->flags = _flags_save_uint32; > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS)); >+ size_magic_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, size_magic_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level)); > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level)); > NDR_CHECK(ndr_pull_named_pipe_auth_rep_info(ndr, NDR_SCALARS, &r->info)); >diff --git a/librpc/gen_ndr/ndr_nbt.c b/librpc/gen_ndr/ndr_nbt.c >index bffb25a..3080ab2 100644 >--- a/librpc/gen_ndr/ndr_nbt.c >+++ b/librpc/gen_ndr/ndr_nbt.c >@@ -247,15 +247,17 @@ static enum ndr_err_code ndr_push_nbt_rdata_netbios(struct ndr_push *ndr, int nd > > static enum ndr_err_code ndr_pull_nbt_rdata_netbios(struct ndr_pull *ndr, int ndr_flags, struct nbt_rdata_netbios *r) > { >+ uint32_t size_addresses_0 = 0; > uint32_t cntr_addresses_0; > TALLOC_CTX *_mem_save_addresses_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); >- NDR_PULL_ALLOC_N(ndr, r->addresses, r->length / 6); >+ size_addresses_0 = r->length / 6; >+ NDR_PULL_ALLOC_N(ndr, r->addresses, size_addresses_0); > _mem_save_addresses_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addresses, 0); >- for (cntr_addresses_0 = 0; cntr_addresses_0 < r->length / 6; cntr_addresses_0++) { >+ for (cntr_addresses_0 = 0; cntr_addresses_0 < size_addresses_0; cntr_addresses_0++) { > NDR_CHECK(ndr_pull_nbt_rdata_address(ndr, NDR_SCALARS, &r->addresses[cntr_addresses_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_0, 0); >@@ -318,9 +320,11 @@ static enum ndr_err_code ndr_push_nbt_statistics(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_nbt_statistics(struct ndr_pull *ndr, int ndr_flags, struct nbt_statistics *r) > { >+ uint32_t size_unit_id_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unit_id, 6)); >+ size_unit_id_0 = 6; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unit_id, size_unit_id_0)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->jumpers)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->test_result)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->version_number)); >@@ -390,9 +394,11 @@ static enum ndr_err_code ndr_push_nbt_status_name(struct ndr_push *ndr, int ndr_ > > static enum ndr_err_code ndr_pull_nbt_status_name(struct ndr_pull *ndr, int ndr_flags, struct nbt_status_name *r) > { >+ uint32_t size_name_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, 15, sizeof(uint8_t), CH_DOS)); >+ size_name_0 = 15; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, size_name_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_nbt_name_type(ndr, NDR_SCALARS, &r->type)); > NDR_CHECK(ndr_pull_nb_flags(ndr, NDR_SCALARS, &r->nb_flags)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); >@@ -432,16 +438,18 @@ static enum ndr_err_code ndr_push_nbt_rdata_status(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_nbt_rdata_status(struct ndr_pull *ndr, int ndr_flags, struct nbt_rdata_status *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > TALLOC_CTX *_mem_save_names_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_names)); >- NDR_PULL_ALLOC_N(ndr, r->names, r->num_names); >+ size_names_0 = r->num_names; >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_nbt_status_name(ndr, NDR_SCALARS, &r->names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -489,11 +497,13 @@ static enum ndr_err_code ndr_push_nbt_rdata_data(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_nbt_rdata_data(struct ndr_pull *ndr, int ndr_flags, struct nbt_rdata_data *r) > { >+ uint32_t size_data_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); >- NDR_PULL_ALLOC_N(ndr, r->data, r->length); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, r->length)); >+ size_data_0 = r->length; >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -691,12 +701,16 @@ _PUBLIC_ enum ndr_err_code ndr_push_nbt_name_packet(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_nbt_name_packet(struct ndr_pull *ndr, int ndr_flags, struct nbt_name_packet *r) > { >+ uint32_t size_questions_0 = 0; > uint32_t cntr_questions_0; > TALLOC_CTX *_mem_save_questions_0; >+ uint32_t size_answers_0 = 0; > uint32_t cntr_answers_0; > TALLOC_CTX *_mem_save_answers_0; >+ uint32_t size_nsrecs_0 = 0; > uint32_t cntr_nsrecs_0; > TALLOC_CTX *_mem_save_nsrecs_0; >+ uint32_t size_additional_0 = 0; > uint32_t cntr_additional_0; > TALLOC_CTX *_mem_save_additional_0; > { >@@ -710,31 +724,35 @@ _PUBLIC_ enum ndr_err_code ndr_pull_nbt_name_packet(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->ancount)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->nscount)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->arcount)); >- NDR_PULL_ALLOC_N(ndr, r->questions, r->qdcount); >+ size_questions_0 = r->qdcount; >+ NDR_PULL_ALLOC_N(ndr, r->questions, size_questions_0); > _mem_save_questions_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->questions, 0); >- for (cntr_questions_0 = 0; cntr_questions_0 < r->qdcount; cntr_questions_0++) { >+ for (cntr_questions_0 = 0; cntr_questions_0 < size_questions_0; cntr_questions_0++) { > NDR_CHECK(ndr_pull_nbt_name_question(ndr, NDR_SCALARS, &r->questions[cntr_questions_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_questions_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->answers, r->ancount); >+ size_answers_0 = r->ancount; >+ NDR_PULL_ALLOC_N(ndr, r->answers, size_answers_0); > _mem_save_answers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->answers, 0); >- for (cntr_answers_0 = 0; cntr_answers_0 < r->ancount; cntr_answers_0++) { >+ for (cntr_answers_0 = 0; cntr_answers_0 < size_answers_0; cntr_answers_0++) { > NDR_CHECK(ndr_pull_nbt_res_rec(ndr, NDR_SCALARS, &r->answers[cntr_answers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_answers_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->nsrecs, r->nscount); >+ size_nsrecs_0 = r->nscount; >+ NDR_PULL_ALLOC_N(ndr, r->nsrecs, size_nsrecs_0); > _mem_save_nsrecs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->nsrecs, 0); >- for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < r->nscount; cntr_nsrecs_0++) { >+ for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < size_nsrecs_0; cntr_nsrecs_0++) { > NDR_CHECK(ndr_pull_nbt_res_rec(ndr, NDR_SCALARS, &r->nsrecs[cntr_nsrecs_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_nsrecs_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->additional, r->arcount); >+ size_additional_0 = r->arcount; >+ NDR_PULL_ALLOC_N(ndr, r->additional, size_additional_0); > _mem_save_additional_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->additional, 0); >- for (cntr_additional_0 = 0; cntr_additional_0 < r->arcount; cntr_additional_0++) { >+ for (cntr_additional_0 = 0; cntr_additional_0 < size_additional_0; cntr_additional_0++) { > NDR_CHECK(ndr_pull_nbt_res_rec(ndr, NDR_SCALARS, &r->additional[cntr_additional_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_additional_0, 0); >@@ -1117,6 +1135,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_dgram_smb_packet(struct ndr_push *ndr, int n > > _PUBLIC_ enum ndr_err_code ndr_pull_dgram_smb_packet(struct ndr_pull *ndr, int ndr_flags, struct dgram_smb_packet *r) > { >+ uint32_t size_signature_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN|LIBNDR_FLAG_LITTLE_ENDIAN|LIBNDR_PRINT_ARRAY_HEX); >@@ -1129,7 +1148,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dgram_smb_packet(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->flags)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->flags2)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->pid_high)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->signature, 8)); >+ size_signature_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->signature, size_signature_0)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->reserved)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->tid)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->pid)); >@@ -2355,6 +2375,7 @@ static enum ndr_err_code ndr_push_NETLOGON_DB_CHANGE(struct ndr_push *ndr, int n > > static enum ndr_err_code ndr_pull_NETLOGON_DB_CHANGE(struct ndr_pull *ndr, int ndr_flags, struct NETLOGON_DB_CHANGE *r) > { >+ uint32_t size_dbchange_0 = 0; > uint32_t cntr_dbchange_0; > TALLOC_CTX *_mem_save_dbchange_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2394,10 +2415,11 @@ static enum ndr_err_code ndr_pull_NETLOGON_DB_CHANGE(struct ndr_pull *ndr, int n > ndr->flags = _flags_save_string; > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->db_count)); >- NDR_PULL_ALLOC_N(ndr, r->dbchange, r->db_count); >+ size_dbchange_0 = r->db_count; >+ NDR_PULL_ALLOC_N(ndr, r->dbchange, size_dbchange_0); > _mem_save_dbchange_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->dbchange, 0); >- for (cntr_dbchange_0 = 0; cntr_dbchange_0 < r->db_count; cntr_dbchange_0++) { >+ for (cntr_dbchange_0 = 0; cntr_dbchange_0 < size_dbchange_0; cntr_dbchange_0++) { > NDR_CHECK(ndr_pull_nbt_db_change_info(ndr, NDR_SCALARS, &r->dbchange[cntr_dbchange_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dbchange_0, 0); >@@ -2674,11 +2696,13 @@ static enum ndr_err_code ndr_push_nbt_browse_host_announcement(struct ndr_push * > > static enum ndr_err_code ndr_pull_nbt_browse_host_announcement(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_host_announcement *r) > { >+ uint32_t size_ServerName_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->UpdateCount)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Periodicity)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, 16, sizeof(uint8_t), CH_DOS)); >+ size_ServerName_0 = 16; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, size_ServerName_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMajor)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMinor)); > NDR_CHECK(ndr_pull_svcctl_ServerType(ndr, NDR_SCALARS, &r->ServerType)); >@@ -2868,16 +2892,18 @@ static enum ndr_err_code ndr_push_nbt_browse_backup_list_response(struct ndr_pus > > static enum ndr_err_code ndr_pull_nbt_browse_backup_list_response(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_backup_list_response *r) > { >+ uint32_t size_BackupServerList_0 = 0; > uint32_t cntr_BackupServerList_0; > TALLOC_CTX *_mem_save_BackupServerList_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->BackupCount)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Token)); >- NDR_PULL_ALLOC_N(ndr, r->BackupServerList, r->BackupCount); >+ size_BackupServerList_0 = r->BackupCount; >+ NDR_PULL_ALLOC_N(ndr, r->BackupServerList, size_BackupServerList_0); > _mem_save_BackupServerList_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->BackupServerList, 0); >- for (cntr_BackupServerList_0 = 0; cntr_BackupServerList_0 < r->BackupCount; cntr_BackupServerList_0++) { >+ for (cntr_BackupServerList_0 = 0; cntr_BackupServerList_0 < size_BackupServerList_0; cntr_BackupServerList_0++) { > NDR_CHECK(ndr_pull_nbt_name(ndr, NDR_SCALARS, &r->BackupServerList[cntr_BackupServerList_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_BackupServerList_0, 0); >@@ -2976,11 +3002,13 @@ static enum ndr_err_code ndr_push_nbt_browse_domain_announcement(struct ndr_push > > static enum ndr_err_code ndr_pull_nbt_browse_domain_announcement(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_domain_announcement *r) > { >+ uint32_t size_ServerName_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->UpdateCount)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Periodicity)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, 16, sizeof(uint8_t), CH_DOS)); >+ size_ServerName_0 = 16; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, size_ServerName_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMajor)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMinor)); > NDR_CHECK(ndr_pull_svcctl_ServerType(ndr, NDR_SCALARS, &r->ServerType)); >@@ -3115,11 +3143,13 @@ static enum ndr_err_code ndr_push_nbt_browse_local_master_announcement(struct nd > > static enum ndr_err_code ndr_pull_nbt_browse_local_master_announcement(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_local_master_announcement *r) > { >+ uint32_t size_ServerName_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->UpdateCount)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Periodicity)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, 16, sizeof(uint8_t), CH_DOS)); >+ size_ServerName_0 = 16; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, size_ServerName_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMajor)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMinor)); > NDR_CHECK(ndr_pull_svcctl_ServerType(ndr, NDR_SCALARS, &r->ServerType)); >diff --git a/librpc/gen_ndr/ndr_netlogon.c b/librpc/gen_ndr/ndr_netlogon.c >index 0ea551d..d29bf15 100644 >--- a/librpc/gen_ndr/ndr_netlogon.c >+++ b/librpc/gen_ndr/ndr_netlogon.c >@@ -62,12 +62,20 @@ static enum ndr_err_code ndr_push_netr_UasInfo(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_UasInfo *r) > { > uint32_t _ptr_account_name; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; > TALLOC_CTX *_mem_save_account_name_0; > uint32_t _ptr_computer; >+ uint32_t size_computer_1 = 0; >+ uint32_t length_computer_1 = 0; > TALLOC_CTX *_mem_save_computer_0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > uint32_t _ptr_script_path; >+ uint32_t size_script_path_1 = 0; >+ uint32_t length_script_path_1 = 0; > TALLOC_CTX *_mem_save_script_path_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -115,11 +123,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->account_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); >- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_name_0, 0); > } > if (r->computer) { >@@ -127,11 +137,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->computer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer)); >- if (ndr_get_array_length(ndr, &r->computer) > ndr_get_array_size(ndr, &r->computer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer), ndr_get_array_length(ndr, &r->computer)); >+ size_computer_1 = ndr_get_array_size(ndr, &r->computer); >+ length_computer_1 = ndr_get_array_length(ndr, &r->computer); >+ if (length_computer_1 > size_computer_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_1, length_computer_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer, ndr_get_array_length(ndr, &r->computer), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer, length_computer_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_0, 0); > } > if (r->domain) { >@@ -139,11 +151,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->script_path) { >@@ -151,11 +165,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->script_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->script_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->script_path)); >- if (ndr_get_array_length(ndr, &r->script_path) > ndr_get_array_size(ndr, &r->script_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->script_path), ndr_get_array_length(ndr, &r->script_path)); >+ size_script_path_1 = ndr_get_array_size(ndr, &r->script_path); >+ length_script_path_1 = ndr_get_array_length(ndr, &r->script_path); >+ if (length_script_path_1 > size_script_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_script_path_1, length_script_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->script_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->script_path, ndr_get_array_length(ndr, &r->script_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_script_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->script_path, length_script_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_script_path_0, 0); > } > } >@@ -442,6 +458,8 @@ static enum ndr_err_code ndr_push_netr_ChallengeResponse(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_ChallengeResponse(struct ndr_pull *ndr, int ndr_flags, struct netr_ChallengeResponse *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; >+ uint32_t length_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -464,11 +482,13 @@ static enum ndr_err_code ndr_pull_netr_ChallengeResponse(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); >- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ length_data_1 = ndr_get_array_length(ndr, &r->data); >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -528,13 +548,15 @@ static enum ndr_err_code ndr_push_netr_NetworkInfo(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_netr_NetworkInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_NetworkInfo *r) > { >+ uint32_t size_challenge_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_netr_IdentityInfo(ndr, NDR_SCALARS, &r->identity_info)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->challenge, 8)); >+ size_challenge_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->challenge, size_challenge_0)); > NDR_CHECK(ndr_pull_netr_ChallengeResponse(ndr, NDR_SCALARS, &r->nt)); > NDR_CHECK(ndr_pull_netr_ChallengeResponse(ndr, NDR_SCALARS, &r->lm)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); >@@ -594,6 +616,7 @@ static enum ndr_err_code ndr_push_netr_GenericInfo(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_netr_GenericInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_GenericInfo *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -618,8 +641,9 @@ static enum ndr_err_code ndr_pull_netr_GenericInfo(struct ndr_pull *ndr, int ndr > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -778,8 +802,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_password_0; >+ uint32_t _ptr_password; > TALLOC_CTX *_mem_save_network_0; >+ uint32_t _ptr_network; > TALLOC_CTX *_mem_save_generic_0; >+ uint32_t _ptr_generic; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint1632(ndr, NDR_SCALARS, &_level)); >@@ -789,7 +816,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case NetlogonInteractiveInformation: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -799,7 +825,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonNetworkInformation: { >- uint32_t _ptr_network; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_network)); > if (_ptr_network) { > NDR_PULL_ALLOC(ndr, r->network); >@@ -809,7 +834,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonServiceInformation: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -819,7 +843,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonGenericInformation: { >- uint32_t _ptr_generic; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_generic)); > if (_ptr_generic) { > NDR_PULL_ALLOC(ndr, r->generic); >@@ -829,7 +852,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonInteractiveTransitiveInformation: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -839,7 +861,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonNetworkTransitiveInformation: { >- uint32_t _ptr_network; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_network)); > if (_ptr_network) { > NDR_PULL_ALLOC(ndr, r->network); >@@ -849,7 +870,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonServiceTransitiveInformation: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -1027,12 +1047,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_UserSessionKey(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_netr_UserSessionKey(struct ndr_pull *ndr, int ndr_flags, struct netr_UserSessionKey *r) > { >+ uint32_t size_key_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, 16)); >+ size_key_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, size_key_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -1074,12 +1096,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_LMSessionKey(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_netr_LMSessionKey(struct ndr_pull *ndr, int ndr_flags, struct netr_LMSessionKey *r) > { >+ uint32_t size_key_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, 8)); >+ size_key_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, size_key_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -1189,6 +1213,7 @@ static enum ndr_err_code ndr_pull_netr_SamBaseInfo(struct ndr_pull *ndr, int ndr > { > uint32_t _ptr_domain_sid; > TALLOC_CTX *_mem_save_domain_sid_0; >+ uint32_t size_unknown_0 = 0; > uint32_t cntr_unknown_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -1221,7 +1246,8 @@ static enum ndr_err_code ndr_pull_netr_SamBaseInfo(struct ndr_pull *ndr, int ndr > } > NDR_CHECK(ndr_pull_netr_LMSessionKey(ndr, NDR_SCALARS, &r->LMSessKey)); > NDR_CHECK(ndr_pull_samr_AcctFlags(ndr, NDR_SCALARS, &r->acct_flags)); >- for (cntr_unknown_0 = 0; cntr_unknown_0 < 7; cntr_unknown_0++) { >+ size_unknown_0 = 7; >+ for (cntr_unknown_0 = 0; cntr_unknown_0 < size_unknown_0; cntr_unknown_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown[cntr_unknown_0])); > } > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); >@@ -1411,6 +1437,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_SamInfo3(struct ndr_push *ndr, int ndr_ > _PUBLIC_ enum ndr_err_code ndr_pull_netr_SamInfo3(struct ndr_pull *ndr, int ndr_flags, struct netr_SamInfo3 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -1432,13 +1459,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_SamInfo3(struct ndr_pull *ndr, int ndr_ > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -1512,9 +1540,11 @@ static enum ndr_err_code ndr_push_netr_SamInfo6(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_flags, struct netr_SamInfo6 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >+ uint32_t size_unknown4_0 = 0; > uint32_t cntr_unknown4_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -1528,7 +1558,8 @@ static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_fl > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->forest)); > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->principle)); >- for (cntr_unknown4_0 = 0; cntr_unknown4_0 < 20; cntr_unknown4_0++) { >+ size_unknown4_0 = 20; >+ for (cntr_unknown4_0 = 0; cntr_unknown4_0 < size_unknown4_0; cntr_unknown4_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown4[cntr_unknown4_0])); > } > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); >@@ -1539,13 +1570,14 @@ static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_fl > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -1643,9 +1675,12 @@ static enum ndr_err_code ndr_push_netr_PacInfo(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_PacInfo *r) > { > uint32_t _ptr_pac; >+ uint32_t size_pac_1 = 0; > TALLOC_CTX *_mem_save_pac_0; > uint32_t _ptr_auth; >+ uint32_t size_auth_1 = 0; > TALLOC_CTX *_mem_save_auth_0; >+ uint32_t size_expansionroom_0 = 0; > uint32_t cntr_expansionroom_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -1667,7 +1702,8 @@ static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_fla > r->auth = NULL; > } > NDR_CHECK(ndr_pull_netr_UserSessionKey(ndr, NDR_SCALARS, &r->user_session_key)); >- for (cntr_expansionroom_0 = 0; cntr_expansionroom_0 < 10; cntr_expansionroom_0++) { >+ size_expansionroom_0 = 10; >+ for (cntr_expansionroom_0 = 0; cntr_expansionroom_0 < size_expansionroom_0; cntr_expansionroom_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->expansionroom[cntr_expansionroom_0])); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->unknown1)); >@@ -1681,8 +1717,9 @@ static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_fla > _mem_save_pac_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->pac, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->pac)); >- NDR_PULL_ALLOC_N(ndr, r->pac, ndr_get_array_size(ndr, &r->pac)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pac, ndr_get_array_size(ndr, &r->pac))); >+ size_pac_1 = ndr_get_array_size(ndr, &r->pac); >+ NDR_PULL_ALLOC_N(ndr, r->pac, size_pac_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pac, size_pac_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pac_0, 0); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->logon_domain)); >@@ -1692,8 +1729,9 @@ static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_fla > _mem_save_auth_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->auth, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->auth)); >- NDR_PULL_ALLOC_N(ndr, r->auth, ndr_get_array_size(ndr, &r->auth)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->auth, ndr_get_array_size(ndr, &r->auth))); >+ size_auth_1 = ndr_get_array_size(ndr, &r->auth); >+ NDR_PULL_ALLOC_N(ndr, r->auth, size_auth_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->auth, size_auth_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_auth_0, 0); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->unknown1)); >@@ -1775,6 +1813,7 @@ static enum ndr_err_code ndr_push_netr_GenericInfo2(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_GenericInfo2(struct ndr_pull *ndr, int ndr_flags, struct netr_GenericInfo2 *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -1795,8 +1834,9 @@ static enum ndr_err_code ndr_pull_netr_GenericInfo2(struct ndr_pull *ndr, int nd > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -1903,10 +1943,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_sam2_0; >+ uint32_t _ptr_sam2; > TALLOC_CTX *_mem_save_sam3_0; >+ uint32_t _ptr_sam3; > TALLOC_CTX *_mem_save_pac_0; >+ uint32_t _ptr_pac; > TALLOC_CTX *_mem_save_generic_0; >+ uint32_t _ptr_generic; > TALLOC_CTX *_mem_save_sam6_0; >+ uint32_t _ptr_sam6; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -1916,7 +1961,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case NetlogonValidationSamInfo: { >- uint32_t _ptr_sam2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam2)); > if (_ptr_sam2) { > NDR_PULL_ALLOC(ndr, r->sam2); >@@ -1926,7 +1970,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case NetlogonValidationSamInfo2: { >- uint32_t _ptr_sam3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam3)); > if (_ptr_sam3) { > NDR_PULL_ALLOC(ndr, r->sam3); >@@ -1936,7 +1979,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case 4: { >- uint32_t _ptr_pac; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_pac)); > if (_ptr_pac) { > NDR_PULL_ALLOC(ndr, r->pac); >@@ -1946,7 +1988,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case NetlogonValidationGenericInfo2: { >- uint32_t _ptr_generic; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_generic)); > if (_ptr_generic) { > NDR_PULL_ALLOC(ndr, r->generic); >@@ -1956,7 +1997,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case NetlogonValidationSamInfo4: { >- uint32_t _ptr_sam6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam6)); > if (_ptr_sam6) { > NDR_PULL_ALLOC(ndr, r->sam6); >@@ -2098,12 +2138,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_Credential(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_netr_Credential(struct ndr_pull *ndr, int ndr_flags, struct netr_Credential *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 8)); >+ size_data_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -2194,6 +2236,8 @@ static enum ndr_err_code ndr_push_netr_DELTA_DELETE_USER(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_DELTA_DELETE_USER(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_DELETE_USER *r) > { > uint32_t _ptr_account_name; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; > TALLOC_CTX *_mem_save_account_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -2219,11 +2263,13 @@ static enum ndr_err_code ndr_pull_netr_DELTA_DELETE_USER(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->account_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); >- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_name_0, 0); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->unknown1)); >@@ -2317,6 +2363,8 @@ static enum ndr_err_code ndr_push_netr_PasswordHistory(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_netr_PasswordHistory(struct ndr_pull *ndr, int ndr_flags, struct netr_PasswordHistory *r) > { >+ uint32_t size_nt_history_0 = 0; >+ uint32_t size_lm_history_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->nt_length)); >@@ -2325,10 +2373,12 @@ static enum ndr_err_code ndr_pull_netr_PasswordHistory(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm_length)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm_size)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->lm_flags)); >- NDR_PULL_ALLOC_N(ndr, r->nt_history, r->nt_length); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nt_history, r->nt_length)); >- NDR_PULL_ALLOC_N(ndr, r->lm_history, r->lm_length); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->lm_history, r->lm_length)); >+ size_nt_history_0 = r->nt_length; >+ NDR_PULL_ALLOC_N(ndr, r->nt_history, size_nt_history_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nt_history, size_nt_history_0)); >+ size_lm_history_0 = r->lm_length; >+ NDR_PULL_ALLOC_N(ndr, r->lm_history, size_lm_history_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->lm_history, size_lm_history_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -2487,6 +2537,7 @@ static enum ndr_err_code ndr_push_netr_USER_PRIVATE_INFO(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_USER_PRIVATE_INFO(struct ndr_pull *ndr, int ndr_flags, struct netr_USER_PRIVATE_INFO *r) > { > uint32_t _ptr_SensitiveData; >+ uint32_t size_SensitiveData_1 = 0; > TALLOC_CTX *_mem_save_SensitiveData_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -2513,8 +2564,9 @@ static enum ndr_err_code ndr_pull_netr_USER_PRIVATE_INFO(struct ndr_pull *ndr, i > _mem_save_SensitiveData_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->SensitiveData, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->SensitiveData)); >- NDR_PULL_ALLOC_N(ndr, r->SensitiveData, ndr_get_array_size(ndr, &r->SensitiveData)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SensitiveData, ndr_get_array_size(ndr, &r->SensitiveData))); >+ size_SensitiveData_1 = ndr_get_array_size(ndr, &r->SensitiveData); >+ NDR_PULL_ALLOC_N(ndr, r->SensitiveData, size_SensitiveData_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SensitiveData, size_SensitiveData_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_SensitiveData_0, 0); > } > ndr->flags = _flags_save_uint8; >@@ -3004,10 +3056,12 @@ static enum ndr_err_code ndr_push_netr_DELTA_GROUP_MEMBER(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_GROUP_MEMBER *r) > { > uint32_t _ptr_rids; >+ uint32_t size_rids_1 = 0; > uint32_t cntr_rids_1; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_rids_1; > uint32_t _ptr_attribs; >+ uint32_t size_attribs_1 = 0; > uint32_t cntr_attribs_1; > TALLOC_CTX *_mem_save_attribs_0; > TALLOC_CTX *_mem_save_attribs_1; >@@ -3037,10 +3091,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_1 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); > _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_1 = 0; cntr_rids_1 < r->num_rids; cntr_rids_1++) { >+ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); >@@ -3050,10 +3105,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, > _mem_save_attribs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attribs, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribs)); >- NDR_PULL_ALLOC_N(ndr, r->attribs, ndr_get_array_size(ndr, &r->attribs)); >+ size_attribs_1 = ndr_get_array_size(ndr, &r->attribs); >+ NDR_PULL_ALLOC_N(ndr, r->attribs, size_attribs_1); > _mem_save_attribs_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attribs, 0); >- for (cntr_attribs_1 = 0; cntr_attribs_1 < r->num_rids; cntr_attribs_1++) { >+ for (cntr_attribs_1 = 0; cntr_attribs_1 < size_attribs_1; cntr_attribs_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->attribs[cntr_attribs_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribs_1, 0); >@@ -3333,6 +3389,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_POLICY(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_DELTA_POLICY(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_POLICY *r) > { > uint32_t _ptr_eventauditoptions; >+ uint32_t size_eventauditoptions_1 = 0; > uint32_t cntr_eventauditoptions_1; > TALLOC_CTX *_mem_save_eventauditoptions_0; > TALLOC_CTX *_mem_save_eventauditoptions_1; >@@ -3377,10 +3434,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_POLICY(struct ndr_pull *ndr, int nd > _mem_save_eventauditoptions_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->eventauditoptions, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->eventauditoptions)); >- NDR_PULL_ALLOC_N(ndr, r->eventauditoptions, ndr_get_array_size(ndr, &r->eventauditoptions)); >+ size_eventauditoptions_1 = ndr_get_array_size(ndr, &r->eventauditoptions); >+ NDR_PULL_ALLOC_N(ndr, r->eventauditoptions, size_eventauditoptions_1); > _mem_save_eventauditoptions_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->eventauditoptions, 0); >- for (cntr_eventauditoptions_1 = 0; cntr_eventauditoptions_1 < r->maxauditeventcount + 1; cntr_eventauditoptions_1++) { >+ for (cntr_eventauditoptions_1 = 0; cntr_eventauditoptions_1 < size_eventauditoptions_1; cntr_eventauditoptions_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->eventauditoptions[cntr_eventauditoptions_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventauditoptions_1, 0); >@@ -3495,6 +3553,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_TRUSTED_DOMAIN(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_netr_DELTA_TRUSTED_DOMAIN(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_TRUSTED_DOMAIN *r) > { > uint32_t _ptr_controller_names; >+ uint32_t size_controller_names_1 = 0; > uint32_t cntr_controller_names_1; > TALLOC_CTX *_mem_save_controller_names_0; > TALLOC_CTX *_mem_save_controller_names_1; >@@ -3526,13 +3585,14 @@ static enum ndr_err_code ndr_pull_netr_DELTA_TRUSTED_DOMAIN(struct ndr_pull *ndr > _mem_save_controller_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->controller_names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->controller_names)); >- NDR_PULL_ALLOC_N(ndr, r->controller_names, ndr_get_array_size(ndr, &r->controller_names)); >+ size_controller_names_1 = ndr_get_array_size(ndr, &r->controller_names); >+ NDR_PULL_ALLOC_N(ndr, r->controller_names, size_controller_names_1); > _mem_save_controller_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->controller_names, 0); >- for (cntr_controller_names_1 = 0; cntr_controller_names_1 < r->num_controllers; cntr_controller_names_1++) { >+ for (cntr_controller_names_1 = 0; cntr_controller_names_1 < size_controller_names_1; cntr_controller_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->controller_names[cntr_controller_names_1])); > } >- for (cntr_controller_names_1 = 0; cntr_controller_names_1 < r->num_controllers; cntr_controller_names_1++) { >+ for (cntr_controller_names_1 = 0; cntr_controller_names_1 < size_controller_names_1; cntr_controller_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->controller_names[cntr_controller_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_controller_names_1, 0); >@@ -3669,10 +3729,12 @@ static enum ndr_err_code ndr_push_netr_DELTA_ACCOUNT(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_ACCOUNT *r) > { > uint32_t _ptr_privilege_attrib; >+ uint32_t size_privilege_attrib_1 = 0; > uint32_t cntr_privilege_attrib_1; > TALLOC_CTX *_mem_save_privilege_attrib_0; > TALLOC_CTX *_mem_save_privilege_attrib_1; > uint32_t _ptr_privilege_name; >+ uint32_t size_privilege_name_1 = 0; > uint32_t cntr_privilege_name_1; > TALLOC_CTX *_mem_save_privilege_name_0; > TALLOC_CTX *_mem_save_privilege_name_1; >@@ -3711,10 +3773,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int n > _mem_save_privilege_attrib_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_attrib, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->privilege_attrib)); >- NDR_PULL_ALLOC_N(ndr, r->privilege_attrib, ndr_get_array_size(ndr, &r->privilege_attrib)); >+ size_privilege_attrib_1 = ndr_get_array_size(ndr, &r->privilege_attrib); >+ NDR_PULL_ALLOC_N(ndr, r->privilege_attrib, size_privilege_attrib_1); > _mem_save_privilege_attrib_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_attrib, 0); >- for (cntr_privilege_attrib_1 = 0; cntr_privilege_attrib_1 < r->privilege_entries; cntr_privilege_attrib_1++) { >+ for (cntr_privilege_attrib_1 = 0; cntr_privilege_attrib_1 < size_privilege_attrib_1; cntr_privilege_attrib_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->privilege_attrib[cntr_privilege_attrib_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privilege_attrib_1, 0); >@@ -3724,13 +3787,14 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int n > _mem_save_privilege_name_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->privilege_name)); >- NDR_PULL_ALLOC_N(ndr, r->privilege_name, ndr_get_array_size(ndr, &r->privilege_name)); >+ size_privilege_name_1 = ndr_get_array_size(ndr, &r->privilege_name); >+ NDR_PULL_ALLOC_N(ndr, r->privilege_name, size_privilege_name_1); > _mem_save_privilege_name_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_name, 0); >- for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < r->privilege_entries; cntr_privilege_name_1++) { >+ for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < size_privilege_name_1; cntr_privilege_name_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->privilege_name[cntr_privilege_name_1])); > } >- for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < r->privilege_entries; cntr_privilege_name_1++) { >+ for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < size_privilege_name_1; cntr_privilege_name_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->privilege_name[cntr_privilege_name_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privilege_name_1, 0); >@@ -3891,6 +3955,8 @@ static enum ndr_err_code ndr_push_netr_CIPHER_VALUE(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_CIPHER_VALUE(struct ndr_pull *ndr, int ndr_flags, struct netr_CIPHER_VALUE *r) > { > uint32_t _ptr_cipher_data; >+ uint32_t size_cipher_data_1 = 0; >+ uint32_t length_cipher_data_1 = 0; > TALLOC_CTX *_mem_save_cipher_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3910,11 +3976,13 @@ static enum ndr_err_code ndr_pull_netr_CIPHER_VALUE(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->cipher_data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->cipher_data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->cipher_data)); >- if (ndr_get_array_length(ndr, &r->cipher_data) > ndr_get_array_size(ndr, &r->cipher_data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->cipher_data), ndr_get_array_length(ndr, &r->cipher_data)); >+ size_cipher_data_1 = ndr_get_array_size(ndr, &r->cipher_data); >+ length_cipher_data_1 = ndr_get_array_length(ndr, &r->cipher_data); >+ if (length_cipher_data_1 > size_cipher_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_cipher_data_1, length_cipher_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->cipher_data, ndr_get_array_size(ndr, &r->cipher_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->cipher_data, ndr_get_array_length(ndr, &r->cipher_data))); >+ NDR_PULL_ALLOC_N(ndr, r->cipher_data, size_cipher_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->cipher_data, length_cipher_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cipher_data_0, 0); > } > if (r->cipher_data) { >@@ -4297,21 +4365,37 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_domain_0; >+ uint32_t _ptr_domain; > TALLOC_CTX *_mem_save_group_0; >+ uint32_t _ptr_group; > TALLOC_CTX *_mem_save_rename_group_0; >+ uint32_t _ptr_rename_group; > TALLOC_CTX *_mem_save_user_0; >+ uint32_t _ptr_user; > TALLOC_CTX *_mem_save_rename_user_0; >+ uint32_t _ptr_rename_user; > TALLOC_CTX *_mem_save_group_member_0; >+ uint32_t _ptr_group_member; > TALLOC_CTX *_mem_save_alias_0; >+ uint32_t _ptr_alias; > TALLOC_CTX *_mem_save_rename_alias_0; >+ uint32_t _ptr_rename_alias; > TALLOC_CTX *_mem_save_alias_member_0; >+ uint32_t _ptr_alias_member; > TALLOC_CTX *_mem_save_policy_0; >+ uint32_t _ptr_policy; > TALLOC_CTX *_mem_save_trusted_domain_0; >+ uint32_t _ptr_trusted_domain; > TALLOC_CTX *_mem_save_account_0; >+ uint32_t _ptr_account; > TALLOC_CTX *_mem_save_secret_0; >+ uint32_t _ptr_secret; > TALLOC_CTX *_mem_save_delete_group_0; >+ uint32_t _ptr_delete_group; > TALLOC_CTX *_mem_save_delete_user_0; >+ uint32_t _ptr_delete_user; > TALLOC_CTX *_mem_save_modified_count_0; >+ uint32_t _ptr_modified_count; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint1632(ndr, NDR_SCALARS, &_level)); >@@ -4321,7 +4405,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case NETR_DELTA_DOMAIN: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -4331,7 +4414,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_GROUP: { >- uint32_t _ptr_group; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group)); > if (_ptr_group) { > NDR_PULL_ALLOC(ndr, r->group); >@@ -4344,7 +4426,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_RENAME_GROUP: { >- uint32_t _ptr_rename_group; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_group)); > if (_ptr_rename_group) { > NDR_PULL_ALLOC(ndr, r->rename_group); >@@ -4354,7 +4435,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_USER: { >- uint32_t _ptr_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); > if (_ptr_user) { > NDR_PULL_ALLOC(ndr, r->user); >@@ -4367,7 +4447,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_RENAME_USER: { >- uint32_t _ptr_rename_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_user)); > if (_ptr_rename_user) { > NDR_PULL_ALLOC(ndr, r->rename_user); >@@ -4377,7 +4456,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_GROUP_MEMBER: { >- uint32_t _ptr_group_member; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_member)); > if (_ptr_group_member) { > NDR_PULL_ALLOC(ndr, r->group_member); >@@ -4387,7 +4465,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_ALIAS: { >- uint32_t _ptr_alias; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_alias)); > if (_ptr_alias) { > NDR_PULL_ALLOC(ndr, r->alias); >@@ -4400,7 +4477,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_RENAME_ALIAS: { >- uint32_t _ptr_rename_alias; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_alias)); > if (_ptr_rename_alias) { > NDR_PULL_ALLOC(ndr, r->rename_alias); >@@ -4410,7 +4486,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_ALIAS_MEMBER: { >- uint32_t _ptr_alias_member; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_alias_member)); > if (_ptr_alias_member) { > NDR_PULL_ALLOC(ndr, r->alias_member); >@@ -4420,7 +4495,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_POLICY: { >- uint32_t _ptr_policy; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_policy)); > if (_ptr_policy) { > NDR_PULL_ALLOC(ndr, r->policy); >@@ -4430,7 +4504,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_TRUSTED_DOMAIN: { >- uint32_t _ptr_trusted_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_trusted_domain)); > if (_ptr_trusted_domain) { > NDR_PULL_ALLOC(ndr, r->trusted_domain); >@@ -4444,7 +4517,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_ACCOUNT: { >- uint32_t _ptr_account; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account)); > if (_ptr_account) { > NDR_PULL_ALLOC(ndr, r->account); >@@ -4458,7 +4530,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_SECRET: { >- uint32_t _ptr_secret; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_secret)); > if (_ptr_secret) { > NDR_PULL_ALLOC(ndr, r->secret); >@@ -4472,7 +4543,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_DELETE_GROUP2: { >- uint32_t _ptr_delete_group; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_delete_group)); > if (_ptr_delete_group) { > NDR_PULL_ALLOC(ndr, r->delete_group); >@@ -4482,7 +4552,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_DELETE_USER2: { >- uint32_t _ptr_delete_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_delete_user)); > if (_ptr_delete_user) { > NDR_PULL_ALLOC(ndr, r->delete_user); >@@ -4492,7 +4561,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_MODIFY_COUNT: { >- uint32_t _ptr_modified_count; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_modified_count)); > if (_ptr_modified_count) { > NDR_PULL_ALLOC(ndr, r->modified_count); >@@ -5058,7 +5126,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_sid_0; >+ uint32_t _ptr_sid; > TALLOC_CTX *_mem_save_name_0; >+ uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint1632(ndr, NDR_SCALARS, &_level)); >@@ -5116,7 +5188,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_POLICY: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5126,7 +5197,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_TRUSTED_DOMAIN: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5136,7 +5206,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_DELETE_TRUST: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5146,7 +5215,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_ACCOUNT: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5156,7 +5224,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_DELETE_ACCOUNT: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5166,7 +5233,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_SECRET: { >- uint32_t _ptr_name; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_name)); > if (_ptr_name) { > NDR_PULL_ALLOC(ndr, r->name); >@@ -5176,7 +5242,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_DELETE_SECRET: { >- uint32_t _ptr_name; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_name)); > if (_ptr_name) { > NDR_PULL_ALLOC(ndr, r->name); >@@ -5289,11 +5354,13 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > break; >@@ -5304,11 +5371,13 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > break; >@@ -5536,6 +5605,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_ENUM_ARRAY(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_netr_DELTA_ENUM_ARRAY(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_ENUM_ARRAY *r) > { > uint32_t _ptr_delta_enum; >+ uint32_t size_delta_enum_1 = 0; > uint32_t cntr_delta_enum_1; > TALLOC_CTX *_mem_save_delta_enum_0; > TALLOC_CTX *_mem_save_delta_enum_1; >@@ -5555,13 +5625,14 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ENUM_ARRAY(struct ndr_pull *ndr, in > _mem_save_delta_enum_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->delta_enum, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->delta_enum)); >- NDR_PULL_ALLOC_N(ndr, r->delta_enum, ndr_get_array_size(ndr, &r->delta_enum)); >+ size_delta_enum_1 = ndr_get_array_size(ndr, &r->delta_enum); >+ NDR_PULL_ALLOC_N(ndr, r->delta_enum, size_delta_enum_1); > _mem_save_delta_enum_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->delta_enum, 0); >- for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < r->num_deltas; cntr_delta_enum_1++) { >+ for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < size_delta_enum_1; cntr_delta_enum_1++) { > NDR_CHECK(ndr_pull_netr_DELTA_ENUM(ndr, NDR_SCALARS, &r->delta_enum[cntr_delta_enum_1])); > } >- for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < r->num_deltas; cntr_delta_enum_1++) { >+ for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < size_delta_enum_1; cntr_delta_enum_1++) { > NDR_CHECK(ndr_pull_netr_DELTA_ENUM(ndr, NDR_BUFFERS, &r->delta_enum[cntr_delta_enum_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_delta_enum_1, 0); >@@ -5619,12 +5690,14 @@ static enum ndr_err_code ndr_push_netr_UAS_INFO_0(struct ndr_push *ndr, int ndr_ > > static enum ndr_err_code ndr_pull_netr_UAS_INFO_0(struct ndr_pull *ndr, int ndr_flags, struct netr_UAS_INFO_0 *r) > { >+ uint32_t size_computer_name_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->computer_name, 16)); >+ size_computer_name_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->computer_name, size_computer_name_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->timecreated)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->serial_number)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); >@@ -5781,6 +5854,8 @@ static enum ndr_err_code ndr_push_netr_NETLOGON_INFO_2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_2(struct ndr_pull *ndr, int ndr_flags, struct netr_NETLOGON_INFO_2 *r) > { > uint32_t _ptr_trusted_dc_name; >+ uint32_t size_trusted_dc_name_1 = 0; >+ uint32_t length_trusted_dc_name_1 = 0; > TALLOC_CTX *_mem_save_trusted_dc_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5801,11 +5876,13 @@ static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->trusted_dc_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_dc_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_dc_name)); >- if (ndr_get_array_length(ndr, &r->trusted_dc_name) > ndr_get_array_size(ndr, &r->trusted_dc_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_dc_name), ndr_get_array_length(ndr, &r->trusted_dc_name)); >+ size_trusted_dc_name_1 = ndr_get_array_size(ndr, &r->trusted_dc_name); >+ length_trusted_dc_name_1 = ndr_get_array_length(ndr, &r->trusted_dc_name); >+ if (length_trusted_dc_name_1 > size_trusted_dc_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_dc_name_1, length_trusted_dc_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_dc_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, length_trusted_dc_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_dc_name_0, 0); > } > } >@@ -5906,8 +5983,12 @@ static enum ndr_err_code ndr_push_netr_NETLOGON_INFO_4(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_4(struct ndr_pull *ndr, int ndr_flags, struct netr_NETLOGON_INFO_4 *r) > { > uint32_t _ptr_trusted_dc_name; >+ uint32_t size_trusted_dc_name_1 = 0; >+ uint32_t length_trusted_dc_name_1 = 0; > TALLOC_CTX *_mem_save_trusted_dc_name_0; > uint32_t _ptr_trusted_domain_name; >+ uint32_t size_trusted_domain_name_1 = 0; >+ uint32_t length_trusted_domain_name_1 = 0; > TALLOC_CTX *_mem_save_trusted_domain_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5931,11 +6012,13 @@ static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->trusted_dc_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_dc_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_dc_name)); >- if (ndr_get_array_length(ndr, &r->trusted_dc_name) > ndr_get_array_size(ndr, &r->trusted_dc_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_dc_name), ndr_get_array_length(ndr, &r->trusted_dc_name)); >+ size_trusted_dc_name_1 = ndr_get_array_size(ndr, &r->trusted_dc_name); >+ length_trusted_dc_name_1 = ndr_get_array_length(ndr, &r->trusted_dc_name); >+ if (length_trusted_dc_name_1 > size_trusted_dc_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_dc_name_1, length_trusted_dc_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_dc_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, length_trusted_dc_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_dc_name_0, 0); > } > if (r->trusted_domain_name) { >@@ -5943,11 +6026,13 @@ static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->trusted_domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_domain_name)); >- if (ndr_get_array_length(ndr, &r->trusted_domain_name) > ndr_get_array_size(ndr, &r->trusted_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_domain_name), ndr_get_array_length(ndr, &r->trusted_domain_name)); >+ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->trusted_domain_name); >+ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->trusted_domain_name); >+ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_domain_name, ndr_get_array_length(ndr, &r->trusted_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_domain_name_0, 0); > } > } >@@ -6041,9 +6126,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -6053,7 +6142,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -6063,7 +6151,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -6073,7 +6160,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -6083,7 +6169,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -6343,7 +6428,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_domain_0; >+ uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_user_0; >+ uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -6353,7 +6444,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case NETLOGON_CONTROL_REDISCOVER: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6363,7 +6453,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_TC_QUERY: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6373,7 +6462,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_TRANSPORT_NOTIFY: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6383,7 +6471,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_CHANGE_PASSWORD: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6393,7 +6480,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_TC_VERIFY: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6403,7 +6489,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_FIND_USER: { >- uint32_t _ptr_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); > if (_ptr_user) { > NDR_PULL_ALLOC(ndr, r->user); >@@ -6429,11 +6514,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6444,11 +6531,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6459,11 +6548,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6474,11 +6565,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6489,11 +6582,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6504,11 +6599,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > break; >@@ -6881,6 +6978,7 @@ static enum ndr_err_code ndr_push_netr_Blob(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_netr_Blob(struct ndr_pull *ndr, int ndr_flags, struct netr_Blob *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6898,8 +6996,9 @@ static enum ndr_err_code ndr_pull_netr_Blob(struct ndr_pull *ndr, int ndr_flags, > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -7084,16 +7183,28 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_DsRGetDCNameInfo(struct ndr_push *ndr, > _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRGetDCNameInfo *r) > { > uint32_t _ptr_dc_unc; >+ uint32_t size_dc_unc_1 = 0; >+ uint32_t length_dc_unc_1 = 0; > TALLOC_CTX *_mem_save_dc_unc_0; > uint32_t _ptr_dc_address; >+ uint32_t size_dc_address_1 = 0; >+ uint32_t length_dc_address_1 = 0; > TALLOC_CTX *_mem_save_dc_address_0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_domain_name_0; > uint32_t _ptr_forest_name; >+ uint32_t size_forest_name_1 = 0; >+ uint32_t length_forest_name_1 = 0; > TALLOC_CTX *_mem_save_forest_name_0; > uint32_t _ptr_dc_site_name; >+ uint32_t size_dc_site_name_1 = 0; >+ uint32_t length_dc_site_name_1 = 0; > TALLOC_CTX *_mem_save_dc_site_name_0; > uint32_t _ptr_client_site_name; >+ uint32_t size_client_site_name_1 = 0; >+ uint32_t length_client_site_name_1 = 0; > TALLOC_CTX *_mem_save_client_site_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7144,11 +7255,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->dc_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_unc)); >- if (ndr_get_array_length(ndr, &r->dc_unc) > ndr_get_array_size(ndr, &r->dc_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_unc), ndr_get_array_length(ndr, &r->dc_unc)); >+ size_dc_unc_1 = ndr_get_array_size(ndr, &r->dc_unc); >+ length_dc_unc_1 = ndr_get_array_length(ndr, &r->dc_unc); >+ if (length_dc_unc_1 > size_dc_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_unc_1, length_dc_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_unc, ndr_get_array_length(ndr, &r->dc_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_unc, length_dc_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_unc_0, 0); > } > if (r->dc_address) { >@@ -7156,11 +7269,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->dc_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_address)); >- if (ndr_get_array_length(ndr, &r->dc_address) > ndr_get_array_size(ndr, &r->dc_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_address), ndr_get_array_length(ndr, &r->dc_address)); >+ size_dc_address_1 = ndr_get_array_size(ndr, &r->dc_address); >+ length_dc_address_1 = ndr_get_array_length(ndr, &r->dc_address); >+ if (length_dc_address_1 > size_dc_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_address_1, length_dc_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_address, ndr_get_array_length(ndr, &r->dc_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_address, length_dc_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_address_0, 0); > } > if (r->domain_name) { >@@ -7168,11 +7283,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); >- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > if (r->forest_name) { >@@ -7180,11 +7297,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->forest_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->forest_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->forest_name)); >- if (ndr_get_array_length(ndr, &r->forest_name) > ndr_get_array_size(ndr, &r->forest_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->forest_name), ndr_get_array_length(ndr, &r->forest_name)); >+ size_forest_name_1 = ndr_get_array_size(ndr, &r->forest_name); >+ length_forest_name_1 = ndr_get_array_length(ndr, &r->forest_name); >+ if (length_forest_name_1 > size_forest_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_forest_name_1, length_forest_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->forest_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest_name, ndr_get_array_length(ndr, &r->forest_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_forest_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest_name, length_forest_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_name_0, 0); > } > if (r->dc_site_name) { >@@ -7192,11 +7311,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->dc_site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_site_name)); >- if (ndr_get_array_length(ndr, &r->dc_site_name) > ndr_get_array_size(ndr, &r->dc_site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_site_name), ndr_get_array_length(ndr, &r->dc_site_name)); >+ size_dc_site_name_1 = ndr_get_array_size(ndr, &r->dc_site_name); >+ length_dc_site_name_1 = ndr_get_array_length(ndr, &r->dc_site_name); >+ if (length_dc_site_name_1 > size_dc_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_site_name_1, length_dc_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_site_name, ndr_get_array_length(ndr, &r->dc_site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_site_name, length_dc_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_site_name_0, 0); > } > if (r->client_site_name) { >@@ -7204,11 +7325,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->client_site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_site_name)); >- if (ndr_get_array_length(ndr, &r->client_site_name) > ndr_get_array_size(ndr, &r->client_site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_site_name), ndr_get_array_length(ndr, &r->client_site_name)); >+ size_client_site_name_1 = ndr_get_array_size(ndr, &r->client_site_name); >+ length_client_site_name_1 = ndr_get_array_length(ndr, &r->client_site_name); >+ if (length_client_site_name_1 > size_client_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_site_name_1, length_client_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_site_name, ndr_get_array_length(ndr, &r->client_site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_site_name, length_client_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_site_name_0, 0); > } > } >@@ -7466,6 +7589,7 @@ static enum ndr_err_code ndr_push_netr_LsaPolicyInformation(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_netr_LsaPolicyInformation(struct ndr_pull *ndr, int ndr_flags, struct netr_LsaPolicyInformation *r) > { > uint32_t _ptr_policy; >+ uint32_t size_policy_1 = 0; > TALLOC_CTX *_mem_save_policy_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7483,8 +7607,9 @@ static enum ndr_err_code ndr_pull_netr_LsaPolicyInformation(struct ndr_pull *ndr > _mem_save_policy_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->policy, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->policy)); >- NDR_PULL_ALLOC_N(ndr, r->policy, ndr_get_array_size(ndr, &r->policy)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->policy, ndr_get_array_size(ndr, &r->policy))); >+ size_policy_1 = ndr_get_array_size(ndr, &r->policy); >+ NDR_PULL_ALLOC_N(ndr, r->policy, size_policy_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->policy, size_policy_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_policy_0, 0); > } > if (r->policy) { >@@ -7760,16 +7885,28 @@ static enum ndr_err_code ndr_push_netr_WorkstationInformation(struct ndr_push *n > static enum ndr_err_code ndr_pull_netr_WorkstationInformation(struct ndr_pull *ndr, int ndr_flags, struct netr_WorkstationInformation *r) > { > uint32_t _ptr_dns_hostname; >+ uint32_t size_dns_hostname_1 = 0; >+ uint32_t length_dns_hostname_1 = 0; > TALLOC_CTX *_mem_save_dns_hostname_0; > uint32_t _ptr_sitename; >+ uint32_t size_sitename_1 = 0; >+ uint32_t length_sitename_1 = 0; > TALLOC_CTX *_mem_save_sitename_0; > uint32_t _ptr_dummy1; >+ uint32_t size_dummy1_1 = 0; >+ uint32_t length_dummy1_1 = 0; > TALLOC_CTX *_mem_save_dummy1_0; > uint32_t _ptr_dummy2; >+ uint32_t size_dummy2_1 = 0; >+ uint32_t length_dummy2_1 = 0; > TALLOC_CTX *_mem_save_dummy2_0; > uint32_t _ptr_dummy3; >+ uint32_t size_dummy3_1 = 0; >+ uint32_t length_dummy3_1 = 0; > TALLOC_CTX *_mem_save_dummy3_0; > uint32_t _ptr_dummy4; >+ uint32_t size_dummy4_1 = 0; >+ uint32_t length_dummy4_1 = 0; > TALLOC_CTX *_mem_save_dummy4_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7827,11 +7964,13 @@ static enum ndr_err_code ndr_pull_netr_WorkstationInformation(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->dns_hostname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_hostname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_hostname)); >- if (ndr_get_array_length(ndr, &r->dns_hostname) > ndr_get_array_size(ndr, &r->dns_hostname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_hostname), ndr_get_array_length(ndr, &r->dns_hostname)); >+ size_dns_hostname_1 = ndr_get_array_size(ndr, &r->dns_hostname); >+ length_dns_hostname_1 = ndr_get_array_length(ndr, &r->dns_hostname); >+ if (length_dns_hostname_1 > size_dns_hostname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_hostname_1, length_dns_hostname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_hostname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_hostname, ndr_get_array_length(ndr, &r->dns_hostname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_hostname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_hostname, length_dns_hostname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_hostname_0, 0); > } > if (r->sitename) { >@@ -7839,11 +7978,13 @@ static enum ndr_err_code ndr_pull_netr_WorkstationInformation(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->sitename)); >- if (ndr_get_array_length(ndr, &r->sitename) > ndr_get_array_size(ndr, &r->sitename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->sitename), ndr_get_array_length(ndr, &r->sitename)); >+ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); >+ length_sitename_1 = ndr_get_array_length(ndr, &r->sitename); >+ if (length_sitename_1 > size_sitename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sitename_1, length_sitename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->sitename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sitename, ndr_get_array_length(ndr, &r->sitename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sitename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sitename, length_sitename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_0, 0); > } > if (r->dummy1) { >@@ -7851,11 +7992,13 @@ static enum ndr_err_code ndr_pull_netr_WorkstationInformation(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->dummy1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dummy1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dummy1)); >- if (ndr_get_array_length(ndr, &r->dummy1) > ndr_get_array_size(ndr, &r->dummy1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dummy1), ndr_get_array_length(ndr, &r->dummy1)); >+ size_dummy1_1 = ndr_get_array_size(ndr, &r->dummy1); >+ length_dummy1_1 = ndr_get_array_length(ndr, &r->dummy1); >+ if (length_dummy1_1 > size_dummy1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dummy1_1, length_dummy1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dummy1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy1, ndr_get_array_length(ndr, &r->dummy1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dummy1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy1, length_dummy1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dummy1_0, 0); > } > if (r->dummy2) { >@@ -7863,11 +8006,13 @@ static enum ndr_err_code ndr_pull_netr_WorkstationInformation(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->dummy2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dummy2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dummy2)); >- if (ndr_get_array_length(ndr, &r->dummy2) > ndr_get_array_size(ndr, &r->dummy2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dummy2), ndr_get_array_length(ndr, &r->dummy2)); >+ size_dummy2_1 = ndr_get_array_size(ndr, &r->dummy2); >+ length_dummy2_1 = ndr_get_array_length(ndr, &r->dummy2); >+ if (length_dummy2_1 > size_dummy2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dummy2_1, length_dummy2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dummy2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy2, ndr_get_array_length(ndr, &r->dummy2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dummy2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy2, length_dummy2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dummy2_0, 0); > } > if (r->dummy3) { >@@ -7875,11 +8020,13 @@ static enum ndr_err_code ndr_pull_netr_WorkstationInformation(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->dummy3, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dummy3)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dummy3)); >- if (ndr_get_array_length(ndr, &r->dummy3) > ndr_get_array_size(ndr, &r->dummy3)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dummy3), ndr_get_array_length(ndr, &r->dummy3)); >+ size_dummy3_1 = ndr_get_array_size(ndr, &r->dummy3); >+ length_dummy3_1 = ndr_get_array_length(ndr, &r->dummy3); >+ if (length_dummy3_1 > size_dummy3_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dummy3_1, length_dummy3_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dummy3), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy3, ndr_get_array_length(ndr, &r->dummy3), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dummy3_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy3, length_dummy3_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dummy3_0, 0); > } > if (r->dummy4) { >@@ -7887,11 +8034,13 @@ static enum ndr_err_code ndr_pull_netr_WorkstationInformation(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->dummy4, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dummy4)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dummy4)); >- if (ndr_get_array_length(ndr, &r->dummy4) > ndr_get_array_size(ndr, &r->dummy4)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dummy4), ndr_get_array_length(ndr, &r->dummy4)); >+ size_dummy4_1 = ndr_get_array_size(ndr, &r->dummy4); >+ length_dummy4_1 = ndr_get_array_length(ndr, &r->dummy4); >+ if (length_dummy4_1 > size_dummy4_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dummy4_1, length_dummy4_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dummy4), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy4, ndr_get_array_length(ndr, &r->dummy4), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dummy4_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy4, length_dummy4_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dummy4_0, 0); > } > NDR_CHECK(ndr_pull_netr_OsVersionContainer(ndr, NDR_BUFFERS, &r->os_version)); >@@ -8000,7 +8149,9 @@ static enum ndr_err_code ndr_pull_netr_WorkstationInfo(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_workstation_info_0; >+ uint32_t _ptr_workstation_info; > TALLOC_CTX *_mem_save_lsa_policy_info_0; >+ uint32_t _ptr_lsa_policy_info; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -8010,7 +8161,6 @@ static enum ndr_err_code ndr_pull_netr_WorkstationInfo(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_workstation_info; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_workstation_info)); > if (_ptr_workstation_info) { > NDR_PULL_ALLOC(ndr, r->workstation_info); >@@ -8020,7 +8170,6 @@ static enum ndr_err_code ndr_pull_netr_WorkstationInfo(struct ndr_pull *ndr, int > break; } > > case 2: { >- uint32_t _ptr_lsa_policy_info; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_lsa_policy_info)); > if (_ptr_lsa_policy_info) { > NDR_PULL_ALLOC(ndr, r->lsa_policy_info); >@@ -8369,6 +8518,7 @@ static enum ndr_err_code ndr_push_netr_DomainInformation(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_DomainInformation(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainInformation *r) > { > uint32_t _ptr_trusted_domains; >+ uint32_t size_trusted_domains_1 = 0; > uint32_t cntr_trusted_domains_1; > TALLOC_CTX *_mem_save_trusted_domains_0; > TALLOC_CTX *_mem_save_trusted_domains_1; >@@ -8399,13 +8549,14 @@ static enum ndr_err_code ndr_pull_netr_DomainInformation(struct ndr_pull *ndr, i > _mem_save_trusted_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->trusted_domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_domains)); >- NDR_PULL_ALLOC_N(ndr, r->trusted_domains, ndr_get_array_size(ndr, &r->trusted_domains)); >+ size_trusted_domains_1 = ndr_get_array_size(ndr, &r->trusted_domains); >+ NDR_PULL_ALLOC_N(ndr, r->trusted_domains, size_trusted_domains_1); > _mem_save_trusted_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->trusted_domains, 0); >- for (cntr_trusted_domains_1 = 0; cntr_trusted_domains_1 < r->trusted_domain_count; cntr_trusted_domains_1++) { >+ for (cntr_trusted_domains_1 = 0; cntr_trusted_domains_1 < size_trusted_domains_1; cntr_trusted_domains_1++) { > NDR_CHECK(ndr_pull_netr_OneDomainInfo(ndr, NDR_SCALARS, &r->trusted_domains[cntr_trusted_domains_1])); > } >- for (cntr_trusted_domains_1 = 0; cntr_trusted_domains_1 < r->trusted_domain_count; cntr_trusted_domains_1++) { >+ for (cntr_trusted_domains_1 = 0; cntr_trusted_domains_1 < size_trusted_domains_1; cntr_trusted_domains_1++) { > NDR_CHECK(ndr_pull_netr_OneDomainInfo(ndr, NDR_BUFFERS, &r->trusted_domains[cntr_trusted_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_domains_1, 0); >@@ -8503,7 +8654,9 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo(struct ndr_pull *ndr, int ndr_ > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_domain_info_0; >+ uint32_t _ptr_domain_info; > TALLOC_CTX *_mem_save_lsa_policy_info_0; >+ uint32_t _ptr_lsa_policy_info; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -8513,7 +8666,6 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo(struct ndr_pull *ndr, int ndr_ > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_domain_info; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_info)); > if (_ptr_domain_info) { > NDR_PULL_ALLOC(ndr, r->domain_info); >@@ -8523,7 +8675,6 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo(struct ndr_pull *ndr, int ndr_ > break; } > > case 2: { >- uint32_t _ptr_lsa_policy_info; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_lsa_policy_info)); > if (_ptr_lsa_policy_info) { > NDR_PULL_ALLOC(ndr, r->lsa_policy_info); >@@ -8612,12 +8763,14 @@ static enum ndr_err_code ndr_push_netr_CryptPassword(struct ndr_push *ndr, int n > > static enum ndr_err_code ndr_pull_netr_CryptPassword(struct ndr_pull *ndr, int ndr_flags, struct netr_CryptPassword *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 512)); >+ size_data_0 = 512; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } >@@ -8668,6 +8821,7 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesWCtr(struct ndr_push > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesWCtr(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddressToSitenamesWCtr *r) > { > uint32_t _ptr_sitename; >+ uint32_t size_sitename_1 = 0; > uint32_t cntr_sitename_1; > TALLOC_CTX *_mem_save_sitename_0; > TALLOC_CTX *_mem_save_sitename_1; >@@ -8687,13 +8841,14 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesWCtr(struct ndr_pull > _mem_save_sitename_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); >- NDR_PULL_ALLOC_N(ndr, r->sitename, ndr_get_array_size(ndr, &r->sitename)); >+ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); >+ NDR_PULL_ALLOC_N(ndr, r->sitename, size_sitename_1); > _mem_save_sitename_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sitename[cntr_sitename_1])); > } >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sitename[cntr_sitename_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_1, 0); >@@ -8750,6 +8905,7 @@ static enum ndr_err_code ndr_push_netr_DsRAddress(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_netr_DsRAddress(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddress *r) > { > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_buffer_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -8767,8 +8923,9 @@ static enum ndr_err_code ndr_pull_netr_DsRAddress(struct ndr_pull *ndr, int ndr_ > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->buffer)); >- NDR_PULL_ALLOC_N(ndr, r->buffer, ndr_get_array_size(ndr, &r->buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, ndr_get_array_size(ndr, &r->buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->buffer); >+ NDR_PULL_ALLOC_N(ndr, r->buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > if (r->buffer) { >@@ -8884,8 +9041,12 @@ static enum ndr_err_code ndr_push_netr_DomainTrust(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainTrust *r) > { > uint32_t _ptr_netbios_name; >+ uint32_t size_netbios_name_1 = 0; >+ uint32_t length_netbios_name_1 = 0; > TALLOC_CTX *_mem_save_netbios_name_0; > uint32_t _ptr_dns_name; >+ uint32_t size_dns_name_1 = 0; >+ uint32_t length_dns_name_1 = 0; > TALLOC_CTX *_mem_save_dns_name_0; > uint32_t _ptr_sid; > TALLOC_CTX *_mem_save_sid_0; >@@ -8922,11 +9083,13 @@ static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); >- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); >+ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); >+ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); >+ if (length_netbios_name_1 > size_netbios_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); > } > if (r->dns_name) { >@@ -8934,11 +9097,13 @@ static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); >- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); >+ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); >+ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); >+ if (length_dns_name_1 > size_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); > } > if (r->sid) { >@@ -9007,6 +9172,7 @@ static enum ndr_err_code ndr_push_netr_DomainTrustList(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DomainTrustList(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainTrustList *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -9026,13 +9192,14 @@ static enum ndr_err_code ndr_pull_netr_DomainTrustList(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrust(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrust(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -9106,10 +9273,12 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesExWCtr(struct ndr_pu > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddressToSitenamesExWCtr *r) > { > uint32_t _ptr_sitename; >+ uint32_t size_sitename_1 = 0; > uint32_t cntr_sitename_1; > TALLOC_CTX *_mem_save_sitename_0; > TALLOC_CTX *_mem_save_sitename_1; > uint32_t _ptr_subnetname; >+ uint32_t size_subnetname_1 = 0; > uint32_t cntr_subnetname_1; > TALLOC_CTX *_mem_save_subnetname_0; > TALLOC_CTX *_mem_save_subnetname_1; >@@ -9135,13 +9304,14 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pu > _mem_save_sitename_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); >- NDR_PULL_ALLOC_N(ndr, r->sitename, ndr_get_array_size(ndr, &r->sitename)); >+ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); >+ NDR_PULL_ALLOC_N(ndr, r->sitename, size_sitename_1); > _mem_save_sitename_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sitename[cntr_sitename_1])); > } >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sitename[cntr_sitename_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_1, 0); >@@ -9151,13 +9321,14 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pu > _mem_save_subnetname_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->subnetname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->subnetname)); >- NDR_PULL_ALLOC_N(ndr, r->subnetname, ndr_get_array_size(ndr, &r->subnetname)); >+ size_subnetname_1 = ndr_get_array_size(ndr, &r->subnetname); >+ NDR_PULL_ALLOC_N(ndr, r->subnetname, size_subnetname_1); > _mem_save_subnetname_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->subnetname, 0); >- for (cntr_subnetname_1 = 0; cntr_subnetname_1 < r->count; cntr_subnetname_1++) { >+ for (cntr_subnetname_1 = 0; cntr_subnetname_1 < size_subnetname_1; cntr_subnetname_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->subnetname[cntr_subnetname_1])); > } >- for (cntr_subnetname_1 = 0; cntr_subnetname_1 < r->count; cntr_subnetname_1++) { >+ for (cntr_subnetname_1 = 0; cntr_subnetname_1 < size_subnetname_1; cntr_subnetname_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->subnetname[cntr_subnetname_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_subnetname_1, 0); >@@ -9239,6 +9410,7 @@ static enum ndr_err_code ndr_push_DcSitesCtr(struct ndr_push *ndr, int ndr_flags > static enum ndr_err_code ndr_pull_DcSitesCtr(struct ndr_pull *ndr, int ndr_flags, struct DcSitesCtr *r) > { > uint32_t _ptr_sites; >+ uint32_t size_sites_1 = 0; > uint32_t cntr_sites_1; > TALLOC_CTX *_mem_save_sites_0; > TALLOC_CTX *_mem_save_sites_1; >@@ -9258,13 +9430,14 @@ static enum ndr_err_code ndr_pull_DcSitesCtr(struct ndr_pull *ndr, int ndr_flags > _mem_save_sites_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sites, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sites)); >- NDR_PULL_ALLOC_N(ndr, r->sites, ndr_get_array_size(ndr, &r->sites)); >+ size_sites_1 = ndr_get_array_size(ndr, &r->sites); >+ NDR_PULL_ALLOC_N(ndr, r->sites, size_sites_1); > _mem_save_sites_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sites, 0); >- for (cntr_sites_1 = 0; cntr_sites_1 < r->num_sites; cntr_sites_1++) { >+ for (cntr_sites_1 = 0; cntr_sites_1 < size_sites_1; cntr_sites_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sites[cntr_sites_1])); > } >- for (cntr_sites_1 = 0; cntr_sites_1 < r->num_sites; cntr_sites_1++) { >+ for (cntr_sites_1 = 0; cntr_sites_1 < size_sites_1; cntr_sites_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sites[cntr_sites_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sites_1, 0); >@@ -9336,10 +9509,12 @@ static enum ndr_err_code ndr_push_netr_TrustInfo(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_netr_TrustInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_TrustInfo *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > uint32_t cntr_data_1; > TALLOC_CTX *_mem_save_data_0; > TALLOC_CTX *_mem_save_data_1; > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -9366,10 +9541,11 @@ static enum ndr_err_code ndr_pull_netr_TrustInfo(struct ndr_pull *ndr, int ndr_f > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); > _mem_save_data_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); >- for (cntr_data_1 = 0; cntr_data_1 < r->count; cntr_data_1++) { >+ for (cntr_data_1 = 0; cntr_data_1 < size_data_1; cntr_data_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->data[cntr_data_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_1, 0); >@@ -9379,13 +9555,14 @@ static enum ndr_err_code ndr_pull_netr_TrustInfo(struct ndr_pull *ndr, int ndr_f > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -9483,6 +9660,12 @@ static enum ndr_err_code ndr_push_netr_LogonUasLogon(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_LogonUasLogon(struct ndr_pull *ndr, int flags, struct netr_LogonUasLogon *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_workstation_1 = 0; >+ uint32_t length_workstation_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; >@@ -9501,27 +9684,33 @@ static enum ndr_err_code ndr_pull_netr_LogonUasLogon(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.workstation)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.workstation)); >- if (ndr_get_array_length(ndr, &r->in.workstation) > ndr_get_array_size(ndr, &r->in.workstation)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.workstation), ndr_get_array_length(ndr, &r->in.workstation)); >+ size_workstation_1 = ndr_get_array_size(ndr, &r->in.workstation); >+ length_workstation_1 = ndr_get_array_length(ndr, &r->in.workstation); >+ if (length_workstation_1 > size_workstation_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_1, length_workstation_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, length_workstation_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); > } >@@ -9631,6 +9820,12 @@ static enum ndr_err_code ndr_push_netr_LogonUasLogoff(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonUasLogoff(struct ndr_pull *ndr, int flags, struct netr_LogonUasLogoff *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_workstation_1 = 0; >+ uint32_t length_workstation_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -9647,27 +9842,33 @@ static enum ndr_err_code ndr_pull_netr_LogonUasLogoff(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.workstation)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.workstation)); >- if (ndr_get_array_length(ndr, &r->in.workstation) > ndr_get_array_size(ndr, &r->in.workstation)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.workstation), ndr_get_array_length(ndr, &r->in.workstation)); >+ size_workstation_1 = ndr_get_array_size(ndr, &r->in.workstation); >+ length_workstation_1 = ndr_get_array_length(ndr, &r->in.workstation); >+ if (length_workstation_1 > size_workstation_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_1, length_workstation_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, length_workstation_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); > } >@@ -9778,7 +9979,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogon(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogon *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_credential; > uint32_t _ptr_return_authenticator; > TALLOC_CTX *_mem_save_server_name_0; >@@ -9802,11 +10007,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -9820,11 +10027,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); >@@ -10008,7 +10217,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogoff(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogoff *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_credential; > uint32_t _ptr_return_authenticator; > TALLOC_CTX *_mem_save_server_name_0; >@@ -10029,11 +10242,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -10047,11 +10262,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); >@@ -10189,6 +10406,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_ServerReqChallenge(struct ndr_push *ndr > _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerReqChallenge(struct ndr_pull *ndr, int flags, struct netr_ServerReqChallenge *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -10206,20 +10427,24 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerReqChallenge(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -10325,6 +10550,12 @@ static enum ndr_err_code ndr_push_netr_ServerAuthenticate(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerAuthenticate(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -10342,28 +10573,34 @@ static enum ndr_err_code ndr_pull_netr_ServerAuthenticate(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -10478,6 +10715,12 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_ServerPasswordSet(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordSet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -10496,28 +10739,34 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -10651,6 +10900,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseDeltas(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_netr_DatabaseDeltas(struct ndr_pull *ndr, int flags, struct netr_DatabaseDeltas *r) > { >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_1 = 0; >+ uint32_t length_computername_1 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -10662,18 +10915,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseDeltas(struct ndr_pull *ndr, int > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_1 > size_computername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -10857,6 +11114,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseSync(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_netr_DatabaseSync(struct ndr_pull *ndr, int flags, struct netr_DatabaseSync *r) > { >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_1 = 0; >+ uint32_t length_computername_1 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -10868,18 +11129,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseSync(struct ndr_pull *ndr, int fl > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_1 > size_computername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -11069,6 +11334,10 @@ static enum ndr_err_code ndr_push_netr_AccountDeltas(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_AccountDeltas(struct ndr_pull *ndr, int flags, struct netr_AccountDeltas *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_1 = 0; >+ uint32_t length_computername_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_return_authenticator_0; > TALLOC_CTX *_mem_save_buffer_0; >@@ -11089,20 +11358,24 @@ static enum ndr_err_code ndr_pull_netr_AccountDeltas(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_1 > size_computername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.return_authenticator); >@@ -11300,6 +11573,10 @@ static enum ndr_err_code ndr_push_netr_AccountSync(struct ndr_push *ndr, int fla > static enum ndr_err_code ndr_pull_netr_AccountSync(struct ndr_pull *ndr, int flags, struct netr_AccountSync *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_1 = 0; >+ uint32_t length_computername_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_return_authenticator_0; > TALLOC_CTX *_mem_save_buffer_0; >@@ -11321,20 +11598,24 @@ static enum ndr_err_code ndr_pull_netr_AccountSync(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_1 > size_computername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.return_authenticator); >@@ -11522,8 +11803,14 @@ static enum ndr_err_code ndr_push_netr_GetDcName(struct ndr_push *ndr, int flags > > static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags, struct netr_GetDcName *r) > { >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > uint32_t _ptr_domainname; >+ uint32_t size_domainname_1 = 0; >+ uint32_t length_domainname_1 = 0; > uint32_t _ptr_dcname; >+ uint32_t size_dcname_2 = 0; >+ uint32_t length_dcname_2 = 0; > TALLOC_CTX *_mem_save_domainname_0; > TALLOC_CTX *_mem_save_dcname_0; > TALLOC_CTX *_mem_save_dcname_1; >@@ -11532,11 +11819,13 @@ static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domainname)); > if (_ptr_domainname) { > NDR_PULL_ALLOC(ndr, r->in.domainname); >@@ -11548,11 +11837,13 @@ static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags > NDR_PULL_SET_MEM_CTX(ndr, r->in.domainname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domainname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domainname)); >- if (ndr_get_array_length(ndr, &r->in.domainname) > ndr_get_array_size(ndr, &r->in.domainname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domainname), ndr_get_array_length(ndr, &r->in.domainname)); >+ size_domainname_1 = ndr_get_array_size(ndr, &r->in.domainname); >+ length_domainname_1 = ndr_get_array_length(ndr, &r->in.domainname); >+ if (length_domainname_1 > size_domainname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domainname_1, length_domainname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domainname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, length_domainname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domainname_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.dcname); >@@ -11575,11 +11866,13 @@ static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags > NDR_PULL_SET_MEM_CTX(ndr, *r->out.dcname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.dcname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.dcname)); >- if (ndr_get_array_length(ndr, r->out.dcname) > ndr_get_array_size(ndr, r->out.dcname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.dcname), ndr_get_array_length(ndr, r->out.dcname)); >+ size_dcname_2 = ndr_get_array_size(ndr, r->out.dcname); >+ length_dcname_2 = ndr_get_array_length(ndr, r->out.dcname); >+ if (length_dcname_2 > size_dcname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dcname_2, length_dcname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dcname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, length_dcname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -11655,6 +11948,8 @@ static enum ndr_err_code ndr_push_netr_LogonControl(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_netr_LogonControl(struct ndr_pull *ndr, int flags, struct netr_LogonControl *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_query_0; > if (flags & NDR_IN) { >@@ -11671,11 +11966,13 @@ static enum ndr_err_code ndr_pull_netr_LogonControl(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); >@@ -11768,8 +12065,14 @@ static enum ndr_err_code ndr_push_netr_GetAnyDCName(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int flags, struct netr_GetAnyDCName *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > uint32_t _ptr_domainname; >+ uint32_t size_domainname_1 = 0; >+ uint32_t length_domainname_1 = 0; > uint32_t _ptr_dcname; >+ uint32_t size_dcname_2 = 0; >+ uint32_t length_dcname_2 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_domainname_0; > TALLOC_CTX *_mem_save_dcname_0; >@@ -11788,11 +12091,13 @@ static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domainname)); >@@ -11806,11 +12111,13 @@ static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.domainname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domainname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domainname)); >- if (ndr_get_array_length(ndr, &r->in.domainname) > ndr_get_array_size(ndr, &r->in.domainname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domainname), ndr_get_array_length(ndr, &r->in.domainname)); >+ size_domainname_1 = ndr_get_array_size(ndr, &r->in.domainname); >+ length_domainname_1 = ndr_get_array_length(ndr, &r->in.domainname); >+ if (length_domainname_1 > size_domainname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domainname_1, length_domainname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domainname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, length_domainname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domainname_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.dcname); >@@ -11833,11 +12140,13 @@ static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, *r->out.dcname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.dcname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.dcname)); >- if (ndr_get_array_length(ndr, r->out.dcname) > ndr_get_array_size(ndr, r->out.dcname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.dcname), ndr_get_array_length(ndr, r->out.dcname)); >+ size_dcname_2 = ndr_get_array_size(ndr, r->out.dcname); >+ length_dcname_2 = ndr_get_array_length(ndr, r->out.dcname); >+ if (length_dcname_2 > size_dcname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dcname_2, length_dcname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dcname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, length_dcname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -11920,6 +12229,8 @@ static enum ndr_err_code ndr_push_netr_LogonControl2(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_LogonControl2(struct ndr_pull *ndr, int flags, struct netr_LogonControl2 *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_data_0; > TALLOC_CTX *_mem_save_query_0; >@@ -11937,11 +12248,13 @@ static enum ndr_err_code ndr_pull_netr_LogonControl2(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); >@@ -12061,6 +12374,12 @@ static enum ndr_err_code ndr_push_netr_ServerAuthenticate2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerAuthenticate2(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -12079,28 +12398,34 @@ static enum ndr_err_code ndr_pull_netr_ServerAuthenticate2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -12248,6 +12573,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseSync2(struct ndr_push *ndr, int f > > static enum ndr_err_code ndr_pull_netr_DatabaseSync2(struct ndr_pull *ndr, int flags, struct netr_DatabaseSync2 *r) > { >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_1 = 0; >+ uint32_t length_computername_1 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -12259,18 +12588,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseSync2(struct ndr_pull *ndr, int f > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_1 > size_computername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -12453,6 +12786,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseRedo(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int flags, struct netr_DatabaseRedo *r) > { >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_1 = 0; >+ uint32_t length_computername_1 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -12463,18 +12800,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int fl > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_1 > size_computername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -12616,6 +12957,8 @@ static enum ndr_err_code ndr_push_netr_LogonControl2Ex(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonControl2Ex(struct ndr_pull *ndr, int flags, struct netr_LogonControl2Ex *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_data_0; > TALLOC_CTX *_mem_save_query_0; >@@ -12633,11 +12976,13 @@ static enum ndr_err_code ndr_pull_netr_LogonControl2Ex(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); >@@ -12730,6 +13075,8 @@ static enum ndr_err_code ndr_push_netr_NetrEnumerateTrustedDomains(struct ndr_pu > static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomains(struct ndr_pull *ndr, int flags, struct netr_NetrEnumerateTrustedDomains *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_trusted_domains_blob_0; > if (flags & NDR_IN) { >@@ -12746,11 +13093,13 @@ static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomains(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.trusted_domains_blob); >@@ -12843,7 +13192,11 @@ static enum ndr_err_code ndr_push_netr_DsRGetDCName(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCName *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_guid; > uint32_t _ptr_info; >@@ -12867,11 +13220,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); >@@ -12885,11 +13240,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -13043,7 +13400,11 @@ static enum ndr_err_code ndr_push_netr_LogonGetCapabilities(struct ndr_push *ndr > > static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr, int flags, struct netr_LogonGetCapabilities *r) > { >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -13053,11 +13414,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); > if (_ptr_computer_name) { > NDR_PULL_ALLOC(ndr, r->in.computer_name); >@@ -13069,11 +13432,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -13238,7 +13603,11 @@ static enum ndr_err_code ndr_push_netr_LogonGetTrustRid(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, int flags, struct netr_LogonGetTrustRid *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_domain_name_0; > TALLOC_CTX *_mem_save_rid_0; >@@ -13256,11 +13625,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); >@@ -13274,11 +13645,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.rid); >@@ -13471,6 +13844,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_ServerAuthenticate3(struct ndr_push *nd > _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerAuthenticate3(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate3 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -13490,28 +13869,34 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerAuthenticate3(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -13662,9 +14047,15 @@ static enum ndr_err_code ndr_push_netr_DsRGetDCNameEx(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCNameEx *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_domain_name_0; >@@ -13686,11 +14077,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); >@@ -13704,11 +14097,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -13734,11 +14129,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); >- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_DsRGetDCName_flags(ndr, NDR_SCALARS, &r->in.flags)); >@@ -13854,7 +14251,11 @@ static enum ndr_err_code ndr_push_netr_DsRGetSiteName(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int flags, struct netr_DsRGetSiteName *r) > { > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_site; >+ uint32_t size_site_2 = 0; >+ uint32_t length_site_2 = 0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_site_0; > TALLOC_CTX *_mem_save_site_1; >@@ -13872,11 +14273,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.site); >@@ -13899,11 +14302,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, *r->out.site, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.site)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.site)); >- if (ndr_get_array_length(ndr, r->out.site) > ndr_get_array_size(ndr, r->out.site)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.site), ndr_get_array_length(ndr, r->out.site)); >+ size_site_2 = ndr_get_array_size(ndr, r->out.site); >+ length_site_2 = ndr_get_array_length(ndr, r->out.site); >+ if (length_site_2 > size_site_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_2, length_site_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.site), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.site, ndr_get_array_length(ndr, r->out.site), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.site, length_site_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_0, LIBNDR_FLAG_REF_ALLOC); >@@ -13997,7 +14402,11 @@ static enum ndr_err_code ndr_push_netr_LogonGetDomainInfo(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, int flags, struct netr_LogonGetDomainInfo *r) > { >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -14008,11 +14417,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); > if (_ptr_computer_name) { > NDR_PULL_ALLOC(ndr, r->in.computer_name); >@@ -14024,11 +14435,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -14181,6 +14594,12 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordSet2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -14199,28 +14618,34 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -14346,6 +14771,12 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordGet(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_ServerPasswordGet(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordGet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -14364,28 +14795,34 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordGet(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -14546,6 +14983,9 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesW(struct ndr_push *n > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *ndr, int flags, struct netr_DsRAddressToSitenamesW *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_addresses_1 = 0; > uint32_t cntr_addresses_1; > uint32_t _ptr_ctr; > TALLOC_CTX *_mem_save_server_name_0; >@@ -14566,11 +15006,13 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); >@@ -14578,15 +15020,16 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *n > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.addresses)); >+ size_addresses_1 = ndr_get_array_size(ndr, &r->in.addresses); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.addresses, ndr_get_array_size(ndr, &r->in.addresses)); >+ NDR_PULL_ALLOC_N(ndr, r->in.addresses, size_addresses_1); > } > _mem_save_addresses_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.addresses, 0); >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_SCALARS, &r->in.addresses[cntr_addresses_1])); > } >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_BUFFERS, &r->in.addresses[cntr_addresses_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_1, 0); >@@ -14725,10 +15168,18 @@ static enum ndr_err_code ndr_push_netr_DsRGetDCNameEx2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCNameEx2 *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_client_account; >+ uint32_t size_client_account_1 = 0; >+ uint32_t length_client_account_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_client_account_0; >@@ -14751,11 +15202,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client_account)); >@@ -14769,11 +15222,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.client_account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client_account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client_account)); >- if (ndr_get_array_length(ndr, &r->in.client_account) > ndr_get_array_size(ndr, &r->in.client_account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client_account), ndr_get_array_length(ndr, &r->in.client_account)); >+ size_client_account_1 = ndr_get_array_size(ndr, &r->in.client_account); >+ length_client_account_1 = ndr_get_array_length(ndr, &r->in.client_account); >+ if (length_client_account_1 > size_client_account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_account_1, length_client_account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client_account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client_account, ndr_get_array_length(ndr, &r->in.client_account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client_account, length_client_account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_account_0, 0); > } > NDR_CHECK(ndr_pull_samr_AcctFlags(ndr, NDR_SCALARS, &r->in.mask)); >@@ -14788,11 +15243,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -14818,11 +15275,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); >- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_DsRGetDCName_flags(ndr, NDR_SCALARS, &r->in.flags)); >@@ -14980,6 +15439,8 @@ static enum ndr_err_code ndr_push_netr_NetrEnumerateTrustedDomainsEx(struct ndr_ > static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomainsEx(struct ndr_pull *ndr, int flags, struct netr_NetrEnumerateTrustedDomainsEx *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_dom_trust_list_0; > if (flags & NDR_IN) { >@@ -14996,11 +15457,13 @@ static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomainsEx(struct ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.dom_trust_list); >@@ -15089,6 +15552,9 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesExW(struct ndr_push > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull *ndr, int flags, struct netr_DsRAddressToSitenamesExW *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_addresses_1 = 0; > uint32_t cntr_addresses_1; > uint32_t _ptr_ctr; > TALLOC_CTX *_mem_save_server_name_0; >@@ -15109,11 +15575,13 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); >@@ -15121,15 +15589,16 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.addresses)); >+ size_addresses_1 = ndr_get_array_size(ndr, &r->in.addresses); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.addresses, ndr_get_array_size(ndr, &r->in.addresses)); >+ NDR_PULL_ALLOC_N(ndr, r->in.addresses, size_addresses_1); > } > _mem_save_addresses_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.addresses, 0); >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_SCALARS, &r->in.addresses[cntr_addresses_1])); > } >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_BUFFERS, &r->in.addresses[cntr_addresses_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_1, 0); >@@ -15241,6 +15710,8 @@ static enum ndr_err_code ndr_push_netr_DsrGetDcSiteCoverageW(struct ndr_push *nd > static enum ndr_err_code ndr_pull_netr_DsrGetDcSiteCoverageW(struct ndr_pull *ndr, int flags, struct netr_DsrGetDcSiteCoverageW *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_ctr; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_ctr_0; >@@ -15259,11 +15730,13 @@ static enum ndr_err_code ndr_pull_netr_DsrGetDcSiteCoverageW(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.ctr); >@@ -15380,7 +15853,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogonEx(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogonEx *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_logon_0; >@@ -15401,11 +15878,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -15419,11 +15898,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonInfoClass(ndr, NDR_SCALARS, &r->in.logon_level)); >@@ -15560,6 +16041,8 @@ static enum ndr_err_code ndr_push_netr_DsrEnumerateDomainTrusts(struct ndr_push > static enum ndr_err_code ndr_pull_netr_DsrEnumerateDomainTrusts(struct ndr_pull *ndr, int flags, struct netr_DsrEnumerateDomainTrusts *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_trusts_0; > if (flags & NDR_IN) { >@@ -15576,11 +16059,13 @@ static enum ndr_err_code ndr_pull_netr_DsrEnumerateDomainTrusts(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_TrustFlags(ndr, NDR_SCALARS, &r->in.trust_flags)); >@@ -15674,9 +16159,15 @@ static enum ndr_err_code ndr_push_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pull *ndr, int flags, struct netr_DsrDeregisterDNSHostRecords *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_dsa_guid; >+ uint32_t size_dns_host_1 = 0; >+ uint32_t length_dns_host_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_domain_0; > TALLOC_CTX *_mem_save_domain_guid_0; >@@ -15693,11 +16184,13 @@ static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); >@@ -15711,11 +16204,13 @@ static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain)); >- if (ndr_get_array_length(ndr, &r->in.domain) > ndr_get_array_size(ndr, &r->in.domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain), ndr_get_array_length(ndr, &r->in.domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->in.domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->in.domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -15744,11 +16239,13 @@ static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_host)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_host)); >- if (ndr_get_array_length(ndr, &r->in.dns_host) > ndr_get_array_size(ndr, &r->in.dns_host)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_host), ndr_get_array_length(ndr, &r->in.dns_host)); >+ size_dns_host_1 = ndr_get_array_size(ndr, &r->in.dns_host); >+ length_dns_host_1 = ndr_get_array_length(ndr, &r->in.dns_host); >+ if (length_dns_host_1 > size_dns_host_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_host_1, length_dns_host_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_host), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_host, ndr_get_array_length(ndr, &r->in.dns_host), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_host_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_host, length_dns_host_1, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -15856,6 +16353,12 @@ static enum ndr_err_code ndr_push_netr_ServerTrustPasswordsGet(struct ndr_push * > static enum ndr_err_code ndr_pull_netr_ServerTrustPasswordsGet(struct ndr_pull *ndr, int flags, struct netr_ServerTrustPasswordsGet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -15875,28 +16378,34 @@ static enum ndr_err_code ndr_pull_netr_ServerTrustPasswordsGet(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -16025,7 +16534,11 @@ static enum ndr_err_code ndr_push_netr_DsRGetForestTrustInformation(struct ndr_p > static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_pull *ndr, int flags, struct netr_DsRGetForestTrustInformation *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_trusted_domain_name; >+ uint32_t size_trusted_domain_name_1 = 0; >+ uint32_t length_trusted_domain_name_1 = 0; > uint32_t _ptr_forest_trust_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_trusted_domain_name_0; >@@ -16045,11 +16558,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_trusted_domain_name)); >@@ -16063,11 +16578,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.trusted_domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.trusted_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.trusted_domain_name)); >- if (ndr_get_array_length(ndr, &r->in.trusted_domain_name) > ndr_get_array_size(ndr, &r->in.trusted_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.trusted_domain_name), ndr_get_array_length(ndr, &r->in.trusted_domain_name)); >+ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->in.trusted_domain_name); >+ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->in.trusted_domain_name); >+ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); >@@ -16184,6 +16701,10 @@ static enum ndr_err_code ndr_push_netr_GetForestTrustInformation(struct ndr_push > static enum ndr_err_code ndr_pull_netr_GetForestTrustInformation(struct ndr_pull *ndr, int flags, struct netr_GetForestTrustInformation *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_trusted_domain_name_1 = 0; >+ uint32_t length_trusted_domain_name_1 = 0; > uint32_t _ptr_forest_trust_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; >@@ -16204,20 +16725,24 @@ static enum ndr_err_code ndr_pull_netr_GetForestTrustInformation(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.trusted_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.trusted_domain_name)); >- if (ndr_get_array_length(ndr, &r->in.trusted_domain_name) > ndr_get_array_size(ndr, &r->in.trusted_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.trusted_domain_name), ndr_get_array_length(ndr, &r->in.trusted_domain_name)); >+ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->in.trusted_domain_name); >+ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->in.trusted_domain_name); >+ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -16374,7 +16899,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogonWithFlags(struct ndr_push *n > static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogonWithFlags *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_credential; > uint32_t _ptr_return_authenticator; > TALLOC_CTX *_mem_save_server_name_0; >@@ -16399,11 +16928,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -16417,11 +16948,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); >@@ -16645,6 +17178,12 @@ static enum ndr_err_code ndr_push_netr_ServerGetTrustInfo(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerGetTrustInfo(struct ndr_pull *ndr, int flags, struct netr_ServerGetTrustInfo *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_trust_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; >@@ -16667,28 +17206,34 @@ static enum ndr_err_code ndr_pull_netr_ServerGetTrustInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >diff --git a/librpc/gen_ndr/ndr_ntlmssp.c b/librpc/gen_ndr/ndr_ntlmssp.c >index 130b8fe..0d54e4f 100644 >--- a/librpc/gen_ndr/ndr_ntlmssp.c >+++ b/librpc/gen_ndr/ndr_ntlmssp.c >@@ -170,12 +170,14 @@ static enum ndr_err_code ndr_push_VERSION(struct ndr_push *ndr, int ndr_flags, c > > static enum ndr_err_code ndr_pull_VERSION(struct ndr_pull *ndr, int ndr_flags, struct VERSION *r) > { >+ uint32_t size_Reserved_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); > NDR_CHECK(ndr_pull_ntlmssp_WindowsMajorVersion(ndr, NDR_SCALARS, &r->ProductMajorVersion)); > NDR_CHECK(ndr_pull_ntlmssp_WindowsMinorVersion(ndr, NDR_SCALARS, &r->ProductMinorVersion)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->ProductBuild)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Reserved, 3)); >+ size_Reserved_0 = 3; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Reserved, size_Reserved_0)); > NDR_CHECK(ndr_pull_ntlmssp_NTLMRevisionCurrent(ndr, NDR_SCALARS, &r->NTLMRevisionCurrent)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); > } >@@ -319,13 +321,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_NEGOTIATE_MESSAGE(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_NEGOTIATE_MESSAGE(struct ndr_pull *ndr, int ndr_flags, struct NEGOTIATE_MESSAGE *r) > { >+ uint32_t size_Signature_0 = 0; > uint32_t _ptr_DomainName; > TALLOC_CTX *_mem_save_DomainName_0; > uint32_t _ptr_Workstation; > TALLOC_CTX *_mem_save_Workstation_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, 8, sizeof(uint8_t), CH_DOS)); >+ size_Signature_0 = 8; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, size_Signature_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_ntlmssp_MessageType(ndr, NDR_SCALARS, &r->MessageType)); > NDR_CHECK(ndr_pull_NEGOTIATE(ndr, NDR_SCALARS, &r->NegotiateFlags)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->DomainNameLen)); >@@ -486,13 +490,15 @@ static enum ndr_err_code ndr_push_Restriction_Encoding(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_Restriction_Encoding(struct ndr_pull *ndr, int ndr_flags, struct Restriction_Encoding *r) > { >+ uint32_t size_MachineId_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Size)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Z4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->IntegrityLevel)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->SubjectIntegrityLevel)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->MachineId, 32)); >+ size_MachineId_0 = 32; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->MachineId, size_MachineId_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -677,6 +683,7 @@ static enum ndr_err_code ndr_push_ntlmssp_AvValue(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_ntlmssp_AvValue(struct ndr_pull *ndr, int ndr_flags, union ntlmssp_AvValue *r) > { > int level; >+ uint32_t size_ChannelBindings_0 = 0; > { > uint32_t _flags_save_UNION = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); >@@ -754,7 +761,8 @@ static enum ndr_err_code ndr_pull_ntlmssp_AvValue(struct ndr_pull *ndr, int ndr_ > break; } > > case MsvChannelBindings: { >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChannelBindings, 16)); >+ size_ChannelBindings_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChannelBindings, size_ChannelBindings_0)); > break; } > > default: { >@@ -1038,8 +1046,11 @@ _PUBLIC_ enum ndr_err_code ndr_push_CHALLENGE_MESSAGE(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_CHALLENGE_MESSAGE(struct ndr_pull *ndr, int ndr_flags, struct CHALLENGE_MESSAGE *r) > { >+ uint32_t size_Signature_0 = 0; > uint32_t _ptr_TargetName; > TALLOC_CTX *_mem_save_TargetName_0; >+ uint32_t size_ServerChallenge_0 = 0; >+ uint32_t size_Reserved_0 = 0; > uint32_t _ptr_TargetInfo; > TALLOC_CTX *_mem_save_TargetInfo_0; > { >@@ -1047,7 +1058,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_CHALLENGE_MESSAGE(struct ndr_pull *ndr, int > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, 8, sizeof(uint8_t), CH_DOS)); >+ size_Signature_0 = 8; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, size_Signature_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_ntlmssp_MessageType(ndr, NDR_SCALARS, &r->MessageType)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->TargetNameLen)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->TargetNameMaxLen)); >@@ -1064,8 +1076,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_CHALLENGE_MESSAGE(struct ndr_pull *ndr, int > ndr->flags = _flags_save_string; > } > NDR_CHECK(ndr_pull_NEGOTIATE(ndr, NDR_SCALARS, &r->NegotiateFlags)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ServerChallenge, 8)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Reserved, 8)); >+ size_ServerChallenge_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ServerChallenge, size_ServerChallenge_0)); >+ size_Reserved_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Reserved, size_Reserved_0)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->TargetInfoLen)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->TargetNameInfoMaxLen)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_TargetInfo)); >@@ -1176,12 +1190,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_LM_RESPONSE(struct ndr_push *ndr, int ndr_fl > > _PUBLIC_ enum ndr_err_code ndr_pull_LM_RESPONSE(struct ndr_pull *ndr, int ndr_flags, struct LM_RESPONSE *r) > { >+ uint32_t size_Response_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, 24)); >+ size_Response_0 = 24; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, size_Response_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -1224,13 +1240,17 @@ _PUBLIC_ enum ndr_err_code ndr_push_LMv2_RESPONSE(struct ndr_push *ndr, int ndr_ > > _PUBLIC_ enum ndr_err_code ndr_pull_LMv2_RESPONSE(struct ndr_pull *ndr, int ndr_flags, struct LMv2_RESPONSE *r) > { >+ uint32_t size_Response_0 = 0; >+ uint32_t size_ChallengeFromClient_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, 16)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChallengeFromClient, 8)); >+ size_Response_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, size_Response_0)); >+ size_ChallengeFromClient_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChallengeFromClient, size_ChallengeFromClient_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -1347,12 +1367,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_NTLM_RESPONSE(struct ndr_push *ndr, int ndr_ > > _PUBLIC_ enum ndr_err_code ndr_pull_NTLM_RESPONSE(struct ndr_pull *ndr, int ndr_flags, struct NTLM_RESPONSE *r) > { >+ uint32_t size_Response_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, 24)); >+ size_Response_0 = 24; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, size_Response_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -1416,6 +1438,7 @@ static enum ndr_err_code ndr_push_NTLMv2_CLIENT_CHALLENGE(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_NTLMv2_CLIENT_CHALLENGE(struct ndr_pull *ndr, int ndr_flags, struct NTLMv2_CLIENT_CHALLENGE *r) > { >+ uint32_t size_ChallengeFromClient_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); >@@ -1426,7 +1449,8 @@ static enum ndr_err_code ndr_pull_NTLMv2_CLIENT_CHALLENGE(struct ndr_pull *ndr, > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Reserved1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Reserved2)); > NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->TimeStamp)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChallengeFromClient, 8)); >+ size_ChallengeFromClient_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChallengeFromClient, size_ChallengeFromClient_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Reserved3)); > { > uint32_t _flags_save_AV_PAIR_LIST = ndr->flags; >@@ -1494,12 +1518,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_NTLMv2_RESPONSE(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_NTLMv2_RESPONSE(struct ndr_pull *ndr, int ndr_flags, struct NTLMv2_RESPONSE *r) > { >+ uint32_t size_Response_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, 16)); >+ size_Response_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, size_Response_0)); > NDR_CHECK(ndr_pull_NTLMv2_CLIENT_CHALLENGE(ndr, NDR_SCALARS, &r->Challenge)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } >@@ -1753,6 +1779,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_AUTHENTICATE_MESSAGE(struct ndr_push *ndr, i > > _PUBLIC_ enum ndr_err_code ndr_pull_AUTHENTICATE_MESSAGE(struct ndr_pull *ndr, int ndr_flags, struct AUTHENTICATE_MESSAGE *r) > { >+ uint32_t size_Signature_0 = 0; > uint32_t _ptr_LmChallengeResponse; > TALLOC_CTX *_mem_save_LmChallengeResponse_0; > uint32_t _ptr_NtChallengeResponse; >@@ -1770,7 +1797,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_AUTHENTICATE_MESSAGE(struct ndr_pull *ndr, i > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, 8, sizeof(uint8_t), CH_DOS)); >+ size_Signature_0 = 8; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, size_Signature_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_ntlmssp_MessageType(ndr, NDR_SCALARS, &r->MessageType)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->LmChallengeResponseLen)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->LmChallengeResponseMaxLen)); >@@ -2090,13 +2118,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_NTLMSSP_MESSAGE_SIGNATURE_NTLMv2(struct ndr_ > > _PUBLIC_ enum ndr_err_code ndr_pull_NTLMSSP_MESSAGE_SIGNATURE_NTLMv2(struct ndr_pull *ndr, int ndr_flags, struct NTLMSSP_MESSAGE_SIGNATURE_NTLMv2 *r) > { >+ uint32_t size_Checksum_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Version)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, 8)); >+ size_Checksum_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, size_Checksum_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->SeqNum)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } >diff --git a/librpc/gen_ndr/ndr_ntsvcs.c b/librpc/gen_ndr/ndr_ntsvcs.c >index 07a4a45..e4c2087 100644 >--- a/librpc/gen_ndr/ndr_ntsvcs.c >+++ b/librpc/gen_ndr/ndr_ntsvcs.c >@@ -54,11 +54,13 @@ static enum ndr_err_code ndr_push_PNP_HwProfInfo(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_PNP_HwProfInfo(struct ndr_pull *ndr, int ndr_flags, struct PNP_HwProfInfo *r) > { >+ uint32_t size_friendly_name_0 = 0; > uint32_t cntr_friendly_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->profile_handle)); >- for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < 80; cntr_friendly_name_0++) { >+ size_friendly_name_0 = 80; >+ for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < size_friendly_name_0; cntr_friendly_name_0++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->friendly_name[cntr_friendly_name_0])); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags)); >@@ -375,14 +377,18 @@ static enum ndr_err_code ndr_push_PNP_ValidateDeviceInstance(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_PNP_ValidateDeviceInstance(struct ndr_pull *ndr, int flags, struct PNP_ValidateDeviceInstance *r) > { >+ uint32_t size_devicepath_1 = 0; >+ uint32_t length_devicepath_1 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); >- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); >+ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); >+ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); >+ if (length_devicepath_1 > size_devicepath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -579,6 +585,10 @@ static enum ndr_err_code ndr_push_PNP_GetDeviceList(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_PNP_GetDeviceList(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceList *r) > { > uint32_t _ptr_filter; >+ uint32_t size_filter_1 = 0; >+ uint32_t length_filter_1 = 0; >+ uint32_t size_buffer_1 = 0; >+ uint32_t length_buffer_1 = 0; > uint32_t cntr_buffer_1; > TALLOC_CTX *_mem_save_filter_0; > TALLOC_CTX *_mem_save_buffer_1; >@@ -597,11 +607,13 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceList(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.filter, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.filter)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.filter)); >- if (ndr_get_array_length(ndr, &r->in.filter) > ndr_get_array_size(ndr, &r->in.filter)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.filter), ndr_get_array_length(ndr, &r->in.filter)); >+ size_filter_1 = ndr_get_array_size(ndr, &r->in.filter); >+ length_filter_1 = ndr_get_array_length(ndr, &r->in.filter); >+ if (length_filter_1 > size_filter_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_filter_1, length_filter_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.filter), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.filter, ndr_get_array_length(ndr, &r->in.filter), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_filter_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.filter, length_filter_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_filter_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -620,15 +632,17 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceList(struct ndr_pull *ndr, int fl > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); >- if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); >+ length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer); >+ if (length_buffer_1 > size_buffer_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } > _mem_save_buffer_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.buffer, 0); >- for (cntr_buffer_1 = 0; cntr_buffer_1 < ndr_get_array_length(ndr, &r->out.buffer); cntr_buffer_1++) { >+ for (cntr_buffer_1 = 0; cntr_buffer_1 < length_buffer_1; cntr_buffer_1++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.buffer[cntr_buffer_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_1, 0); >@@ -725,6 +739,8 @@ static enum ndr_err_code ndr_push_PNP_GetDeviceListSize(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_PNP_GetDeviceListSize(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceListSize *r) > { > uint32_t _ptr_devicename; >+ uint32_t size_devicename_1 = 0; >+ uint32_t length_devicename_1 = 0; > TALLOC_CTX *_mem_save_devicename_0; > TALLOC_CTX *_mem_save_size_0; > if (flags & NDR_IN) { >@@ -741,11 +757,13 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceListSize(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.devicename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicename)); >- if (ndr_get_array_length(ndr, &r->in.devicename) > ndr_get_array_size(ndr, &r->in.devicename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicename), ndr_get_array_length(ndr, &r->in.devicename)); >+ size_devicename_1 = ndr_get_array_size(ndr, &r->in.devicename); >+ length_devicename_1 = ndr_get_array_length(ndr, &r->in.devicename); >+ if (length_devicename_1 > size_devicename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicename_1, length_devicename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, length_devicename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_devicename_0, 0); > } > NDR_CHECK(ndr_pull_PNP_GetIdListFlags(ndr, NDR_SCALARS, &r->in.flags)); >@@ -890,6 +908,10 @@ static enum ndr_err_code ndr_push_PNP_GetDeviceRegProp(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceRegProp *r) > { >+ uint32_t size_devicepath_1 = 0; >+ uint32_t length_devicepath_1 = 0; >+ uint32_t size_buffer_1 = 0; >+ uint32_t length_buffer_1 = 0; > TALLOC_CTX *_mem_save_reg_data_type_0; > TALLOC_CTX *_mem_save_buffer_size_0; > TALLOC_CTX *_mem_save_needed_0; >@@ -898,11 +920,13 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); >- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); >+ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); >+ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); >+ if (length_devicepath_1 > size_devicepath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.property)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.reg_data_type); >@@ -945,13 +969,15 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reg_data_type_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); >- if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); >+ length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer); >+ if (length_buffer_1 > size_buffer_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_length(ndr, &r->out.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, length_buffer_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.buffer_size); > } >@@ -2154,9 +2180,15 @@ static enum ndr_err_code ndr_push_PNP_HwProfFlags(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flags, struct PNP_HwProfFlags *r) > { >+ uint32_t size_devicepath_1 = 0; >+ uint32_t length_devicepath_1 = 0; > uint32_t _ptr_veto_type; > uint32_t _ptr_unknown5; >+ uint32_t size_unknown5_1 = 0; >+ uint32_t length_unknown5_1 = 0; > uint32_t _ptr_unknown5a; >+ uint32_t size_unknown5a_2 = 0; >+ uint32_t length_unknown5a_2 = 0; > TALLOC_CTX *_mem_save_profile_flags_0; > TALLOC_CTX *_mem_save_veto_type_0; > TALLOC_CTX *_mem_save_unknown5_0; >@@ -2168,11 +2200,13 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.action)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); >- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); >+ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); >+ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); >+ if (length_devicepath_1 > size_devicepath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.config)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.profile_flags); >@@ -2204,11 +2238,13 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown5, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown5)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown5)); >- if (ndr_get_array_length(ndr, &r->in.unknown5) > ndr_get_array_size(ndr, &r->in.unknown5)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown5), ndr_get_array_length(ndr, &r->in.unknown5)); >+ size_unknown5_1 = ndr_get_array_size(ndr, &r->in.unknown5); >+ length_unknown5_1 = ndr_get_array_length(ndr, &r->in.unknown5); >+ if (length_unknown5_1 > size_unknown5_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5_1, length_unknown5_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, length_unknown5_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_length)); >@@ -2256,11 +2292,13 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, *r->out.unknown5a, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.unknown5a)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.unknown5a)); >- if (ndr_get_array_length(ndr, r->out.unknown5a) > ndr_get_array_size(ndr, r->out.unknown5a)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.unknown5a), ndr_get_array_length(ndr, r->out.unknown5a)); >+ size_unknown5a_2 = ndr_get_array_size(ndr, r->out.unknown5a); >+ length_unknown5a_2 = ndr_get_array_length(ndr, r->out.unknown5a); >+ if (length_unknown5a_2 > size_unknown5a_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5a_2, length_unknown5a_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5a_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, length_unknown5a_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_0, 0); >diff --git a/librpc/gen_ndr/ndr_samr.c b/librpc/gen_ndr/ndr_samr.c >index 8e6e005..f93016b 100644 >--- a/librpc/gen_ndr/ndr_samr.c >+++ b/librpc/gen_ndr/ndr_samr.c >@@ -305,6 +305,7 @@ static enum ndr_err_code ndr_push_samr_SamArray(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_samr_SamArray(struct ndr_pull *ndr, int ndr_flags, struct samr_SamArray *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -324,13 +325,14 @@ static enum ndr_err_code ndr_pull_samr_SamArray(struct ndr_pull *ndr, int ndr_fl > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_SamEntry(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_SamEntry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -1252,6 +1254,7 @@ static enum ndr_err_code ndr_push_samr_Ids(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_samr_Ids(struct ndr_pull *ndr, int ndr_flags, struct samr_Ids *r) > { > uint32_t _ptr_ids; >+ uint32_t size_ids_1 = 0; > uint32_t cntr_ids_1; > TALLOC_CTX *_mem_save_ids_0; > TALLOC_CTX *_mem_save_ids_1; >@@ -1274,10 +1277,11 @@ static enum ndr_err_code ndr_pull_samr_Ids(struct ndr_pull *ndr, int ndr_flags, > _mem_save_ids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->ids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->ids)); >- NDR_PULL_ALLOC_N(ndr, r->ids, ndr_get_array_size(ndr, &r->ids)); >+ size_ids_1 = ndr_get_array_size(ndr, &r->ids); >+ NDR_PULL_ALLOC_N(ndr, r->ids, size_ids_1); > _mem_save_ids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->ids, 0); >- for (cntr_ids_1 = 0; cntr_ids_1 < r->count; cntr_ids_1++) { >+ for (cntr_ids_1 = 0; cntr_ids_1 < size_ids_1; cntr_ids_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ids[cntr_ids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ids_1, 0); >@@ -1633,10 +1637,12 @@ static enum ndr_err_code ndr_push_samr_RidTypeArray(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_samr_RidTypeArray(struct ndr_pull *ndr, int ndr_flags, struct samr_RidTypeArray *r) > { > uint32_t _ptr_rids; >+ uint32_t size_rids_1 = 0; > uint32_t cntr_rids_1; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_rids_1; > uint32_t _ptr_types; >+ uint32_t size_types_1 = 0; > uint32_t cntr_types_1; > TALLOC_CTX *_mem_save_types_0; > TALLOC_CTX *_mem_save_types_1; >@@ -1662,10 +1668,11 @@ static enum ndr_err_code ndr_pull_samr_RidTypeArray(struct ndr_pull *ndr, int nd > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_1 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); > _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_1 = 0; cntr_rids_1 < r->count; cntr_rids_1++) { >+ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); >@@ -1675,10 +1682,11 @@ static enum ndr_err_code ndr_pull_samr_RidTypeArray(struct ndr_pull *ndr, int nd > _mem_save_types_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->types)); >- NDR_PULL_ALLOC_N(ndr, r->types, ndr_get_array_size(ndr, &r->types)); >+ size_types_1 = ndr_get_array_size(ndr, &r->types); >+ NDR_PULL_ALLOC_N(ndr, r->types, size_types_1); > _mem_save_types_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); >- for (cntr_types_1 = 0; cntr_types_1 < r->count; cntr_types_1++) { >+ for (cntr_types_1 = 0; cntr_types_1 < size_types_1; cntr_types_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->types[cntr_types_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_types_1, 0); >@@ -2089,6 +2097,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_LogonHours(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_samr_LogonHours(struct ndr_pull *ndr, int ndr_flags, struct samr_LogonHours *r) > { > uint32_t _ptr_bits; >+ uint32_t size_bits_1 = 0; >+ uint32_t length_bits_1 = 0; > TALLOC_CTX *_mem_save_bits_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -2110,11 +2120,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_LogonHours(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->bits, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->bits)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->bits)); >- if (ndr_get_array_length(ndr, &r->bits) > ndr_get_array_size(ndr, &r->bits)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->bits), ndr_get_array_length(ndr, &r->bits)); >+ size_bits_1 = ndr_get_array_size(ndr, &r->bits); >+ length_bits_1 = ndr_get_array_length(ndr, &r->bits); >+ if (length_bits_1 > size_bits_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_bits_1, length_bits_1); > } >- NDR_PULL_ALLOC_N(ndr, r->bits, ndr_get_array_size(ndr, &r->bits)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->bits, ndr_get_array_length(ndr, &r->bits))); >+ NDR_PULL_ALLOC_N(ndr, r->bits, size_bits_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->bits, length_bits_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bits_0, 0); > } > if (r->bits) { >@@ -2779,12 +2791,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_Password(struct ndr_push *ndr, int ndr_ > > _PUBLIC_ enum ndr_err_code ndr_pull_samr_Password(struct ndr_pull *ndr, int ndr_flags, struct samr_Password *r) > { >+ uint32_t size_hash_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); >+ size_hash_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -3002,6 +3016,7 @@ static enum ndr_err_code ndr_push_samr_UserInfo21(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_samr_UserInfo21(struct ndr_pull *ndr, int ndr_flags, struct samr_UserInfo21 *r) > { > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_buffer_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3064,8 +3079,9 @@ static enum ndr_err_code ndr_pull_samr_UserInfo21(struct ndr_pull *ndr, int ndr_ > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->buffer)); >- NDR_PULL_ALLOC_N(ndr, r->buffer, ndr_get_array_size(ndr, &r->buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, ndr_get_array_size(ndr, &r->buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->buffer); >+ NDR_PULL_ALLOC_N(ndr, r->buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > NDR_CHECK(ndr_pull_samr_LogonHours(ndr, NDR_BUFFERS, &r->logon_hours)); >@@ -3141,12 +3157,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_CryptPassword(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_samr_CryptPassword(struct ndr_pull *ndr, int ndr_flags, struct samr_CryptPassword *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 516)); >+ size_data_0 = 516; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -3260,12 +3278,14 @@ static enum ndr_err_code ndr_push_samr_CryptPasswordEx(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_samr_CryptPasswordEx(struct ndr_pull *ndr, int ndr_flags, struct samr_CryptPasswordEx *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 532)); >+ size_data_0 = 532; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -3923,6 +3943,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_RidWithAttributeArray(struct ndr_push * > _PUBLIC_ enum ndr_err_code ndr_pull_samr_RidWithAttributeArray(struct ndr_pull *ndr, int ndr_flags, struct samr_RidWithAttributeArray *r) > { > uint32_t _ptr_rids; >+ uint32_t size_rids_1 = 0; > uint32_t cntr_rids_1; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_rids_1; >@@ -3942,10 +3963,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_RidWithAttributeArray(struct ndr_pull * > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_1 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); > _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_1 = 0; cntr_rids_1 < r->count; cntr_rids_1++) { >+ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { > NDR_CHECK(ndr_pull_samr_RidWithAttribute(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); >@@ -4061,6 +4083,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoGeneral(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_samr_DispInfoGeneral(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoGeneral *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4080,13 +4103,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoGeneral(struct ndr_pull *ndr, int > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryGeneral(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryGeneral(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4197,6 +4221,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoFull(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_samr_DispInfoFull(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoFull *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4216,13 +4241,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoFull(struct ndr_pull *ndr, int nd > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFull(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFull(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4333,6 +4359,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoFullGroups(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_samr_DispInfoFullGroups(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoFullGroups *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4352,13 +4379,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoFullGroups(struct ndr_pull *ndr, > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFullGroup(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFullGroup(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4458,6 +4486,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoAscii(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_samr_DispInfoAscii(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoAscii *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4477,13 +4506,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoAscii(struct ndr_pull *ndr, int n > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryAscii(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryAscii(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4993,6 +5023,7 @@ static enum ndr_err_code ndr_push_samr_ValidationBlob(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_samr_ValidationBlob(struct ndr_pull *ndr, int ndr_flags, struct samr_ValidationBlob *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5010,8 +5041,9 @@ static enum ndr_err_code ndr_pull_samr_ValidationBlob(struct ndr_pull *ndr, int > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -5066,6 +5098,7 @@ static enum ndr_err_code ndr_push_samr_ValidatePasswordInfo(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_samr_ValidatePasswordInfo(struct ndr_pull *ndr, int ndr_flags, struct samr_ValidatePasswordInfo *r) > { > uint32_t _ptr_pwd_history; >+ uint32_t size_pwd_history_1 = 0; > uint32_t cntr_pwd_history_1; > TALLOC_CTX *_mem_save_pwd_history_0; > TALLOC_CTX *_mem_save_pwd_history_1; >@@ -5090,13 +5123,14 @@ static enum ndr_err_code ndr_pull_samr_ValidatePasswordInfo(struct ndr_pull *ndr > _mem_save_pwd_history_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->pwd_history, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->pwd_history)); >- NDR_PULL_ALLOC_N(ndr, r->pwd_history, ndr_get_array_size(ndr, &r->pwd_history)); >+ size_pwd_history_1 = ndr_get_array_size(ndr, &r->pwd_history); >+ NDR_PULL_ALLOC_N(ndr, r->pwd_history, size_pwd_history_1); > _mem_save_pwd_history_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->pwd_history, 0); >- for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < r->pwd_history_len; cntr_pwd_history_1++) { >+ for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < size_pwd_history_1; cntr_pwd_history_1++) { > NDR_CHECK(ndr_pull_samr_ValidationBlob(ndr, NDR_SCALARS, &r->pwd_history[cntr_pwd_history_1])); > } >- for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < r->pwd_history_len; cntr_pwd_history_1++) { >+ for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < size_pwd_history_1; cntr_pwd_history_1++) { > NDR_CHECK(ndr_pull_samr_ValidationBlob(ndr, NDR_BUFFERS, &r->pwd_history[cntr_pwd_history_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pwd_history_1, 0); >@@ -7425,6 +7459,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_LookupNames(struct ndr_push *ndr, int f > > _PUBLIC_ enum ndr_err_code ndr_pull_samr_LookupNames(struct ndr_pull *ndr, int flags, struct samr_LookupNames *r) > { >+ uint32_t size_names_0 = 0; >+ uint32_t length_names_0 = 0; > uint32_t cntr_names_0; > TALLOC_CTX *_mem_save_domain_handle_0; > TALLOC_CTX *_mem_save_names_0; >@@ -7446,16 +7482,18 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_LookupNames(struct ndr_pull *ndr, int f > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.names)); >- if (ndr_get_array_length(ndr, &r->in.names) > ndr_get_array_size(ndr, &r->in.names)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.names), ndr_get_array_length(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ length_names_0 = ndr_get_array_length(ndr, &r->in.names); >+ if (length_names_0 > size_names_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_names_0, length_names_0); > } >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < ndr_get_array_length(ndr, &r->in.names); cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < length_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < ndr_get_array_length(ndr, &r->in.names); cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < length_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -7567,6 +7605,8 @@ static enum ndr_err_code ndr_push_samr_LookupRids(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_samr_LookupRids(struct ndr_pull *ndr, int flags, struct samr_LookupRids *r) > { >+ uint32_t size_rids_0 = 0; >+ uint32_t length_rids_0 = 0; > uint32_t cntr_rids_0; > TALLOC_CTX *_mem_save_domain_handle_0; > TALLOC_CTX *_mem_save_rids_0; >@@ -7588,13 +7628,15 @@ static enum ndr_err_code ndr_pull_samr_LookupRids(struct ndr_pull *ndr, int flag > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rids)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rids)); >- if (ndr_get_array_length(ndr, &r->in.rids) > ndr_get_array_size(ndr, &r->in.rids)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rids), ndr_get_array_length(ndr, &r->in.rids)); >+ size_rids_0 = ndr_get_array_size(ndr, &r->in.rids); >+ length_rids_0 = ndr_get_array_length(ndr, &r->in.rids); >+ if (length_rids_0 > size_rids_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rids_0, length_rids_0); > } >- NDR_PULL_ALLOC_N(ndr, r->in.rids, ndr_get_array_size(ndr, &r->in.rids)); >+ NDR_PULL_ALLOC_N(ndr, r->in.rids, size_rids_0); > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.rids, 0); >- for (cntr_rids_0 = 0; cntr_rids_0 < ndr_get_array_length(ndr, &r->in.rids); cntr_rids_0++) { >+ for (cntr_rids_0 = 0; cntr_rids_0 < length_rids_0; cntr_rids_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.rids[cntr_rids_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_0, 0); >@@ -11266,6 +11308,8 @@ static enum ndr_err_code ndr_push_samr_Connect2(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_samr_Connect2(struct ndr_pull *ndr, int flags, struct samr_Connect2 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_connect_handle_0; > if (flags & NDR_IN) { >@@ -11282,11 +11326,13 @@ static enum ndr_err_code ndr_pull_samr_Connect2(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_samr_ConnectAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); >@@ -11586,6 +11632,8 @@ static enum ndr_err_code ndr_push_samr_Connect3(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_samr_Connect3(struct ndr_pull *ndr, int flags, struct samr_Connect3 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_connect_handle_0; > if (flags & NDR_IN) { >@@ -11602,11 +11650,13 @@ static enum ndr_err_code ndr_pull_samr_Connect3(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown)); >@@ -11686,6 +11736,8 @@ static enum ndr_err_code ndr_push_samr_Connect4(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_samr_Connect4(struct ndr_pull *ndr, int flags, struct samr_Connect4 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_connect_handle_0; > if (flags & NDR_IN) { >@@ -11702,11 +11754,13 @@ static enum ndr_err_code ndr_pull_samr_Connect4(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_samr_ConnectVersion(ndr, NDR_SCALARS, &r->in.client_version)); >@@ -12084,6 +12138,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_Connect5(struct ndr_push *ndr, int flag > _PUBLIC_ enum ndr_err_code ndr_pull_samr_Connect5(struct ndr_pull *ndr, int flags, struct samr_Connect5 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_info_in_0; > TALLOC_CTX *_mem_save_level_out_0; >@@ -12103,11 +12159,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_Connect5(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_samr_ConnectAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); >diff --git a/librpc/gen_ndr/ndr_schannel.c b/librpc/gen_ndr/ndr_schannel.c >index 9a2396f..f2acd7b 100644 >--- a/librpc/gen_ndr/ndr_schannel.c >+++ b/librpc/gen_ndr/ndr_schannel.c >@@ -42,6 +42,11 @@ _PUBLIC_ enum ndr_err_code ndr_push_netlogon_creds_CredentialState(struct ndr_pu > > _PUBLIC_ enum ndr_err_code ndr_pull_netlogon_creds_CredentialState(struct ndr_pull *ndr, int ndr_flags, struct netlogon_creds_CredentialState *r) > { >+ uint32_t size_session_key_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; > uint32_t _ptr_sid; > TALLOC_CTX *_mem_save_sid_0; > { >@@ -50,7 +55,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netlogon_creds_CredentialState(struct ndr_pu > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_netr_NegotiateFlags(ndr, NDR_SCALARS, &r->negotiate_flags)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, 16)); >+ size_session_key_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, size_session_key_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sequence)); > NDR_CHECK(ndr_pull_netr_Credential(ndr, NDR_SCALARS, &r->seed)); > NDR_CHECK(ndr_pull_netr_Credential(ndr, NDR_SCALARS, &r->client)); >@@ -58,18 +64,22 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netlogon_creds_CredentialState(struct ndr_pu > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_name)); >- if (ndr_get_array_length(ndr, &r->computer_name) > ndr_get_array_size(ndr, &r->computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_name), ndr_get_array_length(ndr, &r->computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_name, ndr_get_array_length(ndr, &r->computer_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_name, length_computer_name_0, sizeof(uint8_t), CH_UTF8)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); >- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_0, sizeof(uint8_t), CH_UTF8)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -535,6 +545,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_NL_AUTH_SIGNATURE(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_NL_AUTH_SIGNATURE(struct ndr_pull *ndr, int ndr_flags, struct NL_AUTH_SIGNATURE *r) > { >+ uint32_t size_SequenceNumber_0 = 0; >+ uint32_t size_Checksum_0 = 0; >+ uint32_t size_Confounder_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); >@@ -544,9 +557,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_NL_AUTH_SIGNATURE(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_NL_SEAL_ALGORITHM(ndr, NDR_SCALARS, &r->SealAlgorithm)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Pad)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Flags)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SequenceNumber, 8)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, 8)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Confounder, 8)); >+ size_SequenceNumber_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SequenceNumber, size_SequenceNumber_0)); >+ size_Checksum_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, size_Checksum_0)); >+ size_Confounder_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Confounder, size_Confounder_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 3)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -600,6 +616,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_NL_AUTH_SHA2_SIGNATURE(struct ndr_push *ndr, > > _PUBLIC_ enum ndr_err_code ndr_pull_NL_AUTH_SHA2_SIGNATURE(struct ndr_pull *ndr, int ndr_flags, struct NL_AUTH_SHA2_SIGNATURE *r) > { >+ uint32_t size_SequenceNumber_0 = 0; >+ uint32_t size_Checksum_0 = 0; >+ uint32_t size_Confounder_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); >@@ -609,9 +628,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_NL_AUTH_SHA2_SIGNATURE(struct ndr_pull *ndr, > NDR_CHECK(ndr_pull_NL_SEAL_ALGORITHM(ndr, NDR_SCALARS, &r->SealAlgorithm)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Pad)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Flags)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SequenceNumber, 8)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, 32)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Confounder, 8)); >+ size_SequenceNumber_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SequenceNumber, size_SequenceNumber_0)); >+ size_Checksum_0 = 32; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, size_Checksum_0)); >+ size_Confounder_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Confounder, size_Confounder_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 3)); > } > if (ndr_flags & NDR_BUFFERS) { >diff --git a/librpc/gen_ndr/ndr_security.c b/librpc/gen_ndr/ndr_security.c >index b59eb19..4c80b00 100644 >--- a/librpc/gen_ndr/ndr_security.c >+++ b/librpc/gen_ndr/ndr_security.c >@@ -501,6 +501,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_acl(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_security_acl(struct ndr_pull *ndr, int ndr_flags, struct security_acl *r) > { >+ uint32_t size_aces_0 = 0; > uint32_t cntr_aces_0; > TALLOC_CTX *_mem_save_aces_0; > if (ndr_flags & NDR_SCALARS) { >@@ -511,19 +512,21 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_acl(struct ndr_pull *ndr, int ndr_f > if (r->num_aces > 1000) { > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_PULL_ALLOC_N(ndr, r->aces, r->num_aces); >+ size_aces_0 = r->num_aces; >+ NDR_PULL_ALLOC_N(ndr, r->aces, size_aces_0); > _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0); >- for (cntr_aces_0 = 0; cntr_aces_0 < r->num_aces; cntr_aces_0++) { >+ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) { > NDR_CHECK(ndr_pull_security_ace(ndr, NDR_SCALARS, &r->aces[cntr_aces_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0, 0); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_aces_0 = r->num_aces; > _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0); >- for (cntr_aces_0 = 0; cntr_aces_0 < r->num_aces; cntr_aces_0++) { >+ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) { > NDR_CHECK(ndr_pull_security_ace(ndr, NDR_BUFFERS, &r->aces[cntr_aces_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0, 0); >@@ -898,6 +901,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr > uint32_t _ptr_group_sid; > TALLOC_CTX *_mem_save_group_sid_0; > uint32_t _ptr_sids; >+ uint32_t size_sids_0 = 0; > uint32_t cntr_sids_0; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -919,10 +923,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_sids)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_0 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_0); > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { >+ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sids)); > if (_ptr_sids) { > NDR_PULL_ALLOC(ndr, r->sids[cntr_sids_0]); >@@ -956,9 +961,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr > NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0); > } >+ size_sids_0 = ndr_get_array_size(ndr, &r->sids); > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { >+ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { > if (r->sids[cntr_sids_0]) { > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids[cntr_sids_0], 0); >diff --git a/librpc/gen_ndr/ndr_spoolss.c b/librpc/gen_ndr/ndr_spoolss.c >index c94edef..b11a6a1 100644 >--- a/librpc/gen_ndr/ndr_spoolss.c >+++ b/librpc/gen_ndr/ndr_spoolss.c >@@ -1086,9 +1086,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_DeviceMode(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_DeviceMode(struct ndr_pull *ndr, int ndr_flags, struct spoolss_DeviceMode *r) > { >+ uint32_t size_devicename_0 = 0; >+ uint32_t size_formname_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devicename, MAXDEVICENAME, sizeof(uint16_t), CH_UTF16)); >+ size_devicename_0 = MAXDEVICENAME; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devicename, size_devicename_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_spoolss_DeviceModeSpecVersion(ndr, NDR_SCALARS, &r->specversion)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->driverversion)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); >@@ -1107,7 +1110,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_DeviceMode(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->yresolution)); > NDR_CHECK(ndr_pull_spoolss_DeviceModeTTOption(ndr, NDR_SCALARS, &r->ttoption)); > NDR_CHECK(ndr_pull_spoolss_DeviceModeCollate(ndr, NDR_SCALARS, &r->collate)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->formname, MAXDEVICENAME, sizeof(uint16_t), CH_UTF16)); >+ size_formname_0 = MAXDEVICENAME; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->formname, size_formname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->logpixels)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->bitsperpel)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->pelswidth)); >@@ -5022,16 +5026,28 @@ static enum ndr_err_code ndr_push_spoolss_SetJobInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetJobInfo1 *r) > { > uint32_t _ptr_printer_name; >+ uint32_t size_printer_name_1 = 0; >+ uint32_t length_printer_name_1 = 0; > TALLOC_CTX *_mem_save_printer_name_0; > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_user_name; >+ uint32_t size_user_name_1 = 0; >+ uint32_t length_user_name_1 = 0; > TALLOC_CTX *_mem_save_user_name_0; > uint32_t _ptr_document_name; >+ uint32_t size_document_name_1 = 0; >+ uint32_t length_document_name_1 = 0; > TALLOC_CTX *_mem_save_document_name_0; > uint32_t _ptr_data_type; >+ uint32_t size_data_type_1 = 0; >+ uint32_t length_data_type_1 = 0; > TALLOC_CTX *_mem_save_data_type_0; > uint32_t _ptr_text_status; >+ uint32_t size_text_status_1 = 0; >+ uint32_t length_text_status_1 = 0; > TALLOC_CTX *_mem_save_text_status_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5089,11 +5105,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->printer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printer_name)); >- if (ndr_get_array_length(ndr, &r->printer_name) > ndr_get_array_size(ndr, &r->printer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printer_name), ndr_get_array_length(ndr, &r->printer_name)); >+ size_printer_name_1 = ndr_get_array_size(ndr, &r->printer_name); >+ length_printer_name_1 = ndr_get_array_length(ndr, &r->printer_name); >+ if (length_printer_name_1 > size_printer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printer_name_1, length_printer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, length_printer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printer_name_0, 0); > } > if (r->server_name) { >@@ -5101,11 +5119,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->user_name) { >@@ -5113,11 +5133,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); >- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); >+ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); >+ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); >+ if (length_user_name_1 > size_user_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); > } > if (r->document_name) { >@@ -5125,11 +5147,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); >- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); >+ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); >+ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); >+ if (length_document_name_1 > size_document_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); > } > if (r->data_type) { >@@ -5137,11 +5161,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->data_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_type)); >- if (ndr_get_array_length(ndr, &r->data_type) > ndr_get_array_size(ndr, &r->data_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_type), ndr_get_array_length(ndr, &r->data_type)); >+ size_data_type_1 = ndr_get_array_size(ndr, &r->data_type); >+ length_data_type_1 = ndr_get_array_length(ndr, &r->data_type); >+ if (length_data_type_1 > size_data_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); > } > if (r->text_status) { >@@ -5149,11 +5175,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->text_status, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->text_status)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->text_status)); >- if (ndr_get_array_length(ndr, &r->text_status) > ndr_get_array_size(ndr, &r->text_status)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->text_status), ndr_get_array_length(ndr, &r->text_status)); >+ size_text_status_1 = ndr_get_array_size(ndr, &r->text_status); >+ length_text_status_1 = ndr_get_array_length(ndr, &r->text_status); >+ if (length_text_status_1 > size_text_status_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_text_status_1, length_text_status_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_text_status_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, length_text_status_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_text_status_0, 0); > } > } >@@ -5307,24 +5335,44 @@ static enum ndr_err_code ndr_push_spoolss_SetJobInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetJobInfo2 *r) > { > uint32_t _ptr_printer_name; >+ uint32_t size_printer_name_1 = 0; >+ uint32_t length_printer_name_1 = 0; > TALLOC_CTX *_mem_save_printer_name_0; > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_user_name; >+ uint32_t size_user_name_1 = 0; >+ uint32_t length_user_name_1 = 0; > TALLOC_CTX *_mem_save_user_name_0; > uint32_t _ptr_document_name; >+ uint32_t size_document_name_1 = 0; >+ uint32_t length_document_name_1 = 0; > TALLOC_CTX *_mem_save_document_name_0; > uint32_t _ptr_notify_name; >+ uint32_t size_notify_name_1 = 0; >+ uint32_t length_notify_name_1 = 0; > TALLOC_CTX *_mem_save_notify_name_0; > uint32_t _ptr_data_type; >+ uint32_t size_data_type_1 = 0; >+ uint32_t length_data_type_1 = 0; > TALLOC_CTX *_mem_save_data_type_0; > uint32_t _ptr_print_processor; >+ uint32_t size_print_processor_1 = 0; >+ uint32_t length_print_processor_1 = 0; > TALLOC_CTX *_mem_save_print_processor_0; > uint32_t _ptr_parameters; >+ uint32_t size_parameters_1 = 0; >+ uint32_t length_parameters_1 = 0; > TALLOC_CTX *_mem_save_parameters_0; > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_text_status; >+ uint32_t size_text_status_1 = 0; >+ uint32_t length_text_status_1 = 0; > TALLOC_CTX *_mem_save_text_status_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5412,11 +5460,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->printer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printer_name)); >- if (ndr_get_array_length(ndr, &r->printer_name) > ndr_get_array_size(ndr, &r->printer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printer_name), ndr_get_array_length(ndr, &r->printer_name)); >+ size_printer_name_1 = ndr_get_array_size(ndr, &r->printer_name); >+ length_printer_name_1 = ndr_get_array_length(ndr, &r->printer_name); >+ if (length_printer_name_1 > size_printer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printer_name_1, length_printer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, length_printer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printer_name_0, 0); > } > if (r->server_name) { >@@ -5424,11 +5474,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->user_name) { >@@ -5436,11 +5488,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); >- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); >+ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); >+ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); >+ if (length_user_name_1 > size_user_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); > } > if (r->document_name) { >@@ -5448,11 +5502,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); >- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); >+ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); >+ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); >+ if (length_document_name_1 > size_document_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); > } > if (r->notify_name) { >@@ -5460,11 +5516,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->notify_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->notify_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->notify_name)); >- if (ndr_get_array_length(ndr, &r->notify_name) > ndr_get_array_size(ndr, &r->notify_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->notify_name), ndr_get_array_length(ndr, &r->notify_name)); >+ size_notify_name_1 = ndr_get_array_size(ndr, &r->notify_name); >+ length_notify_name_1 = ndr_get_array_length(ndr, &r->notify_name); >+ if (length_notify_name_1 > size_notify_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_notify_name_1, length_notify_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_notify_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, length_notify_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notify_name_0, 0); > } > if (r->data_type) { >@@ -5472,11 +5530,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->data_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_type)); >- if (ndr_get_array_length(ndr, &r->data_type) > ndr_get_array_size(ndr, &r->data_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_type), ndr_get_array_length(ndr, &r->data_type)); >+ size_data_type_1 = ndr_get_array_size(ndr, &r->data_type); >+ length_data_type_1 = ndr_get_array_length(ndr, &r->data_type); >+ if (length_data_type_1 > size_data_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); > } > if (r->print_processor) { >@@ -5484,11 +5544,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->print_processor, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->print_processor)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->print_processor)); >- if (ndr_get_array_length(ndr, &r->print_processor) > ndr_get_array_size(ndr, &r->print_processor)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->print_processor), ndr_get_array_length(ndr, &r->print_processor)); >+ size_print_processor_1 = ndr_get_array_size(ndr, &r->print_processor); >+ length_print_processor_1 = ndr_get_array_length(ndr, &r->print_processor); >+ if (length_print_processor_1 > size_print_processor_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_1, length_print_processor_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, length_print_processor_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_0, 0); > } > if (r->parameters) { >@@ -5496,11 +5558,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->parameters, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->parameters)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->parameters)); >- if (ndr_get_array_length(ndr, &r->parameters) > ndr_get_array_size(ndr, &r->parameters)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->parameters), ndr_get_array_length(ndr, &r->parameters)); >+ size_parameters_1 = ndr_get_array_size(ndr, &r->parameters); >+ length_parameters_1 = ndr_get_array_length(ndr, &r->parameters); >+ if (length_parameters_1 > size_parameters_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parameters_1, length_parameters_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_parameters_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, length_parameters_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parameters_0, 0); > } > if (r->driver_name) { >@@ -5508,11 +5572,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->text_status) { >@@ -5520,11 +5586,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->text_status, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->text_status)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->text_status)); >- if (ndr_get_array_length(ndr, &r->text_status) > ndr_get_array_size(ndr, &r->text_status)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->text_status), ndr_get_array_length(ndr, &r->text_status)); >+ size_text_status_1 = ndr_get_array_size(ndr, &r->text_status); >+ length_text_status_1 = ndr_get_array_length(ndr, &r->text_status); >+ if (length_text_status_1 > size_text_status_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_text_status_1, length_text_status_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_text_status_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, length_text_status_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_text_status_0, 0); > } > } >@@ -5709,24 +5777,44 @@ static enum ndr_err_code ndr_push_spoolss_SetJobInfo4(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetJobInfo4 *r) > { > uint32_t _ptr_printer_name; >+ uint32_t size_printer_name_1 = 0; >+ uint32_t length_printer_name_1 = 0; > TALLOC_CTX *_mem_save_printer_name_0; > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_user_name; >+ uint32_t size_user_name_1 = 0; >+ uint32_t length_user_name_1 = 0; > TALLOC_CTX *_mem_save_user_name_0; > uint32_t _ptr_document_name; >+ uint32_t size_document_name_1 = 0; >+ uint32_t length_document_name_1 = 0; > TALLOC_CTX *_mem_save_document_name_0; > uint32_t _ptr_notify_name; >+ uint32_t size_notify_name_1 = 0; >+ uint32_t length_notify_name_1 = 0; > TALLOC_CTX *_mem_save_notify_name_0; > uint32_t _ptr_data_type; >+ uint32_t size_data_type_1 = 0; >+ uint32_t length_data_type_1 = 0; > TALLOC_CTX *_mem_save_data_type_0; > uint32_t _ptr_print_processor; >+ uint32_t size_print_processor_1 = 0; >+ uint32_t length_print_processor_1 = 0; > TALLOC_CTX *_mem_save_print_processor_0; > uint32_t _ptr_parameters; >+ uint32_t size_parameters_1 = 0; >+ uint32_t length_parameters_1 = 0; > TALLOC_CTX *_mem_save_parameters_0; > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_text_status; >+ uint32_t size_text_status_1 = 0; >+ uint32_t length_text_status_1 = 0; > TALLOC_CTX *_mem_save_text_status_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5815,11 +5903,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->printer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printer_name)); >- if (ndr_get_array_length(ndr, &r->printer_name) > ndr_get_array_size(ndr, &r->printer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printer_name), ndr_get_array_length(ndr, &r->printer_name)); >+ size_printer_name_1 = ndr_get_array_size(ndr, &r->printer_name); >+ length_printer_name_1 = ndr_get_array_length(ndr, &r->printer_name); >+ if (length_printer_name_1 > size_printer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printer_name_1, length_printer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, length_printer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printer_name_0, 0); > } > if (r->server_name) { >@@ -5827,11 +5917,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->user_name) { >@@ -5839,11 +5931,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); >- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); >+ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); >+ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); >+ if (length_user_name_1 > size_user_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); > } > if (r->document_name) { >@@ -5851,11 +5945,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); >- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); >+ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); >+ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); >+ if (length_document_name_1 > size_document_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); > } > if (r->notify_name) { >@@ -5863,11 +5959,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->notify_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->notify_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->notify_name)); >- if (ndr_get_array_length(ndr, &r->notify_name) > ndr_get_array_size(ndr, &r->notify_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->notify_name), ndr_get_array_length(ndr, &r->notify_name)); >+ size_notify_name_1 = ndr_get_array_size(ndr, &r->notify_name); >+ length_notify_name_1 = ndr_get_array_length(ndr, &r->notify_name); >+ if (length_notify_name_1 > size_notify_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_notify_name_1, length_notify_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_notify_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, length_notify_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notify_name_0, 0); > } > if (r->data_type) { >@@ -5875,11 +5973,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->data_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_type)); >- if (ndr_get_array_length(ndr, &r->data_type) > ndr_get_array_size(ndr, &r->data_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_type), ndr_get_array_length(ndr, &r->data_type)); >+ size_data_type_1 = ndr_get_array_size(ndr, &r->data_type); >+ length_data_type_1 = ndr_get_array_length(ndr, &r->data_type); >+ if (length_data_type_1 > size_data_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); > } > if (r->print_processor) { >@@ -5887,11 +5987,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->print_processor, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->print_processor)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->print_processor)); >- if (ndr_get_array_length(ndr, &r->print_processor) > ndr_get_array_size(ndr, &r->print_processor)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->print_processor), ndr_get_array_length(ndr, &r->print_processor)); >+ size_print_processor_1 = ndr_get_array_size(ndr, &r->print_processor); >+ length_print_processor_1 = ndr_get_array_length(ndr, &r->print_processor); >+ if (length_print_processor_1 > size_print_processor_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_1, length_print_processor_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, length_print_processor_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_0, 0); > } > if (r->parameters) { >@@ -5899,11 +6001,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->parameters, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->parameters)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->parameters)); >- if (ndr_get_array_length(ndr, &r->parameters) > ndr_get_array_size(ndr, &r->parameters)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->parameters), ndr_get_array_length(ndr, &r->parameters)); >+ size_parameters_1 = ndr_get_array_size(ndr, &r->parameters); >+ length_parameters_1 = ndr_get_array_length(ndr, &r->parameters); >+ if (length_parameters_1 > size_parameters_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parameters_1, length_parameters_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_parameters_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, length_parameters_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parameters_0, 0); > } > if (r->driver_name) { >@@ -5911,11 +6015,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->text_status) { >@@ -5923,11 +6029,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->text_status, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->text_status)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->text_status)); >- if (ndr_get_array_length(ndr, &r->text_status) > ndr_get_array_size(ndr, &r->text_status)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->text_status), ndr_get_array_length(ndr, &r->text_status)); >+ size_text_status_1 = ndr_get_array_size(ndr, &r->text_status); >+ length_text_status_1 = ndr_get_array_length(ndr, &r->text_status); >+ if (length_text_status_1 > size_text_status_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_text_status_1, length_text_status_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_text_status_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, length_text_status_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_text_status_0, 0); > } > } >@@ -6083,9 +6191,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -6095,7 +6207,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -6105,7 +6216,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -6115,7 +6225,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -6125,7 +6234,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -6388,8 +6496,12 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo0(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo0(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo0 *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6440,11 +6552,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->servername)); >- if (ndr_get_array_length(ndr, &r->servername) > ndr_get_array_size(ndr, &r->servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->servername), ndr_get_array_length(ndr, &r->servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > if (r->printername) { >@@ -6452,11 +6566,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); >- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > } >@@ -6545,10 +6661,16 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo1 *r) > { > uint32_t _ptr_description; >+ uint32_t size_description_1 = 0; >+ uint32_t length_description_1 = 0; > TALLOC_CTX *_mem_save_description_0; > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6579,11 +6701,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->description, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->description)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->description)); >- if (ndr_get_array_length(ndr, &r->description) > ndr_get_array_size(ndr, &r->description)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->description), ndr_get_array_length(ndr, &r->description)); >+ size_description_1 = ndr_get_array_size(ndr, &r->description); >+ length_description_1 = ndr_get_array_length(ndr, &r->description); >+ if (length_description_1 > size_description_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_description_1, length_description_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->description), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->description, ndr_get_array_length(ndr, &r->description), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_description_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->description, length_description_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_description_0, 0); > } > if (r->name) { >@@ -6591,11 +6715,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -6603,11 +6729,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -6741,26 +6869,48 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo2 *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_sharename_0; > uint32_t _ptr_portname; >+ uint32_t size_portname_1 = 0; >+ uint32_t length_portname_1 = 0; > TALLOC_CTX *_mem_save_portname_0; > uint32_t _ptr_drivername; >+ uint32_t size_drivername_1 = 0; >+ uint32_t length_drivername_1 = 0; > TALLOC_CTX *_mem_save_drivername_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_location; >+ uint32_t size_location_1 = 0; >+ uint32_t length_location_1 = 0; > TALLOC_CTX *_mem_save_location_0; > uint32_t _ptr_sepfile; >+ uint32_t size_sepfile_1 = 0; >+ uint32_t length_sepfile_1 = 0; > TALLOC_CTX *_mem_save_sepfile_0; > uint32_t _ptr_printprocessor; >+ uint32_t size_printprocessor_1 = 0; >+ uint32_t length_printprocessor_1 = 0; > TALLOC_CTX *_mem_save_printprocessor_0; > uint32_t _ptr_datatype; >+ uint32_t size_datatype_1 = 0; >+ uint32_t length_datatype_1 = 0; > TALLOC_CTX *_mem_save_datatype_0; > uint32_t _ptr_parameters; >+ uint32_t size_parameters_1 = 0; >+ uint32_t length_parameters_1 = 0; > TALLOC_CTX *_mem_save_parameters_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6851,11 +7001,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->servername)); >- if (ndr_get_array_length(ndr, &r->servername) > ndr_get_array_size(ndr, &r->servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->servername), ndr_get_array_length(ndr, &r->servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > if (r->printername) { >@@ -6863,11 +7015,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); >- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > if (r->sharename) { >@@ -6875,11 +7029,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->sharename)); >- if (ndr_get_array_length(ndr, &r->sharename) > ndr_get_array_size(ndr, &r->sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->sharename), ndr_get_array_length(ndr, &r->sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sharename, ndr_get_array_length(ndr, &r->sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > if (r->portname) { >@@ -6887,11 +7043,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->portname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->portname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->portname)); >- if (ndr_get_array_length(ndr, &r->portname) > ndr_get_array_size(ndr, &r->portname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->portname), ndr_get_array_length(ndr, &r->portname)); >+ size_portname_1 = ndr_get_array_size(ndr, &r->portname); >+ length_portname_1 = ndr_get_array_length(ndr, &r->portname); >+ if (length_portname_1 > size_portname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_portname_1, length_portname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_portname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, length_portname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_portname_0, 0); > } > if (r->drivername) { >@@ -6899,11 +7057,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->drivername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->drivername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->drivername)); >- if (ndr_get_array_length(ndr, &r->drivername) > ndr_get_array_size(ndr, &r->drivername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->drivername), ndr_get_array_length(ndr, &r->drivername)); >+ size_drivername_1 = ndr_get_array_size(ndr, &r->drivername); >+ length_drivername_1 = ndr_get_array_length(ndr, &r->drivername); >+ if (length_drivername_1 > size_drivername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_drivername_1, length_drivername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->drivername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->drivername, ndr_get_array_length(ndr, &r->drivername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_drivername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->drivername, length_drivername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_drivername_0, 0); > } > if (r->comment) { >@@ -6911,11 +7071,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->location) { >@@ -6923,11 +7085,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->location, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->location)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->location)); >- if (ndr_get_array_length(ndr, &r->location) > ndr_get_array_size(ndr, &r->location)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->location), ndr_get_array_length(ndr, &r->location)); >+ size_location_1 = ndr_get_array_size(ndr, &r->location); >+ length_location_1 = ndr_get_array_length(ndr, &r->location); >+ if (length_location_1 > size_location_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_location_1, length_location_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->location), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->location, ndr_get_array_length(ndr, &r->location), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_location_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->location, length_location_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_location_0, 0); > } > if (r->sepfile) { >@@ -6935,11 +7099,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->sepfile, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sepfile)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->sepfile)); >- if (ndr_get_array_length(ndr, &r->sepfile) > ndr_get_array_size(ndr, &r->sepfile)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->sepfile), ndr_get_array_length(ndr, &r->sepfile)); >+ size_sepfile_1 = ndr_get_array_size(ndr, &r->sepfile); >+ length_sepfile_1 = ndr_get_array_length(ndr, &r->sepfile); >+ if (length_sepfile_1 > size_sepfile_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sepfile_1, length_sepfile_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->sepfile), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sepfile, ndr_get_array_length(ndr, &r->sepfile), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sepfile_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sepfile, length_sepfile_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sepfile_0, 0); > } > if (r->printprocessor) { >@@ -6947,11 +7113,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printprocessor, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printprocessor)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printprocessor)); >- if (ndr_get_array_length(ndr, &r->printprocessor) > ndr_get_array_size(ndr, &r->printprocessor)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printprocessor), ndr_get_array_length(ndr, &r->printprocessor)); >+ size_printprocessor_1 = ndr_get_array_size(ndr, &r->printprocessor); >+ length_printprocessor_1 = ndr_get_array_length(ndr, &r->printprocessor); >+ if (length_printprocessor_1 > size_printprocessor_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printprocessor_1, length_printprocessor_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printprocessor), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printprocessor, ndr_get_array_length(ndr, &r->printprocessor), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printprocessor_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printprocessor, length_printprocessor_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printprocessor_0, 0); > } > if (r->datatype) { >@@ -6959,11 +7127,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->datatype)); >- if (ndr_get_array_length(ndr, &r->datatype) > ndr_get_array_size(ndr, &r->datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->datatype), ndr_get_array_length(ndr, &r->datatype)); >+ size_datatype_1 = ndr_get_array_size(ndr, &r->datatype); >+ length_datatype_1 = ndr_get_array_length(ndr, &r->datatype); >+ if (length_datatype_1 > size_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_datatype_1, length_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, length_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_datatype_0, 0); > } > if (r->parameters) { >@@ -6971,11 +7141,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->parameters, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->parameters)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->parameters)); >- if (ndr_get_array_length(ndr, &r->parameters) > ndr_get_array_size(ndr, &r->parameters)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->parameters), ndr_get_array_length(ndr, &r->parameters)); >+ size_parameters_1 = ndr_get_array_size(ndr, &r->parameters); >+ length_parameters_1 = ndr_get_array_length(ndr, &r->parameters); >+ if (length_parameters_1 > size_parameters_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parameters_1, length_parameters_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_parameters_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, length_parameters_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parameters_0, 0); > } > } >@@ -7126,8 +7298,12 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo4(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo4(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo4 *r) > { > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7152,11 +7328,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo4(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); >- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > if (r->servername) { >@@ -7164,11 +7342,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo4(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->servername)); >- if (ndr_get_array_length(ndr, &r->servername) > ndr_get_array_size(ndr, &r->servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->servername), ndr_get_array_length(ndr, &r->servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > } >@@ -7226,8 +7406,12 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo5(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo5(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo5 *r) > { > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > uint32_t _ptr_portname; >+ uint32_t size_portname_1 = 0; >+ uint32_t length_portname_1 = 0; > TALLOC_CTX *_mem_save_portname_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7254,11 +7438,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo5(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); >- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > if (r->portname) { >@@ -7266,11 +7452,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo5(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->portname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->portname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->portname)); >- if (ndr_get_array_length(ndr, &r->portname) > ndr_get_array_size(ndr, &r->portname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->portname), ndr_get_array_length(ndr, &r->portname)); >+ size_portname_1 = ndr_get_array_size(ndr, &r->portname); >+ length_portname_1 = ndr_get_array_length(ndr, &r->portname); >+ if (length_portname_1 > size_portname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_portname_1, length_portname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_portname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, length_portname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_portname_0, 0); > } > } >@@ -7353,6 +7541,8 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo7(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo7(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo7 *r) > { > uint32_t _ptr_guid; >+ uint32_t size_guid_1 = 0; >+ uint32_t length_guid_1 = 0; > TALLOC_CTX *_mem_save_guid_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7371,11 +7561,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo7(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->guid, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->guid)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->guid)); >- if (ndr_get_array_length(ndr, &r->guid) > ndr_get_array_size(ndr, &r->guid)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->guid), ndr_get_array_length(ndr, &r->guid)); >+ size_guid_1 = ndr_get_array_size(ndr, &r->guid); >+ length_guid_1 = ndr_get_array_length(ndr, &r->guid); >+ if (length_guid_1 > size_guid_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_guid_1, length_guid_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->guid), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guid, ndr_get_array_length(ndr, &r->guid), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_guid_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guid, length_guid_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guid_0, 0); > } > } >@@ -7588,15 +7780,25 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > TALLOC_CTX *_mem_save_info5_0; >+ uint32_t _ptr_info5; > TALLOC_CTX *_mem_save_info6_0; >+ uint32_t _ptr_info6; > TALLOC_CTX *_mem_save_info7_0; >+ uint32_t _ptr_info7; > TALLOC_CTX *_mem_save_info8_0; >+ uint32_t _ptr_info8; > TALLOC_CTX *_mem_save_info9_0; >+ uint32_t _ptr_info9; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -7606,7 +7808,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -7616,7 +7817,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -7626,7 +7826,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -7636,7 +7835,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -7646,7 +7844,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -7656,7 +7853,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 5: { >- uint32_t _ptr_info5; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); > if (_ptr_info5) { > NDR_PULL_ALLOC(ndr, r->info5); >@@ -7666,7 +7862,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 6: { >- uint32_t _ptr_info6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); > if (_ptr_info6) { > NDR_PULL_ALLOC(ndr, r->info6); >@@ -7676,7 +7871,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 7: { >- uint32_t _ptr_info7; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info7)); > if (_ptr_info7) { > NDR_PULL_ALLOC(ndr, r->info7); >@@ -7686,7 +7880,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 8: { >- uint32_t _ptr_info8; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info8)); > if (_ptr_info8) { > NDR_PULL_ALLOC(ndr, r->info8); >@@ -7696,7 +7889,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 9: { >- uint32_t _ptr_info9; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info9)); > if (_ptr_info9) { > NDR_PULL_ALLOC(ndr, r->info9); >@@ -8018,6 +8210,8 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo1(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo1 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -8035,11 +8229,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo1(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > } >@@ -8136,14 +8332,24 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo2(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo2 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -8186,11 +8392,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -8198,11 +8406,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -8210,11 +8420,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -8222,11 +8434,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -8234,11 +8448,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > } >@@ -8359,20 +8575,36 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo3(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo3 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > uint32_t _ptr_help_file; >+ uint32_t size_help_file_1 = 0; >+ uint32_t length_help_file_1 = 0; > TALLOC_CTX *_mem_save_help_file_0; > uint32_t _ptr_monitor_name; >+ uint32_t size_monitor_name_1 = 0; >+ uint32_t length_monitor_name_1 = 0; > TALLOC_CTX *_mem_save_monitor_name_0; > uint32_t _ptr_default_datatype; >+ uint32_t size_default_datatype_1 = 0; >+ uint32_t length_default_datatype_1 = 0; > TALLOC_CTX *_mem_save_default_datatype_0; > uint32_t _ptr_dependent_files; > TALLOC_CTX *_mem_save_dependent_files_0; >@@ -8442,11 +8674,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -8454,11 +8688,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -8466,11 +8702,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -8478,11 +8716,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -8490,11 +8730,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > if (r->help_file) { >@@ -8502,11 +8744,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); >- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); >+ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); >+ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); >+ if (length_help_file_1 > size_help_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); > } > if (r->monitor_name) { >@@ -8514,11 +8758,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); >- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); >+ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); >+ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); >+ if (length_monitor_name_1 > size_monitor_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); > } > if (r->default_datatype) { >@@ -8526,11 +8772,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); >- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); >+ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); >+ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); >+ if (length_default_datatype_1 > size_default_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); > } > if (r->dependent_files) { >@@ -8687,20 +8935,36 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo4(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo4 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > uint32_t _ptr_help_file; >+ uint32_t size_help_file_1 = 0; >+ uint32_t length_help_file_1 = 0; > TALLOC_CTX *_mem_save_help_file_0; > uint32_t _ptr_monitor_name; >+ uint32_t size_monitor_name_1 = 0; >+ uint32_t length_monitor_name_1 = 0; > TALLOC_CTX *_mem_save_monitor_name_0; > uint32_t _ptr_default_datatype; >+ uint32_t size_default_datatype_1 = 0; >+ uint32_t length_default_datatype_1 = 0; > TALLOC_CTX *_mem_save_default_datatype_0; > uint32_t _ptr_dependent_files; > TALLOC_CTX *_mem_save_dependent_files_0; >@@ -8779,11 +9043,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -8791,11 +9057,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -8803,11 +9071,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -8815,11 +9085,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -8827,11 +9099,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > if (r->help_file) { >@@ -8839,11 +9113,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); >- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); >+ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); >+ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); >+ if (length_help_file_1 > size_help_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); > } > if (r->monitor_name) { >@@ -8851,11 +9127,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); >- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); >+ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); >+ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); >+ if (length_monitor_name_1 > size_monitor_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); > } > if (r->default_datatype) { >@@ -8863,11 +9141,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); >- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); >+ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); >+ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); >+ if (length_default_datatype_1 > size_default_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); > } > if (r->dependent_files) { >@@ -9089,32 +9369,56 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo6(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo6 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > uint32_t _ptr_help_file; >+ uint32_t size_help_file_1 = 0; >+ uint32_t length_help_file_1 = 0; > TALLOC_CTX *_mem_save_help_file_0; > uint32_t _ptr_monitor_name; >+ uint32_t size_monitor_name_1 = 0; >+ uint32_t length_monitor_name_1 = 0; > TALLOC_CTX *_mem_save_monitor_name_0; > uint32_t _ptr_default_datatype; >+ uint32_t size_default_datatype_1 = 0; >+ uint32_t length_default_datatype_1 = 0; > TALLOC_CTX *_mem_save_default_datatype_0; > uint32_t _ptr_dependent_files; > TALLOC_CTX *_mem_save_dependent_files_0; > uint32_t _ptr_previous_names; > TALLOC_CTX *_mem_save_previous_names_0; > uint32_t _ptr_manufacturer_name; >+ uint32_t size_manufacturer_name_1 = 0; >+ uint32_t length_manufacturer_name_1 = 0; > TALLOC_CTX *_mem_save_manufacturer_name_0; > uint32_t _ptr_manufacturer_url; >+ uint32_t size_manufacturer_url_1 = 0; >+ uint32_t length_manufacturer_url_1 = 0; > TALLOC_CTX *_mem_save_manufacturer_url_0; > uint32_t _ptr_hardware_id; >+ uint32_t size_hardware_id_1 = 0; >+ uint32_t length_hardware_id_1 = 0; > TALLOC_CTX *_mem_save_hardware_id_0; > uint32_t _ptr_provider; >+ uint32_t size_provider_1 = 0; >+ uint32_t length_provider_1 = 0; > TALLOC_CTX *_mem_save_provider_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -9215,11 +9519,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -9227,11 +9533,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -9239,11 +9547,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -9251,11 +9561,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -9263,11 +9575,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > if (r->help_file) { >@@ -9275,11 +9589,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); >- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); >+ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); >+ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); >+ if (length_help_file_1 > size_help_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); > } > if (r->monitor_name) { >@@ -9287,11 +9603,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); >- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); >+ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); >+ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); >+ if (length_monitor_name_1 > size_monitor_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); > } > if (r->default_datatype) { >@@ -9299,11 +9617,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); >- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); >+ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); >+ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); >+ if (length_default_datatype_1 > size_default_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); > } > if (r->dependent_files) { >@@ -9323,11 +9643,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_name)); >- if (ndr_get_array_length(ndr, &r->manufacturer_name) > ndr_get_array_size(ndr, &r->manufacturer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_name), ndr_get_array_length(ndr, &r->manufacturer_name)); >+ size_manufacturer_name_1 = ndr_get_array_size(ndr, &r->manufacturer_name); >+ length_manufacturer_name_1 = ndr_get_array_length(ndr, &r->manufacturer_name); >+ if (length_manufacturer_name_1 > size_manufacturer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_name_1, length_manufacturer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, length_manufacturer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_name_0, 0); > } > if (r->manufacturer_url) { >@@ -9335,11 +9657,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_url, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_url)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_url)); >- if (ndr_get_array_length(ndr, &r->manufacturer_url) > ndr_get_array_size(ndr, &r->manufacturer_url)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_url), ndr_get_array_length(ndr, &r->manufacturer_url)); >+ size_manufacturer_url_1 = ndr_get_array_size(ndr, &r->manufacturer_url); >+ length_manufacturer_url_1 = ndr_get_array_length(ndr, &r->manufacturer_url); >+ if (length_manufacturer_url_1 > size_manufacturer_url_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_url_1, length_manufacturer_url_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_url_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, length_manufacturer_url_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_url_0, 0); > } > if (r->hardware_id) { >@@ -9347,11 +9671,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->hardware_id, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->hardware_id)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->hardware_id)); >- if (ndr_get_array_length(ndr, &r->hardware_id) > ndr_get_array_size(ndr, &r->hardware_id)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->hardware_id), ndr_get_array_length(ndr, &r->hardware_id)); >+ size_hardware_id_1 = ndr_get_array_size(ndr, &r->hardware_id); >+ length_hardware_id_1 = ndr_get_array_length(ndr, &r->hardware_id); >+ if (length_hardware_id_1 > size_hardware_id_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_hardware_id_1, length_hardware_id_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_hardware_id_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, length_hardware_id_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_hardware_id_0, 0); > } > if (r->provider) { >@@ -9359,11 +9685,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->provider, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->provider)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->provider)); >- if (ndr_get_array_length(ndr, &r->provider) > ndr_get_array_size(ndr, &r->provider)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->provider), ndr_get_array_length(ndr, &r->provider)); >+ size_provider_1 = ndr_get_array_size(ndr, &r->provider); >+ length_provider_1 = ndr_get_array_length(ndr, &r->provider); >+ if (length_provider_1 > size_provider_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_provider_1, length_provider_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_provider_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, length_provider_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_provider_0, 0); > } > } >@@ -9611,40 +9939,70 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo8(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo8 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > uint32_t _ptr_help_file; >+ uint32_t size_help_file_1 = 0; >+ uint32_t length_help_file_1 = 0; > TALLOC_CTX *_mem_save_help_file_0; > uint32_t _ptr_monitor_name; >+ uint32_t size_monitor_name_1 = 0; >+ uint32_t length_monitor_name_1 = 0; > TALLOC_CTX *_mem_save_monitor_name_0; > uint32_t _ptr_default_datatype; >+ uint32_t size_default_datatype_1 = 0; >+ uint32_t length_default_datatype_1 = 0; > TALLOC_CTX *_mem_save_default_datatype_0; > uint32_t _ptr_dependent_files; > TALLOC_CTX *_mem_save_dependent_files_0; > uint32_t _ptr_previous_names; > TALLOC_CTX *_mem_save_previous_names_0; > uint32_t _ptr_manufacturer_name; >+ uint32_t size_manufacturer_name_1 = 0; >+ uint32_t length_manufacturer_name_1 = 0; > TALLOC_CTX *_mem_save_manufacturer_name_0; > uint32_t _ptr_manufacturer_url; >+ uint32_t size_manufacturer_url_1 = 0; >+ uint32_t length_manufacturer_url_1 = 0; > TALLOC_CTX *_mem_save_manufacturer_url_0; > uint32_t _ptr_hardware_id; >+ uint32_t size_hardware_id_1 = 0; >+ uint32_t length_hardware_id_1 = 0; > TALLOC_CTX *_mem_save_hardware_id_0; > uint32_t _ptr_provider; >+ uint32_t size_provider_1 = 0; >+ uint32_t length_provider_1 = 0; > TALLOC_CTX *_mem_save_provider_0; > uint32_t _ptr_print_processor; >+ uint32_t size_print_processor_1 = 0; >+ uint32_t length_print_processor_1 = 0; > TALLOC_CTX *_mem_save_print_processor_0; > uint32_t _ptr_vendor_setup; >+ uint32_t size_vendor_setup_1 = 0; >+ uint32_t length_vendor_setup_1 = 0; > TALLOC_CTX *_mem_save_vendor_setup_0; > uint32_t _ptr_color_profiles; > TALLOC_CTX *_mem_save_color_profiles_0; > uint32_t _ptr_inf_path; >+ uint32_t size_inf_path_1 = 0; >+ uint32_t length_inf_path_1 = 0; > TALLOC_CTX *_mem_save_inf_path_0; > uint32_t _ptr_core_driver_dependencies; > TALLOC_CTX *_mem_save_core_driver_dependencies_0; >@@ -9782,11 +10140,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -9794,11 +10154,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -9806,11 +10168,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -9818,11 +10182,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -9830,11 +10196,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > if (r->help_file) { >@@ -9842,11 +10210,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); >- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); >+ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); >+ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); >+ if (length_help_file_1 > size_help_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); > } > if (r->monitor_name) { >@@ -9854,11 +10224,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); >- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); >+ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); >+ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); >+ if (length_monitor_name_1 > size_monitor_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); > } > if (r->default_datatype) { >@@ -9866,11 +10238,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); >- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); >+ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); >+ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); >+ if (length_default_datatype_1 > size_default_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); > } > if (r->dependent_files) { >@@ -9890,11 +10264,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_name)); >- if (ndr_get_array_length(ndr, &r->manufacturer_name) > ndr_get_array_size(ndr, &r->manufacturer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_name), ndr_get_array_length(ndr, &r->manufacturer_name)); >+ size_manufacturer_name_1 = ndr_get_array_size(ndr, &r->manufacturer_name); >+ length_manufacturer_name_1 = ndr_get_array_length(ndr, &r->manufacturer_name); >+ if (length_manufacturer_name_1 > size_manufacturer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_name_1, length_manufacturer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, length_manufacturer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_name_0, 0); > } > if (r->manufacturer_url) { >@@ -9902,11 +10278,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_url, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_url)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_url)); >- if (ndr_get_array_length(ndr, &r->manufacturer_url) > ndr_get_array_size(ndr, &r->manufacturer_url)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_url), ndr_get_array_length(ndr, &r->manufacturer_url)); >+ size_manufacturer_url_1 = ndr_get_array_size(ndr, &r->manufacturer_url); >+ length_manufacturer_url_1 = ndr_get_array_length(ndr, &r->manufacturer_url); >+ if (length_manufacturer_url_1 > size_manufacturer_url_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_url_1, length_manufacturer_url_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_url_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, length_manufacturer_url_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_url_0, 0); > } > if (r->hardware_id) { >@@ -9914,11 +10292,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->hardware_id, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->hardware_id)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->hardware_id)); >- if (ndr_get_array_length(ndr, &r->hardware_id) > ndr_get_array_size(ndr, &r->hardware_id)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->hardware_id), ndr_get_array_length(ndr, &r->hardware_id)); >+ size_hardware_id_1 = ndr_get_array_size(ndr, &r->hardware_id); >+ length_hardware_id_1 = ndr_get_array_length(ndr, &r->hardware_id); >+ if (length_hardware_id_1 > size_hardware_id_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_hardware_id_1, length_hardware_id_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_hardware_id_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, length_hardware_id_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_hardware_id_0, 0); > } > if (r->provider) { >@@ -9926,11 +10306,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->provider, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->provider)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->provider)); >- if (ndr_get_array_length(ndr, &r->provider) > ndr_get_array_size(ndr, &r->provider)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->provider), ndr_get_array_length(ndr, &r->provider)); >+ size_provider_1 = ndr_get_array_size(ndr, &r->provider); >+ length_provider_1 = ndr_get_array_length(ndr, &r->provider); >+ if (length_provider_1 > size_provider_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_provider_1, length_provider_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_provider_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, length_provider_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_provider_0, 0); > } > if (r->print_processor) { >@@ -9938,11 +10320,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->print_processor, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->print_processor)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->print_processor)); >- if (ndr_get_array_length(ndr, &r->print_processor) > ndr_get_array_size(ndr, &r->print_processor)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->print_processor), ndr_get_array_length(ndr, &r->print_processor)); >+ size_print_processor_1 = ndr_get_array_size(ndr, &r->print_processor); >+ length_print_processor_1 = ndr_get_array_length(ndr, &r->print_processor); >+ if (length_print_processor_1 > size_print_processor_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_1, length_print_processor_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, length_print_processor_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_0, 0); > } > if (r->vendor_setup) { >@@ -9950,11 +10334,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->vendor_setup, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->vendor_setup)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->vendor_setup)); >- if (ndr_get_array_length(ndr, &r->vendor_setup) > ndr_get_array_size(ndr, &r->vendor_setup)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->vendor_setup), ndr_get_array_length(ndr, &r->vendor_setup)); >+ size_vendor_setup_1 = ndr_get_array_size(ndr, &r->vendor_setup); >+ length_vendor_setup_1 = ndr_get_array_length(ndr, &r->vendor_setup); >+ if (length_vendor_setup_1 > size_vendor_setup_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_vendor_setup_1, length_vendor_setup_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->vendor_setup), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->vendor_setup, ndr_get_array_length(ndr, &r->vendor_setup), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_vendor_setup_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->vendor_setup, length_vendor_setup_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_vendor_setup_0, 0); > } > if (r->color_profiles) { >@@ -9968,11 +10354,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->inf_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->inf_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->inf_path)); >- if (ndr_get_array_length(ndr, &r->inf_path) > ndr_get_array_size(ndr, &r->inf_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->inf_path), ndr_get_array_length(ndr, &r->inf_path)); >+ size_inf_path_1 = ndr_get_array_size(ndr, &r->inf_path); >+ length_inf_path_1 = ndr_get_array_length(ndr, &r->inf_path); >+ if (length_inf_path_1 > size_inf_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_inf_path_1, length_inf_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->inf_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->inf_path, ndr_get_array_length(ndr, &r->inf_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_inf_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->inf_path, length_inf_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_inf_path_0, 0); > } > if (r->core_driver_dependencies) { >@@ -10202,11 +10590,17 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo(struct ndr_pull *ndr, in > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > TALLOC_CTX *_mem_save_info6_0; >+ uint32_t _ptr_info6; > TALLOC_CTX *_mem_save_info8_0; >+ uint32_t _ptr_info8; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -10216,7 +10610,6 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -10226,7 +10619,6 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo(struct ndr_pull *ndr, in > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -10236,7 +10628,6 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo(struct ndr_pull *ndr, in > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -10246,7 +10637,6 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo(struct ndr_pull *ndr, in > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -10256,7 +10646,6 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo(struct ndr_pull *ndr, in > break; } > > case 6: { >- uint32_t _ptr_info6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); > if (_ptr_info6) { > NDR_PULL_ALLOC(ndr, r->info6); >@@ -10266,7 +10655,6 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo(struct ndr_pull *ndr, in > break; } > > case 8: { >- uint32_t _ptr_info8; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info8)); > if (_ptr_info8) { > NDR_PULL_ALLOC(ndr, r->info8); >@@ -15177,10 +15565,16 @@ static enum ndr_err_code ndr_push_spoolss_DocumentInfo1(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_spoolss_DocumentInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_DocumentInfo1 *r) > { > uint32_t _ptr_document_name; >+ uint32_t size_document_name_1 = 0; >+ uint32_t length_document_name_1 = 0; > TALLOC_CTX *_mem_save_document_name_0; > uint32_t _ptr_output_file; >+ uint32_t size_output_file_1 = 0; >+ uint32_t length_output_file_1 = 0; > TALLOC_CTX *_mem_save_output_file_0; > uint32_t _ptr_datatype; >+ uint32_t size_datatype_1 = 0; >+ uint32_t length_datatype_1 = 0; > TALLOC_CTX *_mem_save_datatype_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -15210,11 +15604,13 @@ static enum ndr_err_code ndr_pull_spoolss_DocumentInfo1(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); >- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); >+ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); >+ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); >+ if (length_document_name_1 > size_document_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); > } > if (r->output_file) { >@@ -15222,11 +15618,13 @@ static enum ndr_err_code ndr_pull_spoolss_DocumentInfo1(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->output_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->output_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->output_file)); >- if (ndr_get_array_length(ndr, &r->output_file) > ndr_get_array_size(ndr, &r->output_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->output_file), ndr_get_array_length(ndr, &r->output_file)); >+ size_output_file_1 = ndr_get_array_size(ndr, &r->output_file); >+ length_output_file_1 = ndr_get_array_length(ndr, &r->output_file); >+ if (length_output_file_1 > size_output_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_output_file_1, length_output_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->output_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->output_file, ndr_get_array_length(ndr, &r->output_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_output_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->output_file, length_output_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_output_file_0, 0); > } > if (r->datatype) { >@@ -15234,11 +15632,13 @@ static enum ndr_err_code ndr_pull_spoolss_DocumentInfo1(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->datatype)); >- if (ndr_get_array_length(ndr, &r->datatype) > ndr_get_array_size(ndr, &r->datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->datatype), ndr_get_array_length(ndr, &r->datatype)); >+ size_datatype_1 = ndr_get_array_size(ndr, &r->datatype); >+ length_datatype_1 = ndr_get_array_length(ndr, &r->datatype); >+ if (length_datatype_1 > size_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_datatype_1, length_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, length_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_datatype_0, 0); > } > } >@@ -15320,6 +15720,7 @@ static enum ndr_err_code ndr_pull_spoolss_DocumentInfo(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -15329,7 +15730,6 @@ static enum ndr_err_code ndr_pull_spoolss_DocumentInfo(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -16380,6 +16780,8 @@ static enum ndr_err_code ndr_push_spoolss_AddFormInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_AddFormInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddFormInfo1 *r) > { > uint32_t _ptr_form_name; >+ uint32_t size_form_name_1 = 0; >+ uint32_t length_form_name_1 = 0; > TALLOC_CTX *_mem_save_form_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -16400,11 +16802,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddFormInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->form_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->form_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->form_name)); >- if (ndr_get_array_length(ndr, &r->form_name) > ndr_get_array_size(ndr, &r->form_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->form_name), ndr_get_array_length(ndr, &r->form_name)); >+ size_form_name_1 = ndr_get_array_size(ndr, &r->form_name); >+ length_form_name_1 = ndr_get_array_length(ndr, &r->form_name); >+ if (length_form_name_1 > size_form_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_1, length_form_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->form_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->form_name, ndr_get_array_length(ndr, &r->form_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->form_name, length_form_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_form_name_0, 0); > } > } >@@ -16475,12 +16879,20 @@ static enum ndr_err_code ndr_push_spoolss_AddFormInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_AddFormInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddFormInfo2 *r) > { > uint32_t _ptr_form_name; >+ uint32_t size_form_name_1 = 0; >+ uint32_t length_form_name_1 = 0; > TALLOC_CTX *_mem_save_form_name_0; > uint32_t _ptr_keyword; >+ uint32_t size_keyword_1 = 0; >+ uint32_t length_keyword_1 = 0; > TALLOC_CTX *_mem_save_keyword_0; > uint32_t _ptr_mui_dll; >+ uint32_t size_mui_dll_1 = 0; >+ uint32_t length_mui_dll_1 = 0; > TALLOC_CTX *_mem_save_mui_dll_0; > uint32_t _ptr_display_name; >+ uint32_t size_display_name_1 = 0; >+ uint32_t length_display_name_1 = 0; > TALLOC_CTX *_mem_save_display_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -16522,11 +16934,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddFormInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->form_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->form_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->form_name)); >- if (ndr_get_array_length(ndr, &r->form_name) > ndr_get_array_size(ndr, &r->form_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->form_name), ndr_get_array_length(ndr, &r->form_name)); >+ size_form_name_1 = ndr_get_array_size(ndr, &r->form_name); >+ length_form_name_1 = ndr_get_array_length(ndr, &r->form_name); >+ if (length_form_name_1 > size_form_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_1, length_form_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->form_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->form_name, ndr_get_array_length(ndr, &r->form_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->form_name, length_form_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_form_name_0, 0); > } > if (r->keyword) { >@@ -16534,11 +16948,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddFormInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->keyword, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->keyword)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->keyword)); >- if (ndr_get_array_length(ndr, &r->keyword) > ndr_get_array_size(ndr, &r->keyword)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->keyword), ndr_get_array_length(ndr, &r->keyword)); >+ size_keyword_1 = ndr_get_array_size(ndr, &r->keyword); >+ length_keyword_1 = ndr_get_array_length(ndr, &r->keyword); >+ if (length_keyword_1 > size_keyword_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_keyword_1, length_keyword_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->keyword), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->keyword, ndr_get_array_length(ndr, &r->keyword), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_keyword_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->keyword, length_keyword_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keyword_0, 0); > } > if (r->mui_dll) { >@@ -16546,11 +16962,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddFormInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->mui_dll, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->mui_dll)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->mui_dll)); >- if (ndr_get_array_length(ndr, &r->mui_dll) > ndr_get_array_size(ndr, &r->mui_dll)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->mui_dll), ndr_get_array_length(ndr, &r->mui_dll)); >+ size_mui_dll_1 = ndr_get_array_size(ndr, &r->mui_dll); >+ length_mui_dll_1 = ndr_get_array_length(ndr, &r->mui_dll); >+ if (length_mui_dll_1 > size_mui_dll_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_mui_dll_1, length_mui_dll_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->mui_dll), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->mui_dll, ndr_get_array_length(ndr, &r->mui_dll), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_mui_dll_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->mui_dll, length_mui_dll_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_mui_dll_0, 0); > } > if (r->display_name) { >@@ -16558,11 +16976,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddFormInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->display_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->display_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->display_name)); >- if (ndr_get_array_length(ndr, &r->display_name) > ndr_get_array_size(ndr, &r->display_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->display_name), ndr_get_array_length(ndr, &r->display_name)); >+ size_display_name_1 = ndr_get_array_size(ndr, &r->display_name); >+ length_display_name_1 = ndr_get_array_length(ndr, &r->display_name); >+ if (length_display_name_1 > size_display_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_1, length_display_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->display_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->display_name, ndr_get_array_length(ndr, &r->display_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->display_name, length_display_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, 0); > } > } >@@ -16652,7 +17072,9 @@ static enum ndr_err_code ndr_pull_spoolss_AddFormInfo(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -16662,7 +17084,6 @@ static enum ndr_err_code ndr_pull_spoolss_AddFormInfo(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -16672,7 +17093,6 @@ static enum ndr_err_code ndr_pull_spoolss_AddFormInfo(struct ndr_pull *ndr, int > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -18308,6 +18728,7 @@ static enum ndr_err_code ndr_push_spoolss_NotifyOptionType(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_NotifyOptionType(struct ndr_pull *ndr, int ndr_flags, struct spoolss_NotifyOptionType *r) > { > uint32_t _ptr_fields; >+ uint32_t size_fields_1 = 0; > uint32_t cntr_fields_1; > TALLOC_CTX *_mem_save_fields_0; > TALLOC_CTX *_mem_save_fields_1; >@@ -18331,10 +18752,11 @@ static enum ndr_err_code ndr_pull_spoolss_NotifyOptionType(struct ndr_pull *ndr, > _mem_save_fields_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->fields, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->fields)); >- NDR_PULL_ALLOC_N(ndr, r->fields, ndr_get_array_size(ndr, &r->fields)); >+ size_fields_1 = ndr_get_array_size(ndr, &r->fields); >+ NDR_PULL_ALLOC_N(ndr, r->fields, size_fields_1); > _mem_save_fields_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->fields, 0); >- for (cntr_fields_1 = 0; cntr_fields_1 < r->count; cntr_fields_1++) { >+ for (cntr_fields_1 = 0; cntr_fields_1 < size_fields_1; cntr_fields_1++) { > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->fields[cntr_fields_1], r->type)); > NDR_CHECK(ndr_pull_spoolss_Field(ndr, NDR_SCALARS, &r->fields[cntr_fields_1])); > } >@@ -18427,6 +18849,7 @@ static enum ndr_err_code ndr_push_spoolss_NotifyOption(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_NotifyOption(struct ndr_pull *ndr, int ndr_flags, struct spoolss_NotifyOption *r) > { > uint32_t _ptr_types; >+ uint32_t size_types_1 = 0; > uint32_t cntr_types_1; > TALLOC_CTX *_mem_save_types_0; > TALLOC_CTX *_mem_save_types_1; >@@ -18448,13 +18871,14 @@ static enum ndr_err_code ndr_pull_spoolss_NotifyOption(struct ndr_pull *ndr, int > _mem_save_types_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->types)); >- NDR_PULL_ALLOC_N(ndr, r->types, ndr_get_array_size(ndr, &r->types)); >+ size_types_1 = ndr_get_array_size(ndr, &r->types); >+ NDR_PULL_ALLOC_N(ndr, r->types, size_types_1); > _mem_save_types_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); >- for (cntr_types_1 = 0; cntr_types_1 < r->count; cntr_types_1++) { >+ for (cntr_types_1 = 0; cntr_types_1 < size_types_1; cntr_types_1++) { > NDR_CHECK(ndr_pull_spoolss_NotifyOptionType(ndr, NDR_SCALARS, &r->types[cntr_types_1])); > } >- for (cntr_types_1 = 0; cntr_types_1 < r->count; cntr_types_1++) { >+ for (cntr_types_1 = 0; cntr_types_1 < size_types_1; cntr_types_1++) { > NDR_CHECK(ndr_pull_spoolss_NotifyOptionType(ndr, NDR_BUFFERS, &r->types[cntr_types_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_types_1, 0); >@@ -18513,6 +18937,7 @@ static enum ndr_err_code ndr_push_spoolss_NotifyString(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_NotifyString(struct ndr_pull *ndr, int ndr_flags, struct spoolss_NotifyString *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -18530,7 +18955,8 @@ static enum ndr_err_code ndr_pull_spoolss_NotifyString(struct ndr_pull *ndr, int > _mem_save_string_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_size(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, size_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -18649,6 +19075,8 @@ static enum ndr_err_code ndr_pull_spoolss_NotifyData(struct ndr_pull *ndr, int n > { > int level; > uint32_t _level; >+ uint32_t size_integer_0 = 0; >+ uint32_t cntr_integer_0; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -18658,8 +19086,8 @@ static enum ndr_err_code ndr_pull_spoolss_NotifyData(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t cntr_integer_0; >- for (cntr_integer_0 = 0; cntr_integer_0 < 2; cntr_integer_0++) { >+ size_integer_0 = 2; >+ for (cntr_integer_0 = 0; cntr_integer_0 < size_integer_0; cntr_integer_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->integer[cntr_integer_0])); > } > break; } >@@ -18829,6 +19257,7 @@ static enum ndr_err_code ndr_push_spoolss_NotifyInfo(struct ndr_push *ndr, int n > > static enum ndr_err_code ndr_pull_spoolss_NotifyInfo(struct ndr_pull *ndr, int ndr_flags, struct spoolss_NotifyInfo *r) > { >+ uint32_t size_notifies_0 = 0; > uint32_t cntr_notifies_0; > TALLOC_CTX *_mem_save_notifies_0; > if (ndr_flags & NDR_SCALARS) { >@@ -18837,10 +19266,11 @@ static enum ndr_err_code ndr_pull_spoolss_NotifyInfo(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); >- NDR_PULL_ALLOC_N(ndr, r->notifies, ndr_get_array_size(ndr, &r->notifies)); >+ size_notifies_0 = ndr_get_array_size(ndr, &r->notifies); >+ NDR_PULL_ALLOC_N(ndr, r->notifies, size_notifies_0); > _mem_save_notifies_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->notifies, 0); >- for (cntr_notifies_0 = 0; cntr_notifies_0 < r->count; cntr_notifies_0++) { >+ for (cntr_notifies_0 = 0; cntr_notifies_0 < size_notifies_0; cntr_notifies_0++) { > NDR_CHECK(ndr_pull_spoolss_Notify(ndr, NDR_SCALARS, &r->notifies[cntr_notifies_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notifies_0, 0); >@@ -18850,9 +19280,10 @@ static enum ndr_err_code ndr_pull_spoolss_NotifyInfo(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_notifies_0 = ndr_get_array_size(ndr, &r->notifies); > _mem_save_notifies_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->notifies, 0); >- for (cntr_notifies_0 = 0; cntr_notifies_0 < r->count; cntr_notifies_0++) { >+ for (cntr_notifies_0 = 0; cntr_notifies_0 < size_notifies_0; cntr_notifies_0++) { > NDR_CHECK(ndr_pull_spoolss_Notify(ndr, NDR_BUFFERS, &r->notifies[cntr_notifies_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notifies_0, 0); >@@ -18917,6 +19348,7 @@ static enum ndr_err_code ndr_pull_spoolss_ReplyPrinterInfo(struct ndr_pull *ndr, > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -18926,7 +19358,6 @@ static enum ndr_err_code ndr_pull_spoolss_ReplyPrinterInfo(struct ndr_pull *ndr, > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -19034,8 +19465,12 @@ static enum ndr_err_code ndr_push_spoolss_UserLevel1(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_spoolss_UserLevel1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_UserLevel1 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -19064,11 +19499,13 @@ static enum ndr_err_code ndr_pull_spoolss_UserLevel1(struct ndr_pull *ndr, int n > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -19076,11 +19513,13 @@ static enum ndr_err_code ndr_pull_spoolss_UserLevel1(struct ndr_pull *ndr, int n > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -19179,8 +19618,12 @@ static enum ndr_err_code ndr_push_spoolss_UserLevel3(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_spoolss_UserLevel3(struct ndr_pull *ndr, int ndr_flags, struct spoolss_UserLevel3 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -19212,11 +19655,13 @@ static enum ndr_err_code ndr_pull_spoolss_UserLevel3(struct ndr_pull *ndr, int n > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -19224,11 +19669,13 @@ static enum ndr_err_code ndr_pull_spoolss_UserLevel3(struct ndr_pull *ndr, int n > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -19318,8 +19765,11 @@ static enum ndr_err_code ndr_pull_spoolss_UserLevel(struct ndr_pull *ndr, int nd > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_level1_0; >+ uint32_t _ptr_level1; > TALLOC_CTX *_mem_save_level2_0; >+ uint32_t _ptr_level2; > TALLOC_CTX *_mem_save_level3_0; >+ uint32_t _ptr_level3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -19329,7 +19779,6 @@ static enum ndr_err_code ndr_pull_spoolss_UserLevel(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_level1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_level1)); > if (_ptr_level1) { > NDR_PULL_ALLOC(ndr, r->level1); >@@ -19339,7 +19788,6 @@ static enum ndr_err_code ndr_pull_spoolss_UserLevel(struct ndr_pull *ndr, int nd > break; } > > case 2: { >- uint32_t _ptr_level2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_level2)); > if (_ptr_level2) { > NDR_PULL_ALLOC(ndr, r->level2); >@@ -19349,7 +19797,6 @@ static enum ndr_err_code ndr_pull_spoolss_UserLevel(struct ndr_pull *ndr, int nd > break; } > > case 3: { >- uint32_t _ptr_level3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_level3)); > if (_ptr_level3) { > NDR_PULL_ALLOC(ndr, r->level3); >@@ -19842,20 +20289,34 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_PortData1(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_PortData1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_PortData1 *r) > { >+ uint32_t size_portname_0 = 0; >+ uint32_t size_hostaddress_0 = 0; >+ uint32_t size_snmpcommunity_0 = 0; >+ uint32_t size_queue_0 = 0; >+ uint32_t size_ip_address_0 = 0; >+ uint32_t size_hardware_address_0 = 0; >+ uint32_t size_device_type_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, 64, sizeof(uint16_t), CH_UTF16)); >+ size_portname_0 = 64; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, size_portname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); > NDR_CHECK(ndr_pull_spoolss_PortProtocol(ndr, NDR_SCALARS, &r->protocol)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hostaddress, 49, sizeof(uint16_t), CH_UTF16)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->snmpcommunity, 33, sizeof(uint16_t), CH_UTF16)); >+ size_hostaddress_0 = 49; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hostaddress, size_hostaddress_0, sizeof(uint16_t), CH_UTF16)); >+ size_snmpcommunity_0 = 33; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->snmpcommunity, size_snmpcommunity_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->dblspool)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->queue, 33, sizeof(uint16_t), CH_UTF16)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ip_address, 16, sizeof(uint16_t), CH_UTF16)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_address, 13, sizeof(uint16_t), CH_UTF16)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device_type, 257, sizeof(uint16_t), CH_UTF16)); >+ size_queue_0 = 33; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->queue, size_queue_0, sizeof(uint16_t), CH_UTF16)); >+ size_ip_address_0 = 16; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ip_address, size_ip_address_0, sizeof(uint16_t), CH_UTF16)); >+ size_hardware_address_0 = 13; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_address, size_hardware_address_0, sizeof(uint16_t), CH_UTF16)); >+ size_device_type_0 = 257; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device_type, size_device_type_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->port_number)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->snmp_enabled)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->snmp_dev_index)); >@@ -19915,18 +20376,28 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_PortData2(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_PortData2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_PortData2 *r) > { >+ uint32_t size_portname_0 = 0; >+ uint32_t size_hostaddress_0 = 0; >+ uint32_t size_snmpcommunity_0 = 0; >+ uint32_t size_queue_0 = 0; >+ uint32_t size_device_type_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, 64, sizeof(uint16_t), CH_UTF16)); >+ size_portname_0 = 64; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, size_portname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); > NDR_CHECK(ndr_pull_spoolss_PortProtocol(ndr, NDR_SCALARS, &r->protocol)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hostaddress, 128, sizeof(uint16_t), CH_UTF16)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->snmpcommunity, 33, sizeof(uint16_t), CH_UTF16)); >+ size_hostaddress_0 = 128; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hostaddress, size_hostaddress_0, sizeof(uint16_t), CH_UTF16)); >+ size_snmpcommunity_0 = 33; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->snmpcommunity, size_snmpcommunity_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->dblspool)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->queue, 33, sizeof(uint16_t), CH_UTF16)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device_type, 257, sizeof(uint16_t), CH_UTF16)); >+ size_queue_0 = 33; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->queue, size_queue_0, sizeof(uint16_t), CH_UTF16)); >+ size_device_type_0 = 257; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device_type, size_device_type_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->port_number)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->snmp_enabled)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->snmp_dev_index)); >@@ -20047,12 +20518,14 @@ static enum ndr_err_code ndr_push_spoolss_CorePrinterDriver(struct ndr_push *ndr > > static enum ndr_err_code ndr_pull_spoolss_CorePrinterDriver(struct ndr_pull *ndr, int ndr_flags, struct spoolss_CorePrinterDriver *r) > { >+ uint32_t size_formname_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->core_driver_guid)); > NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->driver_date)); > NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->driver_version)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->formname, 520, sizeof(uint8_t), CH_UTF8)); >+ size_formname_0 = 520; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->formname, size_formname_0, sizeof(uint8_t), CH_UTF8)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -20110,6 +20583,8 @@ _PUBLIC_ enum ndr_err_code ndr_push__spoolss_EnumPrinters(struct ndr_push *ndr, > _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinters(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrinters *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_0; >@@ -20132,11 +20607,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinters(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -20211,6 +20688,7 @@ _PUBLIC_ enum ndr_err_code ndr_push___spoolss_EnumPrinters(struct ndr_push *ndr, > > _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrinters(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrinters *r) > { >+ uint32_t size_info_0 = 0; > uint32_t cntr_info_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -20220,14 +20698,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrinters(struct ndr_pull *ndr, > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); >+ size_info_0 = r->in.count; >+ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); > NDR_CHECK(ndr_pull_spoolss_PrinterInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); > } >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_PrinterInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); >@@ -20332,7 +20811,11 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_OpenPrinter(struct ndr_push *ndr, in > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_OpenPrinter(struct ndr_pull *ndr, int flags, struct spoolss_OpenPrinter *r) > { > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > uint32_t _ptr_datatype; >+ uint32_t size_datatype_1 = 0; >+ uint32_t length_datatype_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > TALLOC_CTX *_mem_save_datatype_0; > TALLOC_CTX *_mem_save_handle_0; >@@ -20350,11 +20833,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_OpenPrinter(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.printername)); >- if (ndr_get_array_length(ndr, &r->in.printername) > ndr_get_array_size(ndr, &r->in.printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.printername), ndr_get_array_length(ndr, &r->in.printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->in.printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->in.printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_datatype)); >@@ -20368,11 +20853,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_OpenPrinter(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.datatype)); >- if (ndr_get_array_length(ndr, &r->in.datatype) > ndr_get_array_size(ndr, &r->in.datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.datatype), ndr_get_array_length(ndr, &r->in.datatype)); >+ size_datatype_1 = ndr_get_array_size(ndr, &r->in.datatype); >+ length_datatype_1 = ndr_get_array_length(ndr, &r->in.datatype); >+ if (length_datatype_1 > size_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_datatype_1, length_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.datatype, ndr_get_array_length(ndr, &r->in.datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.datatype, length_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_datatype_0, 0); > } > NDR_CHECK(ndr_pull_spoolss_DevmodeContainer(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.devmode_ctr)); >@@ -20793,6 +21280,7 @@ _PUBLIC_ enum ndr_err_code ndr_push___spoolss_EnumJobs(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumJobs(struct ndr_pull *ndr, int flags, struct __spoolss_EnumJobs *r) > { >+ uint32_t size_info_0 = 0; > uint32_t cntr_info_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -20802,14 +21290,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumJobs(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); >+ size_info_0 = r->in.count; >+ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); > NDR_CHECK(ndr_pull_spoolss_JobInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); > } >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_JobInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); >@@ -20916,6 +21405,8 @@ static enum ndr_err_code ndr_push_spoolss_AddPrinter(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_spoolss_AddPrinter(struct ndr_pull *ndr, int flags, struct spoolss_AddPrinter *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > TALLOC_CTX *_mem_save_server_0; > TALLOC_CTX *_mem_save_info_ctr_0; > TALLOC_CTX *_mem_save_devmode_ctr_0; >@@ -20935,11 +21426,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddPrinter(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -21355,6 +21848,8 @@ static enum ndr_err_code ndr_push_spoolss_AddPrinterDriver(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_AddPrinterDriver(struct ndr_pull *ndr, int flags, struct spoolss_AddPrinterDriver *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_info_ctr_0; > if (flags & NDR_IN) { >@@ -21369,11 +21864,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddPrinterDriver(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -21466,7 +21963,11 @@ _PUBLIC_ enum ndr_err_code ndr_push__spoolss_EnumPrinterDrivers(struct ndr_push > _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinterDrivers(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrinterDrivers *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > uint32_t _ptr_environment; >+ uint32_t size_environment_1 = 0; >+ uint32_t length_environment_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_0; >@@ -21489,11 +21990,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinterDrivers(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_environment)); >@@ -21507,11 +22010,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinterDrivers(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.environment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.environment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.environment)); >- if (ndr_get_array_length(ndr, &r->in.environment) > ndr_get_array_size(ndr, &r->in.environment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.environment), ndr_get_array_length(ndr, &r->in.environment)); >+ size_environment_1 = ndr_get_array_size(ndr, &r->in.environment); >+ length_environment_1 = ndr_get_array_length(ndr, &r->in.environment); >+ if (length_environment_1 > size_environment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_environment_1, length_environment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_environment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, length_environment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_environment_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -21586,6 +22091,7 @@ _PUBLIC_ enum ndr_err_code ndr_push___spoolss_EnumPrinterDrivers(struct ndr_push > > _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrinterDrivers(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrinterDrivers *r) > { >+ uint32_t size_info_0 = 0; > uint32_t cntr_info_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -21595,14 +22101,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrinterDrivers(struct ndr_pull > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); >+ size_info_0 = r->in.count; >+ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); > NDR_CHECK(ndr_pull_spoolss_DriverInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); > } >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_DriverInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); >@@ -21723,6 +22230,8 @@ static enum ndr_err_code ndr_push_spoolss_GetPrinterDriver(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriver(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDriver *r) > { > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_handle_0; >@@ -21751,11 +22260,13 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriver(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); >- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->in.architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->in.architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -21903,7 +22414,11 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_GetPrinterDriverDirectory(struct ndr > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverDirectory(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDriverDirectory *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > uint32_t _ptr_environment; >+ uint32_t size_environment_1 = 0; >+ uint32_t length_environment_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_0; >@@ -21925,11 +22440,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverDirectory(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_environment)); >@@ -21943,11 +22460,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverDirectory(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.environment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.environment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.environment)); >- if (ndr_get_array_length(ndr, &r->in.environment) > ndr_get_array_size(ndr, &r->in.environment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.environment), ndr_get_array_length(ndr, &r->in.environment)); >+ size_environment_1 = ndr_get_array_size(ndr, &r->in.environment); >+ length_environment_1 = ndr_get_array_length(ndr, &r->in.environment); >+ if (length_environment_1 > size_environment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_environment_1, length_environment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_environment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, length_environment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_environment_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -22078,6 +22597,12 @@ static enum ndr_err_code ndr_push_spoolss_DeletePrinterDriver(struct ndr_push *n > static enum ndr_err_code ndr_pull_spoolss_DeletePrinterDriver(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterDriver *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; >+ uint32_t size_architecture_0 = 0; >+ uint32_t length_architecture_0 = 0; >+ uint32_t size_driver_0 = 0; >+ uint32_t length_driver_0 = 0; > TALLOC_CTX *_mem_save_server_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server)); >@@ -22091,27 +22616,33 @@ static enum ndr_err_code ndr_pull_spoolss_DeletePrinterDriver(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); >- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); >+ size_architecture_0 = ndr_get_array_size(ndr, &r->in.architecture); >+ length_architecture_0 = ndr_get_array_length(ndr, &r->in.architecture); >+ if (length_architecture_0 > size_architecture_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_0, length_architecture_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.driver)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.driver)); >- if (ndr_get_array_length(ndr, &r->in.driver) > ndr_get_array_size(ndr, &r->in.driver)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.driver), ndr_get_array_length(ndr, &r->in.driver)); >+ size_driver_0 = ndr_get_array_size(ndr, &r->in.driver); >+ length_driver_0 = ndr_get_array_length(ndr, &r->in.driver); >+ if (length_driver_0 > size_driver_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_0, length_driver_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.driver), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver, ndr_get_array_length(ndr, &r->in.driver), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver, length_driver_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -22180,6 +22711,14 @@ static enum ndr_err_code ndr_push_spoolss_AddPrintProcessor(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_spoolss_AddPrintProcessor(struct ndr_pull *ndr, int flags, struct spoolss_AddPrintProcessor *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; >+ uint32_t size_architecture_0 = 0; >+ uint32_t length_architecture_0 = 0; >+ uint32_t size_path_name_0 = 0; >+ uint32_t length_path_name_0 = 0; >+ uint32_t size_print_processor_name_0 = 0; >+ uint32_t length_print_processor_name_0 = 0; > TALLOC_CTX *_mem_save_server_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server)); >@@ -22193,34 +22732,42 @@ static enum ndr_err_code ndr_pull_spoolss_AddPrintProcessor(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); >- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); >+ size_architecture_0 = ndr_get_array_size(ndr, &r->in.architecture); >+ length_architecture_0 = ndr_get_array_length(ndr, &r->in.architecture); >+ if (length_architecture_0 > size_architecture_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_0, length_architecture_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path_name)); >- if (ndr_get_array_length(ndr, &r->in.path_name) > ndr_get_array_size(ndr, &r->in.path_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path_name), ndr_get_array_length(ndr, &r->in.path_name)); >+ size_path_name_0 = ndr_get_array_size(ndr, &r->in.path_name); >+ length_path_name_0 = ndr_get_array_length(ndr, &r->in.path_name); >+ if (length_path_name_0 > size_path_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_name_0, length_path_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path_name, ndr_get_array_length(ndr, &r->in.path_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path_name, length_path_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.print_processor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.print_processor_name)); >- if (ndr_get_array_length(ndr, &r->in.print_processor_name) > ndr_get_array_size(ndr, &r->in.print_processor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.print_processor_name), ndr_get_array_length(ndr, &r->in.print_processor_name)); >+ size_print_processor_name_0 = ndr_get_array_size(ndr, &r->in.print_processor_name); >+ length_print_processor_name_0 = ndr_get_array_length(ndr, &r->in.print_processor_name); >+ if (length_print_processor_name_0 > size_print_processor_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_name_0, length_print_processor_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.print_processor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.print_processor_name, ndr_get_array_length(ndr, &r->in.print_processor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.print_processor_name, length_print_processor_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -22303,7 +22850,11 @@ _PUBLIC_ enum ndr_err_code ndr_push__spoolss_EnumPrintProcessors(struct ndr_push > _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrintProcessors(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrintProcessors *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_environment; >+ uint32_t size_environment_1 = 0; >+ uint32_t length_environment_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_servername_0; >@@ -22326,11 +22877,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrintProcessors(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_environment)); >@@ -22344,11 +22897,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrintProcessors(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.environment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.environment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.environment)); >- if (ndr_get_array_length(ndr, &r->in.environment) > ndr_get_array_size(ndr, &r->in.environment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.environment), ndr_get_array_length(ndr, &r->in.environment)); >+ size_environment_1 = ndr_get_array_size(ndr, &r->in.environment); >+ length_environment_1 = ndr_get_array_length(ndr, &r->in.environment); >+ if (length_environment_1 > size_environment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_environment_1, length_environment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_environment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, length_environment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_environment_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -22423,6 +22978,7 @@ _PUBLIC_ enum ndr_err_code ndr_push___spoolss_EnumPrintProcessors(struct ndr_pus > > _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrintProcessors(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrintProcessors *r) > { >+ uint32_t size_info_0 = 0; > uint32_t cntr_info_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -22432,14 +22988,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrintProcessors(struct ndr_pul > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); >+ size_info_0 = r->in.count; >+ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); > NDR_CHECK(ndr_pull_spoolss_PrintProcessorInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); > } >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_PrintProcessorInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); >@@ -22563,7 +23120,11 @@ static enum ndr_err_code ndr_push_spoolss_GetPrintProcessorDirectory(struct ndr_ > static enum ndr_err_code ndr_pull_spoolss_GetPrintProcessorDirectory(struct ndr_pull *ndr, int flags, struct spoolss_GetPrintProcessorDirectory *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > uint32_t _ptr_environment; >+ uint32_t size_environment_1 = 0; >+ uint32_t length_environment_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_0; >@@ -22585,11 +23146,13 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrintProcessorDirectory(struct ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_environment)); >@@ -22603,11 +23166,13 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrintProcessorDirectory(struct ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->in.environment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.environment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.environment)); >- if (ndr_get_array_length(ndr, &r->in.environment) > ndr_get_array_size(ndr, &r->in.environment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.environment), ndr_get_array_length(ndr, &r->in.environment)); >+ size_environment_1 = ndr_get_array_size(ndr, &r->in.environment); >+ length_environment_1 = ndr_get_array_length(ndr, &r->in.environment); >+ if (length_environment_1 > size_environment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_environment_1, length_environment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_environment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, length_environment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_environment_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -23076,6 +23641,7 @@ static enum ndr_err_code ndr_push_spoolss_ReadPrinter(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_spoolss_ReadPrinter(struct ndr_pull *ndr, int flags, struct spoolss_ReadPrinter *r) > { >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save__data_size_0; > if (flags & NDR_IN) { >@@ -23096,10 +23662,11 @@ static enum ndr_err_code ndr_pull_spoolss_ReadPrinter(struct ndr_pull *ndr, int > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->out.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out._data_size); > } >@@ -23239,6 +23806,7 @@ static enum ndr_err_code ndr_push_spoolss_AddJob(struct ndr_push *ndr, int flags > static enum ndr_err_code ndr_pull_spoolss_AddJob(struct ndr_pull *ndr, int flags, struct spoolss_AddJob *r) > { > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_buffer_0; > TALLOC_CTX *_mem_save_needed_0; >@@ -23263,8 +23831,9 @@ static enum ndr_err_code ndr_pull_spoolss_AddJob(struct ndr_pull *ndr, int flags > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); >- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); >+ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); >@@ -23285,8 +23854,9 @@ static enum ndr_err_code ndr_pull_spoolss_AddJob(struct ndr_pull *ndr, int flags > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -23441,6 +24011,9 @@ static enum ndr_err_code ndr_push_spoolss_GetPrinterData(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_spoolss_GetPrinterData(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterData *r) > { >+ uint32_t size_value_name_0 = 0; >+ uint32_t length_value_name_0 = 0; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_type_0; > TALLOC_CTX *_mem_save_needed_0; >@@ -23456,11 +24029,13 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterData(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); >- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); >+ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); >+ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); >+ if (length_value_name_0 > size_value_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); > NDR_PULL_ALLOC(ndr, r->out.type); > ZERO_STRUCTP(r->out.type); >@@ -23478,10 +24053,11 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterData(struct ndr_pull *ndr, i > NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, r->out.type)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_type_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->out.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -23563,6 +24139,9 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterData(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_spoolss_SetPrinterData(struct ndr_pull *ndr, int flags, struct spoolss_SetPrinterData *r) > { >+ uint32_t size_value_name_0 = 0; >+ uint32_t length_value_name_0 = 0; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -23574,17 +24153,20 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterData(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); >- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); >+ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); >+ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); >+ if (length_value_name_0 > size_value_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, &r->in.type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->in.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); > if (r->in.data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.offered)); >@@ -23831,6 +24413,8 @@ static enum ndr_err_code ndr_push_spoolss_DeleteForm(struct ndr_push *ndr, int f > > static enum ndr_err_code ndr_pull_spoolss_DeleteForm(struct ndr_pull *ndr, int flags, struct spoolss_DeleteForm *r) > { >+ uint32_t size_form_name_0 = 0; >+ uint32_t length_form_name_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -23842,11 +24426,13 @@ static enum ndr_err_code ndr_pull_spoolss_DeleteForm(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.form_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.form_name)); >- if (ndr_get_array_length(ndr, &r->in.form_name) > ndr_get_array_size(ndr, &r->in.form_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.form_name), ndr_get_array_length(ndr, &r->in.form_name)); >+ size_form_name_0 = ndr_get_array_size(ndr, &r->in.form_name); >+ length_form_name_0 = ndr_get_array_length(ndr, &r->in.form_name); >+ if (length_form_name_0 > size_form_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_0, length_form_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, length_form_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -23920,6 +24506,8 @@ static enum ndr_err_code ndr_push_spoolss_GetForm(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_spoolss_GetForm(struct ndr_pull *ndr, int flags, struct spoolss_GetForm *r) > { >+ uint32_t size_form_name_0 = 0; >+ uint32_t length_form_name_0 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_handle_0; >@@ -23938,11 +24526,13 @@ static enum ndr_err_code ndr_pull_spoolss_GetForm(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.form_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.form_name)); >- if (ndr_get_array_length(ndr, &r->in.form_name) > ndr_get_array_size(ndr, &r->in.form_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.form_name), ndr_get_array_length(ndr, &r->in.form_name)); >+ size_form_name_0 = ndr_get_array_size(ndr, &r->in.form_name); >+ length_form_name_0 = ndr_get_array_length(ndr, &r->in.form_name); >+ if (length_form_name_0 > size_form_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_0, length_form_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, length_form_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_buffer)); > if (_ptr_buffer) { >@@ -24059,6 +24649,8 @@ static enum ndr_err_code ndr_push_spoolss_SetForm(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_spoolss_SetForm(struct ndr_pull *ndr, int flags, struct spoolss_SetForm *r) > { >+ uint32_t size_form_name_0 = 0; >+ uint32_t length_form_name_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -24070,11 +24662,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetForm(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.form_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.form_name)); >- if (ndr_get_array_length(ndr, &r->in.form_name) > ndr_get_array_size(ndr, &r->in.form_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.form_name), ndr_get_array_length(ndr, &r->in.form_name)); >+ size_form_name_0 = ndr_get_array_size(ndr, &r->in.form_name); >+ length_form_name_0 = ndr_get_array_length(ndr, &r->in.form_name); >+ if (length_form_name_0 > size_form_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_0, length_form_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, length_form_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->in.info, r->in.level)); > NDR_CHECK(ndr_pull_spoolss_AddFormInfo(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.info)); >@@ -24237,6 +24831,7 @@ _PUBLIC_ enum ndr_err_code ndr_push___spoolss_EnumForms(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumForms(struct ndr_pull *ndr, int flags, struct __spoolss_EnumForms *r) > { >+ uint32_t size_info_0 = 0; > uint32_t cntr_info_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -24246,14 +24841,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumForms(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); >+ size_info_0 = r->in.count; >+ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); > NDR_CHECK(ndr_pull_spoolss_FormInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); > } >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_FormInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); >@@ -24360,6 +24956,8 @@ _PUBLIC_ enum ndr_err_code ndr_push__spoolss_EnumPorts(struct ndr_push *ndr, int > _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPorts(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPorts *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_servername_0; >@@ -24381,11 +24979,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPorts(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -24460,6 +25060,7 @@ _PUBLIC_ enum ndr_err_code ndr_push___spoolss_EnumPorts(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPorts(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPorts *r) > { >+ uint32_t size_info_0 = 0; > uint32_t cntr_info_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -24469,14 +25070,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPorts(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); >+ size_info_0 = r->in.count; >+ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); > NDR_CHECK(ndr_pull_spoolss_PortInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); > } >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_PortInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); >@@ -24585,6 +25187,8 @@ _PUBLIC_ enum ndr_err_code ndr_push__spoolss_EnumMonitors(struct ndr_push *ndr, > _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumMonitors(struct ndr_pull *ndr, int flags, struct _spoolss_EnumMonitors *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_servername_0; >@@ -24606,11 +25210,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumMonitors(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -24685,6 +25291,7 @@ _PUBLIC_ enum ndr_err_code ndr_push___spoolss_EnumMonitors(struct ndr_push *ndr, > > _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumMonitors(struct ndr_pull *ndr, int flags, struct __spoolss_EnumMonitors *r) > { >+ uint32_t size_info_0 = 0; > uint32_t cntr_info_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -24694,14 +25301,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumMonitors(struct ndr_pull *ndr, > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); >+ size_info_0 = r->in.count; >+ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); > NDR_CHECK(ndr_pull_spoolss_MonitorInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); > } >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_MonitorInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); >@@ -24797,6 +25405,10 @@ static enum ndr_err_code ndr_push_spoolss_AddPort(struct ndr_push *ndr, int flag > static enum ndr_err_code ndr_pull_spoolss_AddPort(struct ndr_pull *ndr, int flags, struct spoolss_AddPort *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_monitor_name_0 = 0; >+ uint32_t length_monitor_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_name)); >@@ -24810,21 +25422,25 @@ static enum ndr_err_code ndr_pull_spoolss_AddPort(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.monitor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.monitor_name)); >- if (ndr_get_array_length(ndr, &r->in.monitor_name) > ndr_get_array_size(ndr, &r->in.monitor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.monitor_name), ndr_get_array_length(ndr, &r->in.monitor_name)); >+ size_monitor_name_0 = ndr_get_array_size(ndr, &r->in.monitor_name); >+ length_monitor_name_0 = ndr_get_array_length(ndr, &r->in.monitor_name); >+ if (length_monitor_name_0 > size_monitor_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_0, length_monitor_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.monitor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.monitor_name, ndr_get_array_length(ndr, &r->in.monitor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.monitor_name, length_monitor_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -25526,7 +26142,11 @@ _PUBLIC_ enum ndr_err_code ndr_push__spoolss_EnumPrintProcDataTypes(struct ndr_p > _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrintProcDataTypes(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrintProcDataTypes *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_print_processor_name; >+ uint32_t size_print_processor_name_1 = 0; >+ uint32_t length_print_processor_name_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_servername_0; >@@ -25549,11 +26169,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrintProcDataTypes(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_print_processor_name)); >@@ -25567,11 +26189,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrintProcDataTypes(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.print_processor_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.print_processor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.print_processor_name)); >- if (ndr_get_array_length(ndr, &r->in.print_processor_name) > ndr_get_array_size(ndr, &r->in.print_processor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.print_processor_name), ndr_get_array_length(ndr, &r->in.print_processor_name)); >+ size_print_processor_name_1 = ndr_get_array_size(ndr, &r->in.print_processor_name); >+ length_print_processor_name_1 = ndr_get_array_length(ndr, &r->in.print_processor_name); >+ if (length_print_processor_name_1 > size_print_processor_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_name_1, length_print_processor_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.print_processor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.print_processor_name, ndr_get_array_length(ndr, &r->in.print_processor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.print_processor_name, length_print_processor_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -25646,6 +26270,7 @@ _PUBLIC_ enum ndr_err_code ndr_push___spoolss_EnumPrintProcDataTypes(struct ndr_ > > _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrintProcDataTypes(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrintProcDataTypes *r) > { >+ uint32_t size_info_0 = 0; > uint32_t cntr_info_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -25655,14 +26280,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrintProcDataTypes(struct ndr_ > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); >+ size_info_0 = r->in.count; >+ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); > NDR_CHECK(ndr_pull_spoolss_PrintProcDataTypesInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); > } >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_PrintProcDataTypesInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); >@@ -25767,6 +26393,8 @@ static enum ndr_err_code ndr_push_spoolss_ResetPrinter(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_ResetPrinter(struct ndr_pull *ndr, int flags, struct spoolss_ResetPrinter *r) > { > uint32_t _ptr_data_type; >+ uint32_t size_data_type_1 = 0; >+ uint32_t length_data_type_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_data_type_0; > TALLOC_CTX *_mem_save_devmode_ctr_0; >@@ -25789,11 +26417,13 @@ static enum ndr_err_code ndr_pull_spoolss_ResetPrinter(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.data_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.data_type)); >- if (ndr_get_array_length(ndr, &r->in.data_type) > ndr_get_array_size(ndr, &r->in.data_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.data_type), ndr_get_array_length(ndr, &r->in.data_type)); >+ size_data_type_1 = ndr_get_array_size(ndr, &r->in.data_type); >+ length_data_type_1 = ndr_get_array_length(ndr, &r->in.data_type); >+ if (length_data_type_1 > size_data_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.data_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.data_type, ndr_get_array_length(ndr, &r->in.data_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -25899,6 +26529,8 @@ static enum ndr_err_code ndr_push_spoolss_GetPrinterDriver2(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriver2(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDriver2 *r) > { > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > uint32_t _ptr_buffer; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_handle_0; >@@ -25929,11 +26561,13 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriver2(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); >- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->in.architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->in.architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -26272,7 +26906,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_ReplyOpenPrinter(struct ndr_push *nd > > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_ReplyOpenPrinter(struct ndr_pull *ndr, int flags, struct spoolss_ReplyOpenPrinter *r) > { >+ uint32_t size_server_name_0 = 0; >+ uint32_t length_server_name_0 = 0; > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_buffer_0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { >@@ -26280,11 +26917,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_ReplyOpenPrinter(struct ndr_pull *nd > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_0 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_0 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_0 > size_server_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_0, length_server_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.printer_local)); > NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, &r->in.type)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.bufsize)); >@@ -26301,8 +26940,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_ReplyOpenPrinter(struct ndr_pull *nd > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); >- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); >+ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.handle); >@@ -26383,6 +27023,7 @@ static enum ndr_err_code ndr_push_spoolss_RouterReplyPrinter(struct ndr_push *nd > static enum ndr_err_code ndr_pull_spoolss_RouterReplyPrinter(struct ndr_pull *ndr, int flags, struct spoolss_RouterReplyPrinter *r) > { > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_buffer_0; > if (flags & NDR_IN) { >@@ -26408,8 +27049,9 @@ static enum ndr_err_code ndr_pull_spoolss_RouterReplyPrinter(struct ndr_pull *nd > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); >- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); >+ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > if (r->in.buffer) { >@@ -26726,6 +27368,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_RemoteFindFirstPrinterChangeNotifyEx > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_RemoteFindFirstPrinterChangeNotifyEx(struct ndr_pull *ndr, int flags, struct spoolss_RemoteFindFirstPrinterChangeNotifyEx *r) > { > uint32_t _ptr_local_machine; >+ uint32_t size_local_machine_1 = 0; >+ uint32_t length_local_machine_1 = 0; > uint32_t _ptr_notify_options; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_local_machine_0; >@@ -26751,11 +27395,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_RemoteFindFirstPrinterChangeNotifyEx > NDR_PULL_SET_MEM_CTX(ndr, r->in.local_machine, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.local_machine)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.local_machine)); >- if (ndr_get_array_length(ndr, &r->in.local_machine) > ndr_get_array_size(ndr, &r->in.local_machine)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.local_machine), ndr_get_array_length(ndr, &r->in.local_machine)); >+ size_local_machine_1 = ndr_get_array_size(ndr, &r->in.local_machine); >+ length_local_machine_1 = ndr_get_array_length(ndr, &r->in.local_machine); >+ if (length_local_machine_1 > size_local_machine_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_local_machine_1, length_local_machine_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.local_machine), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.local_machine, ndr_get_array_length(ndr, &r->in.local_machine), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_local_machine_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.local_machine, length_local_machine_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_local_machine_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.printer_local)); >@@ -27112,7 +27758,11 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_OpenPrinterEx(struct ndr_push *ndr, > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_OpenPrinterEx(struct ndr_pull *ndr, int flags, struct spoolss_OpenPrinterEx *r) > { > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > uint32_t _ptr_datatype; >+ uint32_t size_datatype_1 = 0; >+ uint32_t length_datatype_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > TALLOC_CTX *_mem_save_datatype_0; > TALLOC_CTX *_mem_save_handle_0; >@@ -27130,11 +27780,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_OpenPrinterEx(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.printername)); >- if (ndr_get_array_length(ndr, &r->in.printername) > ndr_get_array_size(ndr, &r->in.printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.printername), ndr_get_array_length(ndr, &r->in.printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->in.printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->in.printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_datatype)); >@@ -27148,11 +27800,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_OpenPrinterEx(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.datatype)); >- if (ndr_get_array_length(ndr, &r->in.datatype) > ndr_get_array_size(ndr, &r->in.datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.datatype), ndr_get_array_length(ndr, &r->in.datatype)); >+ size_datatype_1 = ndr_get_array_size(ndr, &r->in.datatype); >+ length_datatype_1 = ndr_get_array_length(ndr, &r->in.datatype); >+ if (length_datatype_1 > size_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_datatype_1, length_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.datatype, ndr_get_array_length(ndr, &r->in.datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.datatype, length_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_datatype_0, 0); > } > NDR_CHECK(ndr_pull_spoolss_DevmodeContainer(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.devmode_ctr)); >@@ -27258,6 +27912,8 @@ static enum ndr_err_code ndr_push_spoolss_AddPrinterEx(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_AddPrinterEx(struct ndr_pull *ndr, int flags, struct spoolss_AddPrinterEx *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > TALLOC_CTX *_mem_save_server_0; > TALLOC_CTX *_mem_save_info_ctr_0; > TALLOC_CTX *_mem_save_devmode_ctr_0; >@@ -27278,11 +27934,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddPrinterEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -27460,6 +28118,8 @@ static enum ndr_err_code ndr_push_spoolss_EnumPrinterData(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_spoolss_EnumPrinterData(struct ndr_pull *ndr, int flags, struct spoolss_EnumPrinterData *r) > { >+ uint32_t size_value_name_0 = 0; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_value_needed_0; > TALLOC_CTX *_mem_save_type_0; >@@ -27488,7 +28148,8 @@ static enum ndr_err_code ndr_pull_spoolss_EnumPrinterData(struct ndr_pull *ndr, > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.value_name)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.value_name, ndr_get_array_size(ndr, &r->out.value_name), sizeof(uint16_t), CH_UTF16)); >+ size_value_name_0 = ndr_get_array_size(ndr, &r->out.value_name); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.value_name, size_value_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.value_needed); > } >@@ -27507,10 +28168,11 @@ static enum ndr_err_code ndr_pull_spoolss_EnumPrinterData(struct ndr_pull *ndr, > uint32_t _flags_save_uint8 = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->out.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); > ndr->flags = _flags_save_uint8; > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -27596,6 +28258,8 @@ static enum ndr_err_code ndr_push_spoolss_DeletePrinterData(struct ndr_push *ndr > > static enum ndr_err_code ndr_pull_spoolss_DeletePrinterData(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterData *r) > { >+ uint32_t size_value_name_0 = 0; >+ uint32_t length_value_name_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -27607,11 +28271,13 @@ static enum ndr_err_code ndr_pull_spoolss_DeletePrinterData(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); >- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); >+ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); >+ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); >+ if (length_value_name_0 > size_value_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -27799,6 +28465,11 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterDataEx(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_spoolss_SetPrinterDataEx(struct ndr_pull *ndr, int flags, struct spoolss_SetPrinterDataEx *r) > { >+ uint32_t size_key_name_0 = 0; >+ uint32_t length_key_name_0 = 0; >+ uint32_t size_value_name_0 = 0; >+ uint32_t length_value_name_0 = 0; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -27810,24 +28481,29 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterDataEx(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); >- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); >+ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); >+ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); >+ if (length_key_name_0 > size_key_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); >- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); >+ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); >+ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); >+ if (length_value_name_0 > size_value_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, &r->in.type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->in.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); > if (r->in.data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.offered)); >@@ -27910,6 +28586,11 @@ static enum ndr_err_code ndr_push_spoolss_GetPrinterDataEx(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_spoolss_GetPrinterDataEx(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDataEx *r) > { >+ uint32_t size_key_name_0 = 0; >+ uint32_t length_key_name_0 = 0; >+ uint32_t size_value_name_0 = 0; >+ uint32_t length_value_name_0 = 0; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_type_0; > TALLOC_CTX *_mem_save_needed_0; >@@ -27925,18 +28606,22 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterDataEx(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); >- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); >+ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); >+ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); >+ if (length_key_name_0 > size_key_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); >- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); >+ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); >+ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); >+ if (length_value_name_0 > size_value_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); > NDR_PULL_ALLOC(ndr, r->out.type); > ZERO_STRUCTP(r->out.type); >@@ -27954,10 +28639,11 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterDataEx(struct ndr_pull *ndr, > NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, r->out.type)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_type_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->out.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -28043,6 +28729,8 @@ _PUBLIC_ enum ndr_err_code ndr_push__spoolss_EnumPrinterDataEx(struct ndr_push * > > _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinterDataEx(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrinterDataEx *r) > { >+ uint32_t size_key_name_0 = 0; >+ uint32_t length_key_name_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; > TALLOC_CTX *_mem_save_count_0; >@@ -28058,11 +28746,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinterDataEx(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); >- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); >+ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); >+ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); >+ if (length_key_name_0 > size_key_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); > NDR_PULL_ALLOC(ndr, r->out.needed); > ZERO_STRUCTP(r->out.needed); >@@ -28109,6 +28799,7 @@ _PUBLIC_ enum ndr_err_code ndr_push___spoolss_EnumPrinterDataEx(struct ndr_push > > _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrinterDataEx(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrinterDataEx *r) > { >+ uint32_t size_info_0 = 0; > uint32_t cntr_info_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -28117,13 +28808,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrinterDataEx(struct ndr_pull > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); >+ size_info_0 = r->in.count; >+ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_PrinterEnumValues(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); > } >- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { >+ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { > NDR_CHECK(ndr_pull_spoolss_PrinterEnumValues(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); >@@ -28224,6 +28916,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_EnumPrinterKey(struct ndr_push *ndr, > > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_EnumPrinterKey(struct ndr_pull *ndr, int flags, struct spoolss_EnumPrinterKey *r) > { >+ uint32_t size_key_name_0 = 0; >+ uint32_t length_key_name_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save__ndr_size_0; > TALLOC_CTX *_mem_save_key_buffer_0; >@@ -28240,11 +28934,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_EnumPrinterKey(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); >- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); >+ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); >+ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); >+ if (length_key_name_0 > size_key_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); > NDR_PULL_ALLOC(ndr, r->out._ndr_size); > ZERO_STRUCTP(r->out._ndr_size); >@@ -28350,6 +29046,10 @@ static enum ndr_err_code ndr_push_spoolss_DeletePrinterDataEx(struct ndr_push *n > > static enum ndr_err_code ndr_pull_spoolss_DeletePrinterDataEx(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterDataEx *r) > { >+ uint32_t size_key_name_0 = 0; >+ uint32_t length_key_name_0 = 0; >+ uint32_t size_value_name_0 = 0; >+ uint32_t length_value_name_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -28361,18 +29061,22 @@ static enum ndr_err_code ndr_pull_spoolss_DeletePrinterDataEx(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); >- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); >+ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); >+ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); >+ if (length_key_name_0 > size_key_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); >- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); >+ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); >+ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); >+ if (length_value_name_0 > size_value_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -28427,6 +29131,8 @@ static enum ndr_err_code ndr_push_spoolss_DeletePrinterKey(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_spoolss_DeletePrinterKey(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterKey *r) > { >+ uint32_t size_key_name_0 = 0; >+ uint32_t length_key_name_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -28438,11 +29144,13 @@ static enum ndr_err_code ndr_pull_spoolss_DeletePrinterKey(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); >- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); >+ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); >+ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); >+ if (length_key_name_0 > size_key_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -28547,6 +29255,12 @@ static enum ndr_err_code ndr_push_spoolss_DeletePrinterDriverEx(struct ndr_push > static enum ndr_err_code ndr_pull_spoolss_DeletePrinterDriverEx(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterDriverEx *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; >+ uint32_t size_architecture_0 = 0; >+ uint32_t length_architecture_0 = 0; >+ uint32_t size_driver_0 = 0; >+ uint32_t length_driver_0 = 0; > TALLOC_CTX *_mem_save_server_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server)); >@@ -28560,27 +29274,33 @@ static enum ndr_err_code ndr_pull_spoolss_DeletePrinterDriverEx(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); >- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); >+ size_architecture_0 = ndr_get_array_size(ndr, &r->in.architecture); >+ length_architecture_0 = ndr_get_array_length(ndr, &r->in.architecture); >+ if (length_architecture_0 > size_architecture_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_0, length_architecture_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.driver)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.driver)); >- if (ndr_get_array_length(ndr, &r->in.driver) > ndr_get_array_size(ndr, &r->in.driver)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.driver), ndr_get_array_length(ndr, &r->in.driver)); >+ size_driver_0 = ndr_get_array_size(ndr, &r->in.driver); >+ length_driver_0 = ndr_get_array_length(ndr, &r->in.driver); >+ if (length_driver_0 > size_driver_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_0, length_driver_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.driver), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver, ndr_get_array_length(ndr, &r->in.driver), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver, length_driver_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_spoolss_DeleteDriverFlags(ndr, NDR_SCALARS, &r->in.delete_flags)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.version)); > } >@@ -28784,6 +29504,9 @@ static enum ndr_err_code ndr_push_spoolss_XcvData(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_spoolss_XcvData(struct ndr_pull *ndr, int flags, struct spoolss_XcvData *r) > { >+ uint32_t size_function_name_0 = 0; >+ uint32_t length_function_name_0 = 0; >+ uint32_t size_out_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; > TALLOC_CTX *_mem_save_status_code_0; >@@ -28799,11 +29522,13 @@ static enum ndr_err_code ndr_pull_spoolss_XcvData(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.function_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.function_name)); >- if (ndr_get_array_length(ndr, &r->in.function_name) > ndr_get_array_size(ndr, &r->in.function_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.function_name), ndr_get_array_length(ndr, &r->in.function_name)); >+ size_function_name_0 = ndr_get_array_size(ndr, &r->in.function_name); >+ length_function_name_0 = ndr_get_array_length(ndr, &r->in.function_name); >+ if (length_function_name_0 > size_function_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_function_name_0, length_function_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.function_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.function_name, ndr_get_array_length(ndr, &r->in.function_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_function_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.function_name, length_function_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->in.in_data)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in._in_data_length)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.out_data_size)); >@@ -28823,10 +29548,11 @@ static enum ndr_err_code ndr_pull_spoolss_XcvData(struct ndr_pull *ndr, int flag > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.out_data)); >+ size_out_data_1 = ndr_get_array_size(ndr, &r->out.out_data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data)); >+ NDR_PULL_ALLOC_N(ndr, r->out.out_data, size_out_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, size_out_data_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -28919,6 +29645,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_AddPrinterDriverEx(struct ndr_push * > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_AddPrinterDriverEx(struct ndr_pull *ndr, int flags, struct spoolss_AddPrinterDriverEx *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_info_ctr_0; > if (flags & NDR_IN) { >@@ -28933,11 +29661,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_AddPrinterDriverEx(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -29521,6 +30251,12 @@ static enum ndr_err_code ndr_push_spoolss_GetCorePrinterDrivers(struct ndr_push > static enum ndr_err_code ndr_pull_spoolss_GetCorePrinterDrivers(struct ndr_pull *ndr, int flags, struct spoolss_GetCorePrinterDrivers *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; >+ uint32_t size_core_driver_dependencies_1 = 0; >+ uint32_t size_core_printer_drivers_1 = 0; > uint32_t cntr_core_printer_drivers_1; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_core_printer_drivers_1; >@@ -29538,23 +30274,28 @@ static enum ndr_err_code ndr_pull_spoolss_GetCorePrinterDrivers(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); >- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->in.architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->in.architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.core_driver_size)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.core_driver_dependencies)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.core_driver_dependencies, ndr_get_array_size(ndr, &r->in.core_driver_dependencies), sizeof(uint16_t), CH_UTF16)); >+ size_core_driver_dependencies_1 = ndr_get_array_size(ndr, &r->in.core_driver_dependencies); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.core_driver_dependencies, size_core_driver_dependencies_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.core_printer_driver_count)); > NDR_PULL_ALLOC_N(ndr, r->out.core_printer_drivers, r->in.core_printer_driver_count); > memset(r->out.core_printer_drivers, 0, (r->in.core_printer_driver_count) * sizeof(*r->out.core_printer_drivers)); >@@ -29564,12 +30305,13 @@ static enum ndr_err_code ndr_pull_spoolss_GetCorePrinterDrivers(struct ndr_pull > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.core_printer_drivers)); >+ size_core_printer_drivers_1 = ndr_get_array_size(ndr, &r->out.core_printer_drivers); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.core_printer_drivers, ndr_get_array_size(ndr, &r->out.core_printer_drivers)); >+ NDR_PULL_ALLOC_N(ndr, r->out.core_printer_drivers, size_core_printer_drivers_1); > } > _mem_save_core_printer_drivers_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.core_printer_drivers, 0); >- for (cntr_core_printer_drivers_1 = 0; cntr_core_printer_drivers_1 < r->in.core_printer_driver_count; cntr_core_printer_drivers_1++) { >+ for (cntr_core_printer_drivers_1 = 0; cntr_core_printer_drivers_1 < size_core_printer_drivers_1; cntr_core_printer_drivers_1++) { > NDR_CHECK(ndr_pull_spoolss_CorePrinterDriver(ndr, NDR_SCALARS, &r->out.core_printer_drivers[cntr_core_printer_drivers_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_core_printer_drivers_1, 0); >@@ -29729,8 +30471,17 @@ static enum ndr_err_code ndr_push_spoolss_GetPrinterDriverPackagePath(struct ndr > static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverPackagePath(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDriverPackagePath *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > uint32_t _ptr_language; >+ uint32_t size_language_1 = 0; >+ uint32_t length_language_1 = 0; >+ uint32_t size_package_id_1 = 0; >+ uint32_t length_package_id_1 = 0; > uint32_t _ptr_driver_package_cab; >+ uint32_t size_driver_package_cab_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_language_0; > TALLOC_CTX *_mem_save_driver_package_cab_0; >@@ -29749,20 +30500,24 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverPackagePath(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); >- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->in.architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->in.architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_language)); > if (_ptr_language) { > NDR_PULL_ALLOC(ndr, r->in.language); >@@ -29774,20 +30529,24 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverPackagePath(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.language, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.language)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.language)); >- if (ndr_get_array_length(ndr, &r->in.language) > ndr_get_array_size(ndr, &r->in.language)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.language), ndr_get_array_length(ndr, &r->in.language)); >+ size_language_1 = ndr_get_array_size(ndr, &r->in.language); >+ length_language_1 = ndr_get_array_length(ndr, &r->in.language); >+ if (length_language_1 > size_language_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_language_1, length_language_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.language), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.language, ndr_get_array_length(ndr, &r->in.language), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_language_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.language, length_language_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_language_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.package_id)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.package_id)); >- if (ndr_get_array_length(ndr, &r->in.package_id) > ndr_get_array_size(ndr, &r->in.package_id)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.package_id), ndr_get_array_length(ndr, &r->in.package_id)); >+ size_package_id_1 = ndr_get_array_size(ndr, &r->in.package_id); >+ length_package_id_1 = ndr_get_array_length(ndr, &r->in.package_id); >+ if (length_package_id_1 > size_package_id_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_package_id_1, length_package_id_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.package_id), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.package_id, ndr_get_array_length(ndr, &r->in.package_id), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_package_id_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.package_id, length_package_id_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_driver_package_cab)); > if (_ptr_driver_package_cab) { > NDR_PULL_ALLOC(ndr, r->in.driver_package_cab); >@@ -29798,7 +30557,8 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverPackagePath(struct ndr > _mem_save_driver_package_cab_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.driver_package_cab, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.driver_package_cab)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver_package_cab, ndr_get_array_size(ndr, &r->in.driver_package_cab), sizeof(uint16_t), CH_UTF16)); >+ size_driver_package_cab_1 = ndr_get_array_size(ndr, &r->in.driver_package_cab); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver_package_cab, size_driver_package_cab_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_package_cab_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.driver_package_cab_size)); >@@ -29819,7 +30579,8 @@ static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverPackagePath(struct ndr > _mem_save_driver_package_cab_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.driver_package_cab, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.driver_package_cab)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.driver_package_cab, ndr_get_array_size(ndr, &r->out.driver_package_cab), sizeof(uint16_t), CH_UTF16)); >+ size_driver_package_cab_1 = ndr_get_array_size(ndr, &r->out.driver_package_cab); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.driver_package_cab, size_driver_package_cab_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_package_cab_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >diff --git a/librpc/gen_ndr/ndr_srvsvc.c b/librpc/gen_ndr/ndr_srvsvc.c >index 740f610..5a87197 100644 >--- a/librpc/gen_ndr/ndr_srvsvc.c >+++ b/librpc/gen_ndr/ndr_srvsvc.c >@@ -26,6 +26,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevInfo0(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevInfo0 *r) > { > uint32_t _ptr_device; >+ uint32_t size_device_1 = 0; >+ uint32_t length_device_1 = 0; > TALLOC_CTX *_mem_save_device_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -43,11 +45,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo0(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); >- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); >+ size_device_1 = ndr_get_array_size(ndr, &r->device); >+ length_device_1 = ndr_get_array_length(ndr, &r->device); >+ if (length_device_1 > size_device_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); > } > } >@@ -93,6 +97,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevCtr0(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -112,13 +117,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr0(struct ndr_pull *ndr, in > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -185,8 +191,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevInfo1(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevInfo1 *r) > { > uint32_t _ptr_device; >+ uint32_t size_device_1 = 0; >+ uint32_t length_device_1 = 0; > TALLOC_CTX *_mem_save_device_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -212,11 +222,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo1(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); >- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); >+ size_device_1 = ndr_get_array_size(ndr, &r->device); >+ length_device_1 = ndr_get_array_length(ndr, &r->device); >+ if (length_device_1 > size_device_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); > } > if (r->user) { >@@ -224,11 +236,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo1(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -282,6 +296,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevCtr1(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -301,13 +316,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr1(struct ndr_pull *ndr, in > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -392,7 +408,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo(struct ndr_pull *ndr, in > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -402,7 +420,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -412,7 +429,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo(struct ndr_pull *ndr, in > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -532,7 +548,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -542,7 +560,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -552,7 +569,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr(struct ndr_pull *ndr, int > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -685,6 +701,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQInfo0(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQInfo0 *r) > { > uint32_t _ptr_device; >+ uint32_t size_device_1 = 0; >+ uint32_t length_device_1 = 0; > TALLOC_CTX *_mem_save_device_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -702,11 +720,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); >- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); >+ size_device_1 = ndr_get_array_size(ndr, &r->device); >+ length_device_1 = ndr_get_array_length(ndr, &r->device); >+ if (length_device_1 > size_device_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); > } > } >@@ -752,6 +772,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQCtr0(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -771,13 +792,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr0(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -845,8 +867,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQInfo1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQInfo1 *r) > { > uint32_t _ptr_device; >+ uint32_t size_device_1 = 0; >+ uint32_t length_device_1 = 0; > TALLOC_CTX *_mem_save_device_0; > uint32_t _ptr_devices; >+ uint32_t size_devices_1 = 0; >+ uint32_t length_devices_1 = 0; > TALLOC_CTX *_mem_save_devices_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -873,11 +899,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); >- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); >+ size_device_1 = ndr_get_array_size(ndr, &r->device); >+ length_device_1 = ndr_get_array_length(ndr, &r->device); >+ if (length_device_1 > size_device_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); > } > if (r->devices) { >@@ -885,11 +913,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->devices, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->devices)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->devices)); >- if (ndr_get_array_length(ndr, &r->devices) > ndr_get_array_size(ndr, &r->devices)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->devices), ndr_get_array_length(ndr, &r->devices)); >+ size_devices_1 = ndr_get_array_size(ndr, &r->devices); >+ length_devices_1 = ndr_get_array_length(ndr, &r->devices); >+ if (length_devices_1 > size_devices_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devices_1, length_devices_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->devices), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devices, ndr_get_array_length(ndr, &r->devices), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devices_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devices, length_devices_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_devices_0, 0); > } > } >@@ -944,6 +974,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQCtr1(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -963,13 +994,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr1(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -1054,7 +1086,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo(struct ndr_pull *ndr, i > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1064,7 +1098,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo(struct ndr_pull *ndr, i > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -1074,7 +1107,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo(struct ndr_pull *ndr, i > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -1194,7 +1226,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr(struct ndr_pull *ndr, in > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1204,7 +1238,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -1214,7 +1247,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr(struct ndr_pull *ndr, in > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -1381,6 +1413,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetConnCtr0(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetConnCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -1400,10 +1433,11 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr0(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetConnInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -1473,8 +1507,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetConnInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetConnInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetConnInfo1 *r) > { > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; > TALLOC_CTX *_mem_save_share_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -1503,11 +1541,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (r->share) { >@@ -1515,11 +1555,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->share)); >- if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->share); >+ length_share_1 = ndr_get_array_length(ndr, &r->share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > } >@@ -1576,6 +1618,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetConnCtr1(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetConnCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -1595,13 +1638,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr1(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetConnInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetConnInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -1686,7 +1730,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr(struct ndr_pull *ndr, int nd > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1696,7 +1742,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -1706,7 +1751,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr(struct ndr_pull *ndr, int nd > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -1873,6 +1917,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileCtr2(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetFileCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -1892,10 +1937,11 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr2(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetFileInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -1963,8 +2009,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileInfo3(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetFileInfo3 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -1991,11 +2041,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->user) { >@@ -2003,11 +2055,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -2062,6 +2116,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileCtr3(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetFileCtr3 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -2081,13 +2136,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr3(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetFileInfo3(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetFileInfo3(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -2172,7 +2228,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo(struct ndr_pull *ndr, int n > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -2182,7 +2240,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -2192,7 +2249,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo(struct ndr_pull *ndr, int n > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -2312,7 +2368,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr(struct ndr_pull *ndr, int nd > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr2_0; >+ uint32_t _ptr_ctr2; > TALLOC_CTX *_mem_save_ctr3_0; >+ uint32_t _ptr_ctr3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -2322,7 +2380,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 2: { >- uint32_t _ptr_ctr2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); > if (_ptr_ctr2) { > NDR_PULL_ALLOC(ndr, r->ctr2); >@@ -2332,7 +2389,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr(struct ndr_pull *ndr, int nd > break; } > > case 3: { >- uint32_t _ptr_ctr3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr3)); > if (_ptr_ctr3) { > NDR_PULL_ALLOC(ndr, r->ctr3); >@@ -2465,6 +2521,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo0(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo0 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -2482,11 +2540,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo0(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > } >@@ -2532,6 +2592,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr0(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -2551,13 +2612,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr0(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -2626,8 +2688,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo1 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -2655,11 +2721,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -2667,11 +2735,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -2727,6 +2797,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr1(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -2746,13 +2817,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr1(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -2828,10 +2900,16 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo2 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > uint32_t _ptr_client_type; >+ uint32_t size_client_type_1 = 0; >+ uint32_t length_client_type_1 = 0; > TALLOC_CTX *_mem_save_client_type_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -2865,11 +2943,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -2877,11 +2957,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (r->client_type) { >@@ -2889,11 +2971,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_type)); >- if (ndr_get_array_length(ndr, &r->client_type) > ndr_get_array_size(ndr, &r->client_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_type), ndr_get_array_length(ndr, &r->client_type)); >+ size_client_type_1 = ndr_get_array_size(ndr, &r->client_type); >+ length_client_type_1 = ndr_get_array_length(ndr, &r->client_type); >+ if (length_client_type_1 > size_client_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_type_1, length_client_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, length_client_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_type_0, 0); > } > } >@@ -2955,6 +3039,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr2(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -2974,13 +3059,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr2(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -3047,8 +3133,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo10(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo10(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo10 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3074,11 +3164,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo10(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -3086,11 +3178,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo10(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -3144,6 +3238,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr10(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr10(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr10 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -3163,13 +3258,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr10(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo10(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo10(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -3252,12 +3348,20 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo502(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo502 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > uint32_t _ptr_client_type; >+ uint32_t size_client_type_1 = 0; >+ uint32_t length_client_type_1 = 0; > TALLOC_CTX *_mem_save_client_type_0; > uint32_t _ptr_transport; >+ uint32_t size_transport_1 = 0; >+ uint32_t length_transport_1 = 0; > TALLOC_CTX *_mem_save_transport_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3297,11 +3401,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -3309,11 +3415,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (r->client_type) { >@@ -3321,11 +3429,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->client_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_type)); >- if (ndr_get_array_length(ndr, &r->client_type) > ndr_get_array_size(ndr, &r->client_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_type), ndr_get_array_length(ndr, &r->client_type)); >+ size_client_type_1 = ndr_get_array_size(ndr, &r->client_type); >+ length_client_type_1 = ndr_get_array_length(ndr, &r->client_type); >+ if (length_client_type_1 > size_client_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_type_1, length_client_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, length_client_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_type_0, 0); > } > if (r->transport) { >@@ -3333,11 +3443,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->transport, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->transport)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->transport)); >- if (ndr_get_array_length(ndr, &r->transport) > ndr_get_array_size(ndr, &r->transport)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->transport), ndr_get_array_length(ndr, &r->transport)); >+ size_transport_1 = ndr_get_array_size(ndr, &r->transport); >+ length_transport_1 = ndr_get_array_length(ndr, &r->transport); >+ if (length_transport_1 > size_transport_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_1, length_transport_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->transport), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport, ndr_get_array_length(ndr, &r->transport), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport, length_transport_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_0, 0); > } > } >@@ -3405,6 +3517,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr502(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr502 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -3424,13 +3537,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr502(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo502(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo502(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -3545,10 +3659,15 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > TALLOC_CTX *_mem_save_ctr2_0; >+ uint32_t _ptr_ctr2; > TALLOC_CTX *_mem_save_ctr10_0; >+ uint32_t _ptr_ctr10; > TALLOC_CTX *_mem_save_ctr502_0; >+ uint32_t _ptr_ctr502; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -3558,7 +3677,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -3568,7 +3686,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -3578,7 +3695,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > break; } > > case 2: { >- uint32_t _ptr_ctr2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); > if (_ptr_ctr2) { > NDR_PULL_ALLOC(ndr, r->ctr2); >@@ -3588,7 +3704,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > break; } > > case 10: { >- uint32_t _ptr_ctr10; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr10)); > if (_ptr_ctr10) { > NDR_PULL_ALLOC(ndr, r->ctr10); >@@ -3598,7 +3713,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > break; } > > case 502: { >- uint32_t _ptr_ctr502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr502)); > if (_ptr_ctr502) { > NDR_PULL_ALLOC(ndr, r->ctr502); >@@ -3835,6 +3949,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo0(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo0 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3852,11 +3968,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo0(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > } >@@ -3902,6 +4020,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr0(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -3921,13 +4040,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr0(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -3993,8 +4113,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo1 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4019,11 +4143,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -4031,11 +4157,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -4088,6 +4216,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4107,13 +4236,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4196,12 +4326,20 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo2 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_password_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4241,11 +4379,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -4253,11 +4393,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->path) { >@@ -4265,11 +4407,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->password) { >@@ -4277,11 +4421,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); >- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->password); >+ length_password_1 = ndr_get_array_length(ndr, &r->password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > } >@@ -4349,6 +4495,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4368,13 +4515,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr2(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4441,8 +4589,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo501(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo501(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo501 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4468,11 +4620,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo501(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -4480,11 +4634,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo501(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -4538,6 +4694,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr501(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr501(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr501 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4557,13 +4714,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr501(struct ndr_pull *ndr, in > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo501(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo501(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4648,12 +4806,20 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo502(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo502 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_password_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4694,11 +4860,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -4706,11 +4874,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->path) { >@@ -4718,11 +4888,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->password) { >@@ -4730,11 +4902,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); >- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->password); >+ length_password_1 = ndr_get_array_length(ndr, &r->password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_BUFFERS, &r->sd_buf)); >@@ -4804,6 +4978,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr502(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr502 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4823,13 +4998,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr502(struct ndr_pull *ndr, in > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo502(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo502(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4887,6 +5063,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo1004(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1004(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo1004 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4904,11 +5082,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1004(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -4954,6 +5134,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1004(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1004(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1004 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4973,13 +5154,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1004(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1004(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1004(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5094,6 +5276,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1005(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1005(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1005 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5113,10 +5296,11 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1005(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1005(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5208,6 +5392,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1006(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1006(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1006 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5227,10 +5412,11 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1006(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1006(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5289,6 +5475,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo1007(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1007(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo1007 *r) > { > uint32_t _ptr_alternate_directory_name; >+ uint32_t size_alternate_directory_name_1 = 0; >+ uint32_t length_alternate_directory_name_1 = 0; > TALLOC_CTX *_mem_save_alternate_directory_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -5307,11 +5495,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1007(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->alternate_directory_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->alternate_directory_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->alternate_directory_name)); >- if (ndr_get_array_length(ndr, &r->alternate_directory_name) > ndr_get_array_size(ndr, &r->alternate_directory_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->alternate_directory_name), ndr_get_array_length(ndr, &r->alternate_directory_name)); >+ size_alternate_directory_name_1 = ndr_get_array_size(ndr, &r->alternate_directory_name); >+ length_alternate_directory_name_1 = ndr_get_array_length(ndr, &r->alternate_directory_name); >+ if (length_alternate_directory_name_1 > size_alternate_directory_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_alternate_directory_name_1, length_alternate_directory_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->alternate_directory_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alternate_directory_name, ndr_get_array_length(ndr, &r->alternate_directory_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_alternate_directory_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alternate_directory_name, length_alternate_directory_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_alternate_directory_name_0, 0); > } > } >@@ -5358,6 +5548,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1007(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1007(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1007 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5377,13 +5568,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1007(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1007(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1007(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5446,6 +5638,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1501(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1501(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1501 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5465,13 +5658,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1501(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5636,15 +5830,25 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info501_0; >+ uint32_t _ptr_info501; > TALLOC_CTX *_mem_save_info502_0; >+ uint32_t _ptr_info502; > TALLOC_CTX *_mem_save_info1004_0; >+ uint32_t _ptr_info1004; > TALLOC_CTX *_mem_save_info1005_0; >+ uint32_t _ptr_info1005; > TALLOC_CTX *_mem_save_info1006_0; >+ uint32_t _ptr_info1006; > TALLOC_CTX *_mem_save_info1007_0; >+ uint32_t _ptr_info1007; > TALLOC_CTX *_mem_save_info1501_0; >+ uint32_t _ptr_info1501; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -5654,7 +5858,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -5664,7 +5867,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -5674,7 +5876,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -5684,7 +5885,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 501: { >- uint32_t _ptr_info501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info501)); > if (_ptr_info501) { > NDR_PULL_ALLOC(ndr, r->info501); >@@ -5694,7 +5894,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 502: { >- uint32_t _ptr_info502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info502)); > if (_ptr_info502) { > NDR_PULL_ALLOC(ndr, r->info502); >@@ -5704,7 +5903,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1004: { >- uint32_t _ptr_info1004; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1004)); > if (_ptr_info1004) { > NDR_PULL_ALLOC(ndr, r->info1004); >@@ -5714,7 +5912,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1005: { >- uint32_t _ptr_info1005; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1005)); > if (_ptr_info1005) { > NDR_PULL_ALLOC(ndr, r->info1005); >@@ -5724,7 +5921,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1006: { >- uint32_t _ptr_info1006; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1006)); > if (_ptr_info1006) { > NDR_PULL_ALLOC(ndr, r->info1006); >@@ -5734,7 +5930,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1007: { >- uint32_t _ptr_info1007; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1007)); > if (_ptr_info1007) { > NDR_PULL_ALLOC(ndr, r->info1007); >@@ -5744,7 +5939,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1501: { >- uint32_t _ptr_info1501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1501)); > if (_ptr_info1501) { > NDR_PULL_ALLOC(ndr, r->info1501); >@@ -6088,15 +6282,25 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > TALLOC_CTX *_mem_save_ctr2_0; >+ uint32_t _ptr_ctr2; > TALLOC_CTX *_mem_save_ctr501_0; >+ uint32_t _ptr_ctr501; > TALLOC_CTX *_mem_save_ctr502_0; >+ uint32_t _ptr_ctr502; > TALLOC_CTX *_mem_save_ctr1004_0; >+ uint32_t _ptr_ctr1004; > TALLOC_CTX *_mem_save_ctr1005_0; >+ uint32_t _ptr_ctr1005; > TALLOC_CTX *_mem_save_ctr1006_0; >+ uint32_t _ptr_ctr1006; > TALLOC_CTX *_mem_save_ctr1007_0; >+ uint32_t _ptr_ctr1007; > TALLOC_CTX *_mem_save_ctr1501_0; >+ uint32_t _ptr_ctr1501; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -6106,7 +6310,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -6116,7 +6319,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -6126,7 +6328,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 2: { >- uint32_t _ptr_ctr2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); > if (_ptr_ctr2) { > NDR_PULL_ALLOC(ndr, r->ctr2); >@@ -6136,7 +6337,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 501: { >- uint32_t _ptr_ctr501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr501)); > if (_ptr_ctr501) { > NDR_PULL_ALLOC(ndr, r->ctr501); >@@ -6146,7 +6346,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 502: { >- uint32_t _ptr_ctr502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr502)); > if (_ptr_ctr502) { > NDR_PULL_ALLOC(ndr, r->ctr502); >@@ -6156,7 +6355,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1004: { >- uint32_t _ptr_ctr1004; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1004)); > if (_ptr_ctr1004) { > NDR_PULL_ALLOC(ndr, r->ctr1004); >@@ -6166,7 +6364,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1005: { >- uint32_t _ptr_ctr1005; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1005)); > if (_ptr_ctr1005) { > NDR_PULL_ALLOC(ndr, r->ctr1005); >@@ -6176,7 +6373,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1006: { >- uint32_t _ptr_ctr1006; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1006)); > if (_ptr_ctr1006) { > NDR_PULL_ALLOC(ndr, r->ctr1006); >@@ -6186,7 +6382,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1007: { >- uint32_t _ptr_ctr1007; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1007)); > if (_ptr_ctr1007) { > NDR_PULL_ALLOC(ndr, r->ctr1007); >@@ -6196,7 +6391,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1501: { >- uint32_t _ptr_ctr1501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1501)); > if (_ptr_ctr1501) { > NDR_PULL_ALLOC(ndr, r->ctr1501); >@@ -6502,6 +6696,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_srvsvc_NetSrvInfo100(struct ndr_push *ndr, i > _PUBLIC_ enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo100(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo100 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6520,11 +6716,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo100(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > } >@@ -6577,8 +6775,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_srvsvc_NetSrvInfo101(struct ndr_push *ndr, i > _PUBLIC_ enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo101(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo101 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6606,11 +6808,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo101(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->comment) { >@@ -6618,11 +6822,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo101(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -6697,10 +6903,16 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo102(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo102(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo102 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_userpath; >+ uint32_t size_userpath_1 = 0; >+ uint32_t length_userpath_1 = 0; > TALLOC_CTX *_mem_save_userpath_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6740,11 +6952,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo102(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->comment) { >@@ -6752,11 +6966,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo102(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->userpath) { >@@ -6764,11 +6980,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo102(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->userpath, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->userpath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->userpath)); >- if (ndr_get_array_length(ndr, &r->userpath) > ndr_get_array_size(ndr, &r->userpath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->userpath), ndr_get_array_length(ndr, &r->userpath)); >+ size_userpath_1 = ndr_get_array_size(ndr, &r->userpath); >+ length_userpath_1 = ndr_get_array_length(ndr, &r->userpath); >+ if (length_userpath_1 > size_userpath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_userpath_1, length_userpath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->userpath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->userpath, ndr_get_array_length(ndr, &r->userpath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_userpath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->userpath, length_userpath_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_userpath_0, 0); > } > } >@@ -6873,10 +7091,16 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo402(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo402(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo402 *r) > { > uint32_t _ptr_alerts; >+ uint32_t size_alerts_1 = 0; >+ uint32_t length_alerts_1 = 0; > TALLOC_CTX *_mem_save_alerts_0; > uint32_t _ptr_guestaccount; >+ uint32_t size_guestaccount_1 = 0; >+ uint32_t length_guestaccount_1 = 0; > TALLOC_CTX *_mem_save_guestaccount_0; > uint32_t _ptr_srvheuristics; >+ uint32_t size_srvheuristics_1 = 0; >+ uint32_t length_srvheuristics_1 = 0; > TALLOC_CTX *_mem_save_srvheuristics_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -6934,11 +7158,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo402(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->alerts, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->alerts)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->alerts)); >- if (ndr_get_array_length(ndr, &r->alerts) > ndr_get_array_size(ndr, &r->alerts)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->alerts), ndr_get_array_length(ndr, &r->alerts)); >+ size_alerts_1 = ndr_get_array_size(ndr, &r->alerts); >+ length_alerts_1 = ndr_get_array_length(ndr, &r->alerts); >+ if (length_alerts_1 > size_alerts_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_alerts_1, length_alerts_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_alerts_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, length_alerts_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_alerts_0, 0); > } > if (r->guestaccount) { >@@ -6946,11 +7172,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo402(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->guestaccount, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->guestaccount)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->guestaccount)); >- if (ndr_get_array_length(ndr, &r->guestaccount) > ndr_get_array_size(ndr, &r->guestaccount)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->guestaccount), ndr_get_array_length(ndr, &r->guestaccount)); >+ size_guestaccount_1 = ndr_get_array_size(ndr, &r->guestaccount); >+ length_guestaccount_1 = ndr_get_array_length(ndr, &r->guestaccount); >+ if (length_guestaccount_1 > size_guestaccount_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_guestaccount_1, length_guestaccount_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_guestaccount_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, length_guestaccount_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guestaccount_0, 0); > } > if (r->srvheuristics) { >@@ -6958,11 +7186,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo402(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->srvheuristics, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->srvheuristics)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->srvheuristics)); >- if (ndr_get_array_length(ndr, &r->srvheuristics) > ndr_get_array_size(ndr, &r->srvheuristics)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->srvheuristics), ndr_get_array_length(ndr, &r->srvheuristics)); >+ size_srvheuristics_1 = ndr_get_array_size(ndr, &r->srvheuristics); >+ length_srvheuristics_1 = ndr_get_array_length(ndr, &r->srvheuristics); >+ if (length_srvheuristics_1 > size_srvheuristics_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_srvheuristics_1, length_srvheuristics_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_srvheuristics_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, length_srvheuristics_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_srvheuristics_0, 0); > } > } >@@ -7094,12 +7324,20 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo403(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo403 *r) > { > uint32_t _ptr_alerts; >+ uint32_t size_alerts_1 = 0; >+ uint32_t length_alerts_1 = 0; > TALLOC_CTX *_mem_save_alerts_0; > uint32_t _ptr_guestaccount; >+ uint32_t size_guestaccount_1 = 0; >+ uint32_t length_guestaccount_1 = 0; > TALLOC_CTX *_mem_save_guestaccount_0; > uint32_t _ptr_srvheuristics; >+ uint32_t size_srvheuristics_1 = 0; >+ uint32_t length_srvheuristics_1 = 0; > TALLOC_CTX *_mem_save_srvheuristics_0; > uint32_t _ptr_autopath; >+ uint32_t size_autopath_1 = 0; >+ uint32_t length_autopath_1 = 0; > TALLOC_CTX *_mem_save_autopath_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7165,11 +7403,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->alerts, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->alerts)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->alerts)); >- if (ndr_get_array_length(ndr, &r->alerts) > ndr_get_array_size(ndr, &r->alerts)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->alerts), ndr_get_array_length(ndr, &r->alerts)); >+ size_alerts_1 = ndr_get_array_size(ndr, &r->alerts); >+ length_alerts_1 = ndr_get_array_length(ndr, &r->alerts); >+ if (length_alerts_1 > size_alerts_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_alerts_1, length_alerts_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_alerts_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, length_alerts_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_alerts_0, 0); > } > if (r->guestaccount) { >@@ -7177,11 +7417,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->guestaccount, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->guestaccount)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->guestaccount)); >- if (ndr_get_array_length(ndr, &r->guestaccount) > ndr_get_array_size(ndr, &r->guestaccount)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->guestaccount), ndr_get_array_length(ndr, &r->guestaccount)); >+ size_guestaccount_1 = ndr_get_array_size(ndr, &r->guestaccount); >+ length_guestaccount_1 = ndr_get_array_length(ndr, &r->guestaccount); >+ if (length_guestaccount_1 > size_guestaccount_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_guestaccount_1, length_guestaccount_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_guestaccount_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, length_guestaccount_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guestaccount_0, 0); > } > if (r->srvheuristics) { >@@ -7189,11 +7431,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->srvheuristics, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->srvheuristics)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->srvheuristics)); >- if (ndr_get_array_length(ndr, &r->srvheuristics) > ndr_get_array_size(ndr, &r->srvheuristics)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->srvheuristics), ndr_get_array_length(ndr, &r->srvheuristics)); >+ size_srvheuristics_1 = ndr_get_array_size(ndr, &r->srvheuristics); >+ length_srvheuristics_1 = ndr_get_array_length(ndr, &r->srvheuristics); >+ if (length_srvheuristics_1 > size_srvheuristics_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_srvheuristics_1, length_srvheuristics_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_srvheuristics_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, length_srvheuristics_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_srvheuristics_0, 0); > } > if (r->autopath) { >@@ -7201,11 +7445,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->autopath, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->autopath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->autopath)); >- if (ndr_get_array_length(ndr, &r->autopath) > ndr_get_array_size(ndr, &r->autopath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->autopath), ndr_get_array_length(ndr, &r->autopath)); >+ size_autopath_1 = ndr_get_array_size(ndr, &r->autopath); >+ length_autopath_1 = ndr_get_array_length(ndr, &r->autopath); >+ if (length_autopath_1 > size_autopath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_autopath_1, length_autopath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->autopath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->autopath, ndr_get_array_length(ndr, &r->autopath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_autopath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->autopath, length_autopath_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_autopath_0, 0); > } > } >@@ -7418,6 +7664,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo503(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo503(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo503 *r) > { > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7476,11 +7724,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo503(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > } >@@ -7616,6 +7866,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo599(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo599(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo599 *r) > { > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7687,11 +7939,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo599(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > } >@@ -7786,6 +8040,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo1005(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo1005(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo1005 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -7803,11 +8059,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo1005(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -10045,64 +10303,123 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info100_0; >+ uint32_t _ptr_info100; > TALLOC_CTX *_mem_save_info101_0; >+ uint32_t _ptr_info101; > TALLOC_CTX *_mem_save_info102_0; >+ uint32_t _ptr_info102; > TALLOC_CTX *_mem_save_info402_0; >+ uint32_t _ptr_info402; > TALLOC_CTX *_mem_save_info403_0; >+ uint32_t _ptr_info403; > TALLOC_CTX *_mem_save_info502_0; >+ uint32_t _ptr_info502; > TALLOC_CTX *_mem_save_info503_0; >+ uint32_t _ptr_info503; > TALLOC_CTX *_mem_save_info599_0; >+ uint32_t _ptr_info599; > TALLOC_CTX *_mem_save_info1005_0; >+ uint32_t _ptr_info1005; > TALLOC_CTX *_mem_save_info1010_0; >+ uint32_t _ptr_info1010; > TALLOC_CTX *_mem_save_info1016_0; >+ uint32_t _ptr_info1016; > TALLOC_CTX *_mem_save_info1017_0; >+ uint32_t _ptr_info1017; > TALLOC_CTX *_mem_save_info1018_0; >+ uint32_t _ptr_info1018; > TALLOC_CTX *_mem_save_info1107_0; >+ uint32_t _ptr_info1107; > TALLOC_CTX *_mem_save_info1501_0; >+ uint32_t _ptr_info1501; > TALLOC_CTX *_mem_save_info1502_0; >+ uint32_t _ptr_info1502; > TALLOC_CTX *_mem_save_info1503_0; >+ uint32_t _ptr_info1503; > TALLOC_CTX *_mem_save_info1506_0; >+ uint32_t _ptr_info1506; > TALLOC_CTX *_mem_save_info1509_0; >+ uint32_t _ptr_info1509; > TALLOC_CTX *_mem_save_info1510_0; >+ uint32_t _ptr_info1510; > TALLOC_CTX *_mem_save_info1511_0; >+ uint32_t _ptr_info1511; > TALLOC_CTX *_mem_save_info1512_0; >+ uint32_t _ptr_info1512; > TALLOC_CTX *_mem_save_info1513_0; >+ uint32_t _ptr_info1513; > TALLOC_CTX *_mem_save_info1514_0; >+ uint32_t _ptr_info1514; > TALLOC_CTX *_mem_save_info1515_0; >+ uint32_t _ptr_info1515; > TALLOC_CTX *_mem_save_info1516_0; >+ uint32_t _ptr_info1516; > TALLOC_CTX *_mem_save_info1518_0; >+ uint32_t _ptr_info1518; > TALLOC_CTX *_mem_save_info1520_0; >+ uint32_t _ptr_info1520; > TALLOC_CTX *_mem_save_info1521_0; >+ uint32_t _ptr_info1521; > TALLOC_CTX *_mem_save_info1522_0; >+ uint32_t _ptr_info1522; > TALLOC_CTX *_mem_save_info1523_0; >+ uint32_t _ptr_info1523; > TALLOC_CTX *_mem_save_info1524_0; >+ uint32_t _ptr_info1524; > TALLOC_CTX *_mem_save_info1525_0; >+ uint32_t _ptr_info1525; > TALLOC_CTX *_mem_save_info1528_0; >+ uint32_t _ptr_info1528; > TALLOC_CTX *_mem_save_info1529_0; >+ uint32_t _ptr_info1529; > TALLOC_CTX *_mem_save_info1530_0; >+ uint32_t _ptr_info1530; > TALLOC_CTX *_mem_save_info1533_0; >+ uint32_t _ptr_info1533; > TALLOC_CTX *_mem_save_info1534_0; >+ uint32_t _ptr_info1534; > TALLOC_CTX *_mem_save_info1535_0; >+ uint32_t _ptr_info1535; > TALLOC_CTX *_mem_save_info1536_0; >+ uint32_t _ptr_info1536; > TALLOC_CTX *_mem_save_info1537_0; >+ uint32_t _ptr_info1537; > TALLOC_CTX *_mem_save_info1538_0; >+ uint32_t _ptr_info1538; > TALLOC_CTX *_mem_save_info1539_0; >+ uint32_t _ptr_info1539; > TALLOC_CTX *_mem_save_info1540_0; >+ uint32_t _ptr_info1540; > TALLOC_CTX *_mem_save_info1541_0; >+ uint32_t _ptr_info1541; > TALLOC_CTX *_mem_save_info1542_0; >+ uint32_t _ptr_info1542; > TALLOC_CTX *_mem_save_info1543_0; >+ uint32_t _ptr_info1543; > TALLOC_CTX *_mem_save_info1544_0; >+ uint32_t _ptr_info1544; > TALLOC_CTX *_mem_save_info1545_0; >+ uint32_t _ptr_info1545; > TALLOC_CTX *_mem_save_info1546_0; >+ uint32_t _ptr_info1546; > TALLOC_CTX *_mem_save_info1547_0; >+ uint32_t _ptr_info1547; > TALLOC_CTX *_mem_save_info1548_0; >+ uint32_t _ptr_info1548; > TALLOC_CTX *_mem_save_info1549_0; >+ uint32_t _ptr_info1549; > TALLOC_CTX *_mem_save_info1550_0; >+ uint32_t _ptr_info1550; > TALLOC_CTX *_mem_save_info1552_0; >+ uint32_t _ptr_info1552; > TALLOC_CTX *_mem_save_info1553_0; >+ uint32_t _ptr_info1553; > TALLOC_CTX *_mem_save_info1554_0; >+ uint32_t _ptr_info1554; > TALLOC_CTX *_mem_save_info1555_0; >+ uint32_t _ptr_info1555; > TALLOC_CTX *_mem_save_info1556_0; >+ uint32_t _ptr_info1556; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -10112,7 +10429,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 100: { >- uint32_t _ptr_info100; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); > if (_ptr_info100) { > NDR_PULL_ALLOC(ndr, r->info100); >@@ -10122,7 +10438,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 101: { >- uint32_t _ptr_info101; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); > if (_ptr_info101) { > NDR_PULL_ALLOC(ndr, r->info101); >@@ -10132,7 +10447,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 102: { >- uint32_t _ptr_info102; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info102)); > if (_ptr_info102) { > NDR_PULL_ALLOC(ndr, r->info102); >@@ -10142,7 +10456,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 402: { >- uint32_t _ptr_info402; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info402)); > if (_ptr_info402) { > NDR_PULL_ALLOC(ndr, r->info402); >@@ -10152,7 +10465,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 403: { >- uint32_t _ptr_info403; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info403)); > if (_ptr_info403) { > NDR_PULL_ALLOC(ndr, r->info403); >@@ -10162,7 +10474,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 502: { >- uint32_t _ptr_info502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info502)); > if (_ptr_info502) { > NDR_PULL_ALLOC(ndr, r->info502); >@@ -10172,7 +10483,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 503: { >- uint32_t _ptr_info503; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info503)); > if (_ptr_info503) { > NDR_PULL_ALLOC(ndr, r->info503); >@@ -10182,7 +10492,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 599: { >- uint32_t _ptr_info599; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info599)); > if (_ptr_info599) { > NDR_PULL_ALLOC(ndr, r->info599); >@@ -10192,7 +10501,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1005: { >- uint32_t _ptr_info1005; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1005)); > if (_ptr_info1005) { > NDR_PULL_ALLOC(ndr, r->info1005); >@@ -10202,7 +10510,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1010: { >- uint32_t _ptr_info1010; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1010)); > if (_ptr_info1010) { > NDR_PULL_ALLOC(ndr, r->info1010); >@@ -10212,7 +10519,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1016: { >- uint32_t _ptr_info1016; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1016)); > if (_ptr_info1016) { > NDR_PULL_ALLOC(ndr, r->info1016); >@@ -10222,7 +10528,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1017: { >- uint32_t _ptr_info1017; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1017)); > if (_ptr_info1017) { > NDR_PULL_ALLOC(ndr, r->info1017); >@@ -10232,7 +10537,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1018: { >- uint32_t _ptr_info1018; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1018)); > if (_ptr_info1018) { > NDR_PULL_ALLOC(ndr, r->info1018); >@@ -10242,7 +10546,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1107: { >- uint32_t _ptr_info1107; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1107)); > if (_ptr_info1107) { > NDR_PULL_ALLOC(ndr, r->info1107); >@@ -10252,7 +10555,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1501: { >- uint32_t _ptr_info1501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1501)); > if (_ptr_info1501) { > NDR_PULL_ALLOC(ndr, r->info1501); >@@ -10262,7 +10564,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1502: { >- uint32_t _ptr_info1502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1502)); > if (_ptr_info1502) { > NDR_PULL_ALLOC(ndr, r->info1502); >@@ -10272,7 +10573,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1503: { >- uint32_t _ptr_info1503; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1503)); > if (_ptr_info1503) { > NDR_PULL_ALLOC(ndr, r->info1503); >@@ -10282,7 +10582,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1506: { >- uint32_t _ptr_info1506; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1506)); > if (_ptr_info1506) { > NDR_PULL_ALLOC(ndr, r->info1506); >@@ -10292,7 +10591,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1509: { >- uint32_t _ptr_info1509; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1509)); > if (_ptr_info1509) { > NDR_PULL_ALLOC(ndr, r->info1509); >@@ -10302,7 +10600,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1510: { >- uint32_t _ptr_info1510; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1510)); > if (_ptr_info1510) { > NDR_PULL_ALLOC(ndr, r->info1510); >@@ -10312,7 +10609,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1511: { >- uint32_t _ptr_info1511; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1511)); > if (_ptr_info1511) { > NDR_PULL_ALLOC(ndr, r->info1511); >@@ -10322,7 +10618,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1512: { >- uint32_t _ptr_info1512; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1512)); > if (_ptr_info1512) { > NDR_PULL_ALLOC(ndr, r->info1512); >@@ -10332,7 +10627,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1513: { >- uint32_t _ptr_info1513; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1513)); > if (_ptr_info1513) { > NDR_PULL_ALLOC(ndr, r->info1513); >@@ -10342,7 +10636,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1514: { >- uint32_t _ptr_info1514; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1514)); > if (_ptr_info1514) { > NDR_PULL_ALLOC(ndr, r->info1514); >@@ -10352,7 +10645,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1515: { >- uint32_t _ptr_info1515; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1515)); > if (_ptr_info1515) { > NDR_PULL_ALLOC(ndr, r->info1515); >@@ -10362,7 +10654,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1516: { >- uint32_t _ptr_info1516; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1516)); > if (_ptr_info1516) { > NDR_PULL_ALLOC(ndr, r->info1516); >@@ -10372,7 +10663,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1518: { >- uint32_t _ptr_info1518; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1518)); > if (_ptr_info1518) { > NDR_PULL_ALLOC(ndr, r->info1518); >@@ -10382,7 +10672,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1520: { >- uint32_t _ptr_info1520; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1520)); > if (_ptr_info1520) { > NDR_PULL_ALLOC(ndr, r->info1520); >@@ -10392,7 +10681,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1521: { >- uint32_t _ptr_info1521; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1521)); > if (_ptr_info1521) { > NDR_PULL_ALLOC(ndr, r->info1521); >@@ -10402,7 +10690,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1522: { >- uint32_t _ptr_info1522; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1522)); > if (_ptr_info1522) { > NDR_PULL_ALLOC(ndr, r->info1522); >@@ -10412,7 +10699,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1523: { >- uint32_t _ptr_info1523; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1523)); > if (_ptr_info1523) { > NDR_PULL_ALLOC(ndr, r->info1523); >@@ -10422,7 +10708,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1524: { >- uint32_t _ptr_info1524; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1524)); > if (_ptr_info1524) { > NDR_PULL_ALLOC(ndr, r->info1524); >@@ -10432,7 +10717,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1525: { >- uint32_t _ptr_info1525; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1525)); > if (_ptr_info1525) { > NDR_PULL_ALLOC(ndr, r->info1525); >@@ -10442,7 +10726,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1528: { >- uint32_t _ptr_info1528; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1528)); > if (_ptr_info1528) { > NDR_PULL_ALLOC(ndr, r->info1528); >@@ -10452,7 +10735,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1529: { >- uint32_t _ptr_info1529; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1529)); > if (_ptr_info1529) { > NDR_PULL_ALLOC(ndr, r->info1529); >@@ -10462,7 +10744,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1530: { >- uint32_t _ptr_info1530; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1530)); > if (_ptr_info1530) { > NDR_PULL_ALLOC(ndr, r->info1530); >@@ -10472,7 +10753,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1533: { >- uint32_t _ptr_info1533; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1533)); > if (_ptr_info1533) { > NDR_PULL_ALLOC(ndr, r->info1533); >@@ -10482,7 +10762,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1534: { >- uint32_t _ptr_info1534; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1534)); > if (_ptr_info1534) { > NDR_PULL_ALLOC(ndr, r->info1534); >@@ -10492,7 +10771,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1535: { >- uint32_t _ptr_info1535; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1535)); > if (_ptr_info1535) { > NDR_PULL_ALLOC(ndr, r->info1535); >@@ -10502,7 +10780,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1536: { >- uint32_t _ptr_info1536; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1536)); > if (_ptr_info1536) { > NDR_PULL_ALLOC(ndr, r->info1536); >@@ -10512,7 +10789,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1537: { >- uint32_t _ptr_info1537; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1537)); > if (_ptr_info1537) { > NDR_PULL_ALLOC(ndr, r->info1537); >@@ -10522,7 +10798,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1538: { >- uint32_t _ptr_info1538; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1538)); > if (_ptr_info1538) { > NDR_PULL_ALLOC(ndr, r->info1538); >@@ -10532,7 +10807,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1539: { >- uint32_t _ptr_info1539; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1539)); > if (_ptr_info1539) { > NDR_PULL_ALLOC(ndr, r->info1539); >@@ -10542,7 +10816,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1540: { >- uint32_t _ptr_info1540; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1540)); > if (_ptr_info1540) { > NDR_PULL_ALLOC(ndr, r->info1540); >@@ -10552,7 +10825,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1541: { >- uint32_t _ptr_info1541; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1541)); > if (_ptr_info1541) { > NDR_PULL_ALLOC(ndr, r->info1541); >@@ -10562,7 +10834,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1542: { >- uint32_t _ptr_info1542; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1542)); > if (_ptr_info1542) { > NDR_PULL_ALLOC(ndr, r->info1542); >@@ -10572,7 +10843,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1543: { >- uint32_t _ptr_info1543; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1543)); > if (_ptr_info1543) { > NDR_PULL_ALLOC(ndr, r->info1543); >@@ -10582,7 +10852,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1544: { >- uint32_t _ptr_info1544; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1544)); > if (_ptr_info1544) { > NDR_PULL_ALLOC(ndr, r->info1544); >@@ -10592,7 +10861,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1545: { >- uint32_t _ptr_info1545; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1545)); > if (_ptr_info1545) { > NDR_PULL_ALLOC(ndr, r->info1545); >@@ -10602,7 +10870,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1546: { >- uint32_t _ptr_info1546; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1546)); > if (_ptr_info1546) { > NDR_PULL_ALLOC(ndr, r->info1546); >@@ -10612,7 +10879,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1547: { >- uint32_t _ptr_info1547; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1547)); > if (_ptr_info1547) { > NDR_PULL_ALLOC(ndr, r->info1547); >@@ -10622,7 +10888,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1548: { >- uint32_t _ptr_info1548; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1548)); > if (_ptr_info1548) { > NDR_PULL_ALLOC(ndr, r->info1548); >@@ -10632,7 +10897,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1549: { >- uint32_t _ptr_info1549; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1549)); > if (_ptr_info1549) { > NDR_PULL_ALLOC(ndr, r->info1549); >@@ -10642,7 +10906,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1550: { >- uint32_t _ptr_info1550; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1550)); > if (_ptr_info1550) { > NDR_PULL_ALLOC(ndr, r->info1550); >@@ -10652,7 +10915,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1552: { >- uint32_t _ptr_info1552; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1552)); > if (_ptr_info1552) { > NDR_PULL_ALLOC(ndr, r->info1552); >@@ -10662,7 +10924,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1553: { >- uint32_t _ptr_info1553; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1553)); > if (_ptr_info1553) { > NDR_PULL_ALLOC(ndr, r->info1553); >@@ -10672,7 +10933,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1554: { >- uint32_t _ptr_info1554; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1554)); > if (_ptr_info1554) { > NDR_PULL_ALLOC(ndr, r->info1554); >@@ -10682,7 +10942,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1555: { >- uint32_t _ptr_info1555; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1555)); > if (_ptr_info1555) { > NDR_PULL_ALLOC(ndr, r->info1555); >@@ -10692,7 +10951,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1556: { >- uint32_t _ptr_info1556; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1556)); > if (_ptr_info1556) { > NDR_PULL_ALLOC(ndr, r->info1556); >@@ -11806,11 +12064,13 @@ static enum ndr_err_code ndr_push_srvsvc_NetDiskInfo0(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_srvsvc_NetDiskInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetDiskInfo0 *r) > { >+ uint32_t size_disk_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__disk_offset)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__disk_length)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->disk, r->__disk_length, sizeof(uint16_t), CH_UTF16)); >+ size_disk_0 = r->__disk_length; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->disk, size_disk_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -11853,6 +12113,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetDiskInfo(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetDiskInfo(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetDiskInfo *r) > { > uint32_t _ptr_disks; >+ uint32_t size_disks_1 = 0; >+ uint32_t length_disks_1 = 0; > uint32_t cntr_disks_1; > TALLOC_CTX *_mem_save_disks_0; > TALLOC_CTX *_mem_save_disks_1; >@@ -11873,13 +12135,15 @@ static enum ndr_err_code ndr_pull_srvsvc_NetDiskInfo(struct ndr_pull *ndr, int n > NDR_PULL_SET_MEM_CTX(ndr, r->disks, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->disks)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->disks)); >- if (ndr_get_array_length(ndr, &r->disks) > ndr_get_array_size(ndr, &r->disks)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->disks), ndr_get_array_length(ndr, &r->disks)); >+ size_disks_1 = ndr_get_array_size(ndr, &r->disks); >+ length_disks_1 = ndr_get_array_length(ndr, &r->disks); >+ if (length_disks_1 > size_disks_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_disks_1, length_disks_1); > } >- NDR_PULL_ALLOC_N(ndr, r->disks, ndr_get_array_size(ndr, &r->disks)); >+ NDR_PULL_ALLOC_N(ndr, r->disks, size_disks_1); > _mem_save_disks_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->disks, 0); >- for (cntr_disks_1 = 0; cntr_disks_1 < ndr_get_array_length(ndr, &r->disks); cntr_disks_1++) { >+ for (cntr_disks_1 = 0; cntr_disks_1 < length_disks_1; cntr_disks_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetDiskInfo0(ndr, NDR_SCALARS, &r->disks[cntr_disks_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_disks_1, 0); >@@ -12034,10 +12298,15 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportInfo0(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo0 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_addr; >+ uint32_t size_addr_1 = 0; > TALLOC_CTX *_mem_save_addr_0; > uint32_t _ptr_net_addr; >+ uint32_t size_net_addr_1 = 0; >+ uint32_t length_net_addr_1 = 0; > TALLOC_CTX *_mem_save_net_addr_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -12069,19 +12338,22 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->addr) { > _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); >- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); >+ size_addr_1 = ndr_get_array_size(ndr, &r->addr); >+ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); > } > if (r->net_addr) { >@@ -12089,11 +12361,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); >- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); >+ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); >+ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); >+ if (length_net_addr_1 > size_net_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); > } > if (r->addr) { >@@ -12156,6 +12430,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportCtr0(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -12175,13 +12450,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr0(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -12260,12 +12536,19 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportInfo1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo1 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_addr; >+ uint32_t size_addr_1 = 0; > TALLOC_CTX *_mem_save_addr_0; > uint32_t _ptr_net_addr; >+ uint32_t size_net_addr_1 = 0; >+ uint32_t length_net_addr_1 = 0; > TALLOC_CTX *_mem_save_net_addr_0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -12303,19 +12586,22 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->addr) { > _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); >- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); >+ size_addr_1 = ndr_get_array_size(ndr, &r->addr); >+ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); > } > if (r->net_addr) { >@@ -12323,11 +12609,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); >- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); >+ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); >+ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); >+ if (length_net_addr_1 > size_net_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); > } > if (r->domain) { >@@ -12335,11 +12623,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->addr) { >@@ -12408,6 +12698,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportCtr1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -12427,13 +12718,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr1(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -12513,12 +12805,19 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportInfo2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo2 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_addr; >+ uint32_t size_addr_1 = 0; > TALLOC_CTX *_mem_save_addr_0; > uint32_t _ptr_net_addr; >+ uint32_t size_net_addr_1 = 0; >+ uint32_t length_net_addr_1 = 0; > TALLOC_CTX *_mem_save_net_addr_0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -12557,19 +12856,22 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->addr) { > _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); >- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); >+ size_addr_1 = ndr_get_array_size(ndr, &r->addr); >+ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); > } > if (r->net_addr) { >@@ -12577,11 +12879,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); >- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); >+ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); >+ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); >+ if (length_net_addr_1 > size_net_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); > } > if (r->domain) { >@@ -12589,11 +12893,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->addr) { >@@ -12663,6 +12969,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportCtr2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -12682,13 +12989,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr2(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -12770,13 +13078,21 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportInfo3(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo3 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_addr; >+ uint32_t size_addr_1 = 0; > TALLOC_CTX *_mem_save_addr_0; > uint32_t _ptr_net_addr; >+ uint32_t size_net_addr_1 = 0; >+ uint32_t length_net_addr_1 = 0; > TALLOC_CTX *_mem_save_net_addr_0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; >+ uint32_t size_unknown3_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->vcs)); >@@ -12807,7 +13123,8 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown2)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unknown3, 256)); >+ size_unknown3_0 = 256; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unknown3, size_unknown3_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -12816,19 +13133,22 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->addr) { > _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); >- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); >+ size_addr_1 = ndr_get_array_size(ndr, &r->addr); >+ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); > } > if (r->net_addr) { >@@ -12836,11 +13156,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); >- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); >+ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); >+ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); >+ if (length_net_addr_1 > size_net_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); > } > if (r->domain) { >@@ -12848,11 +13170,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->addr) { >@@ -12924,6 +13248,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportCtr3(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr3 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -12943,13 +13268,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr3(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo3(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo3(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -13054,9 +13380,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > TALLOC_CTX *_mem_save_ctr2_0; >+ uint32_t _ptr_ctr2; > TALLOC_CTX *_mem_save_ctr3_0; >+ uint32_t _ptr_ctr3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -13066,7 +13396,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -13076,7 +13405,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -13086,7 +13414,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > break; } > > case 2: { >- uint32_t _ptr_ctr2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); > if (_ptr_ctr2) { > NDR_PULL_ALLOC(ndr, r->ctr2); >@@ -13096,7 +13423,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > break; } > > case 3: { >- uint32_t _ptr_ctr3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr3)); > if (_ptr_ctr3) { > NDR_PULL_ALLOC(ndr, r->ctr3); >@@ -13487,6 +13813,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevEnum(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_ctr_0; >@@ -13506,11 +13834,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevEnum(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -13652,6 +13982,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevGetInfo(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_device_name_0 = 0; >+ uint32_t length_device_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -13668,20 +14002,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevGetInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.device_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.device_name)); >- if (ndr_get_array_length(ndr, &r->in.device_name) > ndr_get_array_size(ndr, &r->in.device_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.device_name), ndr_get_array_length(ndr, &r->in.device_name)); >+ size_device_name_0 = ndr_get_array_size(ndr, &r->in.device_name); >+ length_device_name_0 = ndr_get_array_length(ndr, &r->in.device_name); >+ if (length_device_name_0 > size_device_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_name_0, length_device_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, length_device_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); >@@ -13759,6 +14097,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevControl(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevControl(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevControl *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_device_name_0 = 0; >+ uint32_t length_device_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -13772,20 +14114,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevControl(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.device_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.device_name)); >- if (ndr_get_array_length(ndr, &r->in.device_name) > ndr_get_array_size(ndr, &r->in.device_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.device_name), ndr_get_array_length(ndr, &r->in.device_name)); >+ size_device_name_0 = ndr_get_array_size(ndr, &r->in.device_name); >+ length_device_name_0 = ndr_get_array_length(ndr, &r->in.device_name); >+ if (length_device_name_0 > size_device_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_name_0, length_device_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, length_device_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.opcode)); > } > if (flags & NDR_OUT) { >@@ -13871,7 +14217,11 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQEnum(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_user_0; >@@ -13892,11 +14242,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQEnum(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); >@@ -13910,11 +14262,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQEnum(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_1 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -14066,6 +14420,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQGetInfo(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_queue_name_0 = 0; >+ uint32_t length_queue_name_0 = 0; >+ uint32_t size_user_0 = 0; >+ uint32_t length_user_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -14082,27 +14442,33 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQGetInfo(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); >- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); >+ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); >+ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); >+ if (length_queue_name_0 > size_queue_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_0 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_0 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_0 > size_user_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_0, length_user_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); >@@ -14191,6 +14557,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQSetInfo(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQSetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQSetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_queue_name_0 = 0; >+ uint32_t length_queue_name_0 = 0; > uint32_t _ptr_parm_error; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_parm_error_0; >@@ -14208,20 +14578,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQSetInfo(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); >- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); >+ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); >+ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); >+ if (length_queue_name_0 > size_queue_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->in.info, r->in.level)); > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.info)); >@@ -14323,6 +14697,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQPurge(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurge(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQPurge *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_queue_name_0 = 0; >+ uint32_t length_queue_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -14336,20 +14714,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurge(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); >- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); >+ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); >+ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); >+ if (length_queue_name_0 > size_queue_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -14413,6 +14795,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQPurgeSelf(struct ndr_push *n > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurgeSelf(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQPurgeSelf *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_queue_name_0 = 0; >+ uint32_t length_queue_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -14426,27 +14814,33 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurgeSelf(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); >- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); >+ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); >+ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); >+ if (length_queue_name_0 > size_queue_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -14531,7 +14925,11 @@ static enum ndr_err_code ndr_push_srvsvc_NetConnEnum(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetConnEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetConnEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_path_0; >@@ -14552,11 +14950,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_path)); >@@ -14570,11 +14970,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_1 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -14747,8 +15149,14 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileEnum(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetFileEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetFileEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_path_0; >@@ -14770,11 +15178,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_path)); >@@ -14788,11 +15198,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_1 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); >@@ -14806,11 +15218,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_1 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -14961,6 +15375,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileGetInfo(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetFileGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetFileGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -14977,11 +15393,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileGetInfo(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.fid)); >@@ -15058,6 +15476,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileClose(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetFileClose(struct ndr_pull *ndr, int flags, struct srvsvc_NetFileClose *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -15071,11 +15491,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileClose(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.fid)); >@@ -15169,8 +15591,14 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessEnum(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetSessEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetSessEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_client_0; >@@ -15192,11 +15620,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client)); >@@ -15210,11 +15640,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client)); >- if (ndr_get_array_length(ndr, &r->in.client) > ndr_get_array_size(ndr, &r->in.client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client), ndr_get_array_length(ndr, &r->in.client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->in.client); >+ length_client_1 = ndr_get_array_length(ndr, &r->in.client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); >@@ -15228,11 +15660,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_1 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -15390,8 +15824,14 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessDel(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_srvsvc_NetSessDel(struct ndr_pull *ndr, int flags, struct srvsvc_NetSessDel *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_client_0; > TALLOC_CTX *_mem_save_user_0; >@@ -15407,11 +15847,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessDel(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client)); >@@ -15425,11 +15867,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessDel(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client)); >- if (ndr_get_array_length(ndr, &r->in.client) > ndr_get_array_size(ndr, &r->in.client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client), ndr_get_array_length(ndr, &r->in.client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->in.client); >+ length_client_1 = ndr_get_array_length(ndr, &r->in.client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); >@@ -15443,11 +15887,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessDel(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_1 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -15530,6 +15976,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareAdd(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetShareAdd(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareAdd *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_parm_error; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -15548,11 +15996,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareAdd(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -15681,6 +16131,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareEnumAll(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareEnumAll(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareEnumAll *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_ctr_0; >@@ -15700,11 +16152,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareEnumAll(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -15846,6 +16300,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareGetInfo(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_name_0 = 0; >+ uint32_t length_share_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -15862,20 +16320,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareGetInfo(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); >- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); >+ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); >+ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); >+ if (length_share_name_0 > size_share_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); >@@ -15966,6 +16428,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareSetInfo(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareSetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareSetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_name_0 = 0; >+ uint32_t length_share_name_0 = 0; > uint32_t _ptr_parm_error; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -15984,20 +16450,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareSetInfo(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); >- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); >+ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); >+ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); >+ if (length_share_name_0 > size_share_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.info); >@@ -16109,6 +16579,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareDel(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetShareDel(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareDel *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_name_0 = 0; >+ uint32_t length_share_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -16122,20 +16596,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareDel(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); >- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); >+ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); >+ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); >+ if (length_share_name_0 > size_share_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.reserved)); > } > if (flags & NDR_OUT) { >@@ -16198,6 +16676,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareDelSticky(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetShareDelSticky(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareDelSticky *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_name_0 = 0; >+ uint32_t length_share_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -16211,20 +16693,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareDelSticky(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); >- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); >+ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); >+ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); >+ if (length_share_name_0 > size_share_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.reserved)); > } > if (flags & NDR_OUT) { >@@ -16290,6 +16776,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCheck(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareCheck(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareCheck *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_device_name_0 = 0; >+ uint32_t length_device_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_type_0; > if (flags & NDR_IN) { >@@ -16306,20 +16796,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCheck(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.device_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.device_name)); >- if (ndr_get_array_length(ndr, &r->in.device_name) > ndr_get_array_size(ndr, &r->in.device_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.device_name), ndr_get_array_length(ndr, &r->in.device_name)); >+ size_device_name_0 = ndr_get_array_size(ndr, &r->in.device_name); >+ length_device_name_0 = ndr_get_array_length(ndr, &r->in.device_name); >+ if (length_device_name_0 > size_device_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_name_0, length_device_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, length_device_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.type); > ZERO_STRUCTP(r->out.type); > } >@@ -16394,6 +16888,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvGetInfo(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetSrvGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -16410,11 +16906,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvGetInfo(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -16502,6 +17000,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvSetInfo(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvSetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetSrvSetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_parm_error; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -16520,11 +17020,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvSetInfo(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -16654,6 +17156,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetDiskEnum(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetDiskEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetDiskEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -16673,11 +17177,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetDiskEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -16827,7 +17333,11 @@ static enum ndr_err_code ndr_push_srvsvc_NetServerStatisticsGet(struct ndr_push > static enum ndr_err_code ndr_pull_srvsvc_NetServerStatisticsGet(struct ndr_pull *ndr, int flags, struct srvsvc_NetServerStatisticsGet *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_service; >+ uint32_t size_service_1 = 0; >+ uint32_t length_service_1 = 0; > uint32_t _ptr_stats; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_service_0; >@@ -16847,11 +17357,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerStatisticsGet(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service)); >@@ -16865,11 +17377,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerStatisticsGet(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.service, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service)); >- if (ndr_get_array_length(ndr, &r->in.service) > ndr_get_array_size(ndr, &r->in.service)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service), ndr_get_array_length(ndr, &r->in.service)); >+ size_service_1 = ndr_get_array_size(ndr, &r->in.service); >+ length_service_1 = ndr_get_array_length(ndr, &r->in.service); >+ if (length_service_1 > size_service_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_1, length_service_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service, ndr_get_array_length(ndr, &r->in.service), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service, length_service_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -16968,6 +17482,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportAdd(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetTransportAdd(struct ndr_pull *ndr, int flags, struct srvsvc_NetTransportAdd *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -16981,11 +17497,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportAdd(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -17069,6 +17587,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportEnum(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetTransportEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_transports_0; >@@ -17088,11 +17608,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportEnum(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -17229,6 +17751,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportDel(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetTransportDel(struct ndr_pull *ndr, int flags, struct srvsvc_NetTransportDel *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info0_0; > if (flags & NDR_IN) { >@@ -17243,11 +17767,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportDel(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -17324,6 +17850,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetRemoteTOD(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetRemoteTOD(struct ndr_pull *ndr, int flags, struct srvsvc_NetRemoteTOD *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -17342,11 +17870,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetRemoteTOD(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.info); >@@ -17441,7 +17971,11 @@ static enum ndr_err_code ndr_push_srvsvc_NetSetServiceBits(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetSetServiceBits(struct ndr_pull *ndr, int flags, struct srvsvc_NetSetServiceBits *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_transport; >+ uint32_t size_transport_1 = 0; >+ uint32_t length_transport_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_transport_0; > if (flags & NDR_IN) { >@@ -17456,11 +17990,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSetServiceBits(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_transport)); >@@ -17474,11 +18010,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSetServiceBits(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.transport, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.transport)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.transport)); >- if (ndr_get_array_length(ndr, &r->in.transport) > ndr_get_array_size(ndr, &r->in.transport)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.transport), ndr_get_array_length(ndr, &r->in.transport)); >+ size_transport_1 = ndr_get_array_size(ndr, &r->in.transport); >+ length_transport_1 = ndr_get_array_length(ndr, &r->in.transport); >+ if (length_transport_1 > size_transport_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_1, length_transport_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, length_transport_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.servicebits)); >@@ -17554,6 +18092,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetPathType(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetPathType(struct ndr_pull *ndr, int flags, struct srvsvc_NetPathType *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_path_0 = 0; >+ uint32_t length_path_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_pathtype_0; > if (flags & NDR_IN) { >@@ -17570,20 +18112,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPathType(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_0 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_0 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_0 > size_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_0, length_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.pathflags)); > NDR_PULL_ALLOC(ndr, r->out.pathtype); > ZERO_STRUCTP(r->out.pathtype); >@@ -17674,6 +18220,13 @@ static enum ndr_err_code ndr_push_srvsvc_NetPathCanonicalize(struct ndr_push *nd > static enum ndr_err_code ndr_pull_srvsvc_NetPathCanonicalize(struct ndr_pull *ndr, int flags, struct srvsvc_NetPathCanonicalize *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_path_0 = 0; >+ uint32_t length_path_0 = 0; >+ uint32_t size_can_path_0 = 0; >+ uint32_t size_prefix_0 = 0; >+ uint32_t length_prefix_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_pathtype_0; > if (flags & NDR_IN) { >@@ -17690,28 +18243,34 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPathCanonicalize(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_0 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_0 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_0 > size_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_0, length_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.maxbuf)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.prefix)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.prefix)); >- if (ndr_get_array_length(ndr, &r->in.prefix) > ndr_get_array_size(ndr, &r->in.prefix)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.prefix), ndr_get_array_length(ndr, &r->in.prefix)); >+ size_prefix_0 = ndr_get_array_size(ndr, &r->in.prefix); >+ length_prefix_0 = ndr_get_array_length(ndr, &r->in.prefix); >+ if (length_prefix_0 > size_prefix_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_prefix_0, length_prefix_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.prefix), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.prefix, ndr_get_array_length(ndr, &r->in.prefix), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_prefix_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.prefix, length_prefix_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.pathtype); > } >@@ -17725,8 +18284,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPathCanonicalize(struct ndr_pull *nd > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.can_path)); >- NDR_PULL_ALLOC_N(ndr, r->out.can_path, ndr_get_array_size(ndr, &r->out.can_path)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.can_path, ndr_get_array_size(ndr, &r->out.can_path))); >+ size_can_path_0 = ndr_get_array_size(ndr, &r->out.can_path); >+ NDR_PULL_ALLOC_N(ndr, r->out.can_path, size_can_path_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.can_path, size_can_path_0)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.pathtype); > } >@@ -17812,6 +18372,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetPathCompare(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetPathCompare(struct ndr_pull *ndr, int flags, struct srvsvc_NetPathCompare *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_path1_0 = 0; >+ uint32_t length_path1_0 = 0; >+ uint32_t size_path2_0 = 0; >+ uint32_t length_path2_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -17825,27 +18391,33 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPathCompare(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path1)); >- if (ndr_get_array_length(ndr, &r->in.path1) > ndr_get_array_size(ndr, &r->in.path1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path1), ndr_get_array_length(ndr, &r->in.path1)); >+ size_path1_0 = ndr_get_array_size(ndr, &r->in.path1); >+ length_path1_0 = ndr_get_array_length(ndr, &r->in.path1); >+ if (length_path1_0 > size_path1_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path1_0, length_path1_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path1, ndr_get_array_length(ndr, &r->in.path1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path1_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path1, length_path1_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path2)); >- if (ndr_get_array_length(ndr, &r->in.path2) > ndr_get_array_size(ndr, &r->in.path2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path2), ndr_get_array_length(ndr, &r->in.path2)); >+ size_path2_0 = ndr_get_array_size(ndr, &r->in.path2); >+ length_path2_0 = ndr_get_array_length(ndr, &r->in.path2); >+ if (length_path2_0 > size_path2_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path2_0, length_path2_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path2, ndr_get_array_length(ndr, &r->in.path2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path2_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path2, length_path2_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.pathtype)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.pathflags)); > } >@@ -17912,6 +18484,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetNameValidate(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetNameValidate(struct ndr_pull *ndr, int flags, struct srvsvc_NetNameValidate *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_name_0 = 0; >+ uint32_t length_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -17925,20 +18501,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetNameValidate(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name)); >- if (ndr_get_array_length(ndr, &r->in.name) > ndr_get_array_size(ndr, &r->in.name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name), ndr_get_array_length(ndr, &r->in.name)); >+ size_name_0 = ndr_get_array_size(ndr, &r->in.name); >+ length_name_0 = ndr_get_array_length(ndr, &r->in.name); >+ if (length_name_0 > size_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_0, length_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, length_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_type)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } >@@ -18049,6 +18629,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetPRNameCompare(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetPRNameCompare(struct ndr_pull *ndr, int flags, struct srvsvc_NetPRNameCompare *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_name1_0 = 0; >+ uint32_t length_name1_0 = 0; >+ uint32_t size_name2_0 = 0; >+ uint32_t length_name2_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -18062,27 +18648,33 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPRNameCompare(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name1)); >- if (ndr_get_array_length(ndr, &r->in.name1) > ndr_get_array_size(ndr, &r->in.name1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name1), ndr_get_array_length(ndr, &r->in.name1)); >+ size_name1_0 = ndr_get_array_size(ndr, &r->in.name1); >+ length_name1_0 = ndr_get_array_length(ndr, &r->in.name1); >+ if (length_name1_0 > size_name1_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name1_0, length_name1_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name1, ndr_get_array_length(ndr, &r->in.name1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name1_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name1, length_name1_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name2)); >- if (ndr_get_array_length(ndr, &r->in.name2) > ndr_get_array_size(ndr, &r->in.name2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name2), ndr_get_array_length(ndr, &r->in.name2)); >+ size_name2_0 = ndr_get_array_size(ndr, &r->in.name2); >+ length_name2_0 = ndr_get_array_length(ndr, &r->in.name2); >+ if (length_name2_0 > size_name2_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name2_0, length_name2_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name2, ndr_get_array_length(ndr, &r->in.name2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name2_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name2, length_name2_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_type)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } >@@ -18164,6 +18756,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareEnum(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_ctr_0; >@@ -18183,11 +18777,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareEnum(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -18328,6 +18924,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareDelStart(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetShareDelStart(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareDelStart *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_0 = 0; >+ uint32_t length_share_0 = 0; > uint32_t _ptr_hnd; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_hnd_0; >@@ -18345,20 +18945,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareDelStart(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); >- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); >+ size_share_0 = ndr_get_array_size(ndr, &r->in.share); >+ length_share_0 = ndr_get_array_length(ndr, &r->in.share); >+ if (length_share_0 > size_share_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_0, length_share_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.reserved)); > } > if (flags & NDR_OUT) { >@@ -18542,7 +19146,13 @@ static enum ndr_err_code ndr_push_srvsvc_NetGetFileSecurity(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_srvsvc_NetGetFileSecurity(struct ndr_pull *ndr, int flags, struct srvsvc_NetGetFileSecurity *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; >+ uint32_t size_file_0 = 0; >+ uint32_t length_file_0 = 0; > uint32_t _ptr_sd_buf; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_share_0; >@@ -18562,11 +19172,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetGetFileSecurity(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); >@@ -18580,20 +19192,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetGetFileSecurity(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); >- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->in.share); >+ length_share_1 = ndr_get_array_length(ndr, &r->in.share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.file)); >- if (ndr_get_array_length(ndr, &r->in.file) > ndr_get_array_size(ndr, &r->in.file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.file), ndr_get_array_length(ndr, &r->in.file)); >+ size_file_0 = ndr_get_array_size(ndr, &r->in.file); >+ length_file_0 = ndr_get_array_length(ndr, &r->in.file); >+ if (length_file_0 > size_file_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_file_0, length_file_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_file_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, length_file_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_security_secinfo(ndr, NDR_SCALARS, &r->in.securityinformation)); > NDR_PULL_ALLOC(ndr, r->out.sd_buf); > ZERO_STRUCTP(r->out.sd_buf); >@@ -18702,7 +19318,13 @@ static enum ndr_err_code ndr_push_srvsvc_NetSetFileSecurity(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_srvsvc_NetSetFileSecurity(struct ndr_pull *ndr, int flags, struct srvsvc_NetSetFileSecurity *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; >+ uint32_t size_file_0 = 0; >+ uint32_t length_file_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_share_0; > TALLOC_CTX *_mem_save_sd_buf_0; >@@ -18718,11 +19340,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSetFileSecurity(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); >@@ -18736,20 +19360,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSetFileSecurity(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); >- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->in.share); >+ length_share_1 = ndr_get_array_length(ndr, &r->in.share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.file)); >- if (ndr_get_array_length(ndr, &r->in.file) > ndr_get_array_size(ndr, &r->in.file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.file), ndr_get_array_length(ndr, &r->in.file)); >+ size_file_0 = ndr_get_array_size(ndr, &r->in.file); >+ length_file_0 = ndr_get_array_length(ndr, &r->in.file); >+ if (length_file_0 > size_file_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_file_0, length_file_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_file_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, length_file_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_security_secinfo(ndr, NDR_SCALARS, &r->in.securityinformation)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.sd_buf); >@@ -18827,6 +19455,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetServerTransportAddEx(struct ndr_push > static enum ndr_err_code ndr_pull_srvsvc_NetServerTransportAddEx(struct ndr_pull *ndr, int flags, struct srvsvc_NetServerTransportAddEx *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -18840,11 +19470,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerTransportAddEx(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -18924,8 +19556,14 @@ static enum ndr_err_code ndr_push_srvsvc_NetServerSetServiceBitsEx(struct ndr_pu > static enum ndr_err_code ndr_pull_srvsvc_NetServerSetServiceBitsEx(struct ndr_pull *ndr, int flags, struct srvsvc_NetServerSetServiceBitsEx *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_emulated_server_unc; >+ uint32_t size_emulated_server_unc_1 = 0; >+ uint32_t length_emulated_server_unc_1 = 0; > uint32_t _ptr_transport; >+ uint32_t size_transport_1 = 0; >+ uint32_t length_transport_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_emulated_server_unc_0; > TALLOC_CTX *_mem_save_transport_0; >@@ -18941,11 +19579,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerSetServiceBitsEx(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_emulated_server_unc)); >@@ -18959,11 +19599,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerSetServiceBitsEx(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.emulated_server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.emulated_server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.emulated_server_unc)); >- if (ndr_get_array_length(ndr, &r->in.emulated_server_unc) > ndr_get_array_size(ndr, &r->in.emulated_server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.emulated_server_unc), ndr_get_array_length(ndr, &r->in.emulated_server_unc)); >+ size_emulated_server_unc_1 = ndr_get_array_size(ndr, &r->in.emulated_server_unc); >+ length_emulated_server_unc_1 = ndr_get_array_length(ndr, &r->in.emulated_server_unc); >+ if (length_emulated_server_unc_1 > size_emulated_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_emulated_server_unc_1, length_emulated_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.emulated_server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.emulated_server_unc, ndr_get_array_length(ndr, &r->in.emulated_server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_emulated_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.emulated_server_unc, length_emulated_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_emulated_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_transport)); >@@ -18977,11 +19619,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerSetServiceBitsEx(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.transport, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.transport)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.transport)); >- if (ndr_get_array_length(ndr, &r->in.transport) > ndr_get_array_size(ndr, &r->in.transport)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.transport), ndr_get_array_length(ndr, &r->in.transport)); >+ size_transport_1 = ndr_get_array_size(ndr, &r->in.transport); >+ length_transport_1 = ndr_get_array_length(ndr, &r->in.transport); >+ if (length_transport_1 > size_transport_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_1, length_transport_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, length_transport_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.servicebitsofinterest)); >diff --git a/librpc/gen_ndr/ndr_svcctl.c b/librpc/gen_ndr/ndr_svcctl.c >index e67d793..bc9e357 100644 >--- a/librpc/gen_ndr/ndr_svcctl.c >+++ b/librpc/gen_ndr/ndr_svcctl.c >@@ -28,6 +28,8 @@ static enum ndr_err_code ndr_push_SERVICE_LOCK_STATUS(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_SERVICE_LOCK_STATUS(struct ndr_pull *ndr, int ndr_flags, struct SERVICE_LOCK_STATUS *r) > { > uint32_t _ptr_lock_owner; >+ uint32_t size_lock_owner_1 = 0; >+ uint32_t length_lock_owner_1 = 0; > TALLOC_CTX *_mem_save_lock_owner_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -47,11 +49,13 @@ static enum ndr_err_code ndr_pull_SERVICE_LOCK_STATUS(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->lock_owner, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->lock_owner)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->lock_owner)); >- if (ndr_get_array_length(ndr, &r->lock_owner) > ndr_get_array_size(ndr, &r->lock_owner)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->lock_owner), ndr_get_array_length(ndr, &r->lock_owner)); >+ size_lock_owner_1 = ndr_get_array_size(ndr, &r->lock_owner); >+ length_lock_owner_1 = ndr_get_array_length(ndr, &r->lock_owner); >+ if (length_lock_owner_1 > size_lock_owner_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_lock_owner_1, length_lock_owner_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->lock_owner), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lock_owner, ndr_get_array_length(ndr, &r->lock_owner), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_lock_owner_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lock_owner, length_lock_owner_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_lock_owner_0, 0); > } > } >@@ -765,14 +769,24 @@ _PUBLIC_ enum ndr_err_code ndr_push_QUERY_SERVICE_CONFIG(struct ndr_push *ndr, i > _PUBLIC_ enum ndr_err_code ndr_pull_QUERY_SERVICE_CONFIG(struct ndr_pull *ndr, int ndr_flags, struct QUERY_SERVICE_CONFIG *r) > { > uint32_t _ptr_executablepath; >+ uint32_t size_executablepath_1 = 0; >+ uint32_t length_executablepath_1 = 0; > TALLOC_CTX *_mem_save_executablepath_0; > uint32_t _ptr_loadordergroup; >+ uint32_t size_loadordergroup_1 = 0; >+ uint32_t length_loadordergroup_1 = 0; > TALLOC_CTX *_mem_save_loadordergroup_0; > uint32_t _ptr_dependencies; >+ uint32_t size_dependencies_1 = 0; >+ uint32_t length_dependencies_1 = 0; > TALLOC_CTX *_mem_save_dependencies_0; > uint32_t _ptr_startname; >+ uint32_t size_startname_1 = 0; >+ uint32_t length_startname_1 = 0; > TALLOC_CTX *_mem_save_startname_0; > uint32_t _ptr_displayname; >+ uint32_t size_displayname_1 = 0; >+ uint32_t length_displayname_1 = 0; > TALLOC_CTX *_mem_save_displayname_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -818,11 +832,19 @@ _PUBLIC_ enum ndr_err_code ndr_pull_QUERY_SERVICE_CONFIG(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->executablepath, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->executablepath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->executablepath)); >- if (ndr_get_array_length(ndr, &r->executablepath) > ndr_get_array_size(ndr, &r->executablepath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->executablepath), ndr_get_array_length(ndr, &r->executablepath)); >+ size_executablepath_1 = ndr_get_array_size(ndr, &r->executablepath); >+ if (size_executablepath_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ length_executablepath_1 = ndr_get_array_length(ndr, &r->executablepath); >+ if (length_executablepath_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ if (length_executablepath_1 > size_executablepath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_executablepath_1, length_executablepath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->executablepath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->executablepath, ndr_get_array_length(ndr, &r->executablepath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_executablepath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->executablepath, length_executablepath_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_executablepath_0, 0); > } > if (r->loadordergroup) { >@@ -830,11 +852,19 @@ _PUBLIC_ enum ndr_err_code ndr_pull_QUERY_SERVICE_CONFIG(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->loadordergroup, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->loadordergroup)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->loadordergroup)); >- if (ndr_get_array_length(ndr, &r->loadordergroup) > ndr_get_array_size(ndr, &r->loadordergroup)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->loadordergroup), ndr_get_array_length(ndr, &r->loadordergroup)); >+ size_loadordergroup_1 = ndr_get_array_size(ndr, &r->loadordergroup); >+ if (size_loadordergroup_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ length_loadordergroup_1 = ndr_get_array_length(ndr, &r->loadordergroup); >+ if (length_loadordergroup_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ if (length_loadordergroup_1 > size_loadordergroup_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_loadordergroup_1, length_loadordergroup_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->loadordergroup), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->loadordergroup, ndr_get_array_length(ndr, &r->loadordergroup), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_loadordergroup_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->loadordergroup, length_loadordergroup_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_loadordergroup_0, 0); > } > if (r->dependencies) { >@@ -842,11 +872,19 @@ _PUBLIC_ enum ndr_err_code ndr_pull_QUERY_SERVICE_CONFIG(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->dependencies, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dependencies)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dependencies)); >- if (ndr_get_array_length(ndr, &r->dependencies) > ndr_get_array_size(ndr, &r->dependencies)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dependencies), ndr_get_array_length(ndr, &r->dependencies)); >+ size_dependencies_1 = ndr_get_array_size(ndr, &r->dependencies); >+ if (size_dependencies_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ length_dependencies_1 = ndr_get_array_length(ndr, &r->dependencies); >+ if (length_dependencies_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ if (length_dependencies_1 > size_dependencies_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dependencies), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dependencies, ndr_get_array_length(ndr, &r->dependencies), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); > } > if (r->startname) { >@@ -854,11 +892,19 @@ _PUBLIC_ enum ndr_err_code ndr_pull_QUERY_SERVICE_CONFIG(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->startname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->startname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->startname)); >- if (ndr_get_array_length(ndr, &r->startname) > ndr_get_array_size(ndr, &r->startname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->startname), ndr_get_array_length(ndr, &r->startname)); >+ size_startname_1 = ndr_get_array_size(ndr, &r->startname); >+ if (size_startname_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ length_startname_1 = ndr_get_array_length(ndr, &r->startname); >+ if (length_startname_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->startname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->startname, ndr_get_array_length(ndr, &r->startname), sizeof(uint16_t), CH_UTF16)); >+ if (length_startname_1 > size_startname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_startname_1, length_startname_1); >+ } >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_startname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->startname, length_startname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_startname_0, 0); > } > if (r->displayname) { >@@ -866,11 +912,19 @@ _PUBLIC_ enum ndr_err_code ndr_pull_QUERY_SERVICE_CONFIG(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->displayname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->displayname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->displayname)); >- if (ndr_get_array_length(ndr, &r->displayname) > ndr_get_array_size(ndr, &r->displayname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->displayname), ndr_get_array_length(ndr, &r->displayname)); >+ size_displayname_1 = ndr_get_array_size(ndr, &r->displayname); >+ if (size_displayname_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ length_displayname_1 = ndr_get_array_length(ndr, &r->displayname); >+ if (length_displayname_1 > 8192) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->displayname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->displayname, ndr_get_array_length(ndr, &r->displayname), sizeof(uint16_t), CH_UTF16)); >+ if (length_displayname_1 > size_displayname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_displayname_1, length_displayname_1); >+ } >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_displayname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->displayname, length_displayname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_displayname_0, 0); > } > } >@@ -944,6 +998,8 @@ static enum ndr_err_code ndr_push_svcctl_ArgumentString(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_svcctl_ArgumentString(struct ndr_pull *ndr, int ndr_flags, struct svcctl_ArgumentString *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -961,11 +1017,19 @@ static enum ndr_err_code ndr_pull_svcctl_ArgumentString(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ if (size_string_1 > SC_MAX_ARGUMENT_LENGTH) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > SC_MAX_ARGUMENT_LENGTH) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_string_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > } >@@ -1219,6 +1283,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_SERVICE_FAILURE_ACTIONS(struct ndr_pull *ndr > uint32_t _ptr_command; > TALLOC_CTX *_mem_save_command_0; > uint32_t _ptr_actions; >+ uint32_t size_actions_1 = 0; > uint32_t cntr_actions_1; > TALLOC_CTX *_mem_save_actions_0; > TALLOC_CTX *_mem_save_actions_1; >@@ -1300,10 +1365,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_SERVICE_FAILURE_ACTIONS(struct ndr_pull *ndr > _mem_save_actions_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->actions, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->actions)); >- NDR_PULL_ALLOC_N(ndr, r->actions, ndr_get_array_size(ndr, &r->actions)); >+ size_actions_1 = ndr_get_array_size(ndr, &r->actions); >+ NDR_PULL_ALLOC_N(ndr, r->actions, size_actions_1); > _mem_save_actions_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->actions, 0); >- for (cntr_actions_1 = 0; cntr_actions_1 < r->num_actions; cntr_actions_1++) { >+ for (cntr_actions_1 = 0; cntr_actions_1 < size_actions_1; cntr_actions_1++) { > NDR_CHECK(ndr_pull_SC_ACTION(ndr, NDR_SCALARS, &r->actions[cntr_actions_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_actions_1, 0); >@@ -1700,6 +1766,7 @@ static enum ndr_err_code ndr_push_svcctl_QueryServiceObjectSecurity(struct ndr_p > > static enum ndr_err_code ndr_pull_svcctl_QueryServiceObjectSecurity(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceObjectSecurity *r) > { >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; > if (flags & NDR_IN) { >@@ -1724,10 +1791,11 @@ static enum ndr_err_code ndr_pull_svcctl_QueryServiceObjectSecurity(struct ndr_p > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -1804,6 +1872,7 @@ static enum ndr_err_code ndr_push_svcctl_SetServiceObjectSecurity(struct ndr_pus > > static enum ndr_err_code ndr_pull_svcctl_SetServiceObjectSecurity(struct ndr_pull *ndr, int flags, struct svcctl_SetServiceObjectSecurity *r) > { >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -1815,10 +1884,11 @@ static enum ndr_err_code ndr_pull_svcctl_SetServiceObjectSecurity(struct ndr_pul > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_security_secinfo(ndr, NDR_SCALARS, &r->in.security_flags)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, size_buffer_1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); > if (r->in.buffer) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.buffer, r->in.offered)); >@@ -2228,11 +2298,23 @@ static enum ndr_err_code ndr_push_svcctl_ChangeServiceConfigW(struct ndr_push *n > static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *ndr, int flags, struct svcctl_ChangeServiceConfigW *r) > { > uint32_t _ptr_binary_path; >+ uint32_t size_binary_path_1 = 0; >+ uint32_t length_binary_path_1 = 0; > uint32_t _ptr_load_order_group; >+ uint32_t size_load_order_group_1 = 0; >+ uint32_t length_load_order_group_1 = 0; > uint32_t _ptr_dependencies; >+ uint32_t size_dependencies_1 = 0; >+ uint32_t length_dependencies_1 = 0; > uint32_t _ptr_service_start_name; >+ uint32_t size_service_start_name_1 = 0; >+ uint32_t length_service_start_name_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > uint32_t _ptr_display_name; >+ uint32_t size_display_name_1 = 0; >+ uint32_t length_display_name_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_binary_path_0; > TALLOC_CTX *_mem_save_load_order_group_0; >@@ -2265,11 +2347,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.binary_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); >- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); >+ size_binary_path_1 = ndr_get_array_size(ndr, &r->in.binary_path); >+ length_binary_path_1 = ndr_get_array_length(ndr, &r->in.binary_path); >+ if (length_binary_path_1 > size_binary_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_1, length_binary_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_path_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_load_order_group)); >@@ -2283,11 +2367,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.load_order_group, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.load_order_group)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.load_order_group)); >- if (ndr_get_array_length(ndr, &r->in.load_order_group) > ndr_get_array_size(ndr, &r->in.load_order_group)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.load_order_group), ndr_get_array_length(ndr, &r->in.load_order_group)); >+ size_load_order_group_1 = ndr_get_array_size(ndr, &r->in.load_order_group); >+ length_load_order_group_1 = ndr_get_array_length(ndr, &r->in.load_order_group); >+ if (length_load_order_group_1 > size_load_order_group_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_load_order_group_1, length_load_order_group_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_load_order_group_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, length_load_order_group_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_load_order_group_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dependencies)); >@@ -2301,11 +2387,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dependencies)); >- if (ndr_get_array_length(ndr, &r->in.dependencies) > ndr_get_array_size(ndr, &r->in.dependencies)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dependencies), ndr_get_array_length(ndr, &r->in.dependencies)); >+ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); >+ length_dependencies_1 = ndr_get_array_length(ndr, &r->in.dependencies); >+ if (length_dependencies_1 > size_dependencies_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service_start_name)); >@@ -2319,11 +2407,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); >- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); >+ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); >+ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); >+ if (length_service_start_name_1 > size_service_start_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -2337,11 +2427,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); >- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ length_password_1 = ndr_get_array_length(ndr, &r->in.password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name)); >@@ -2355,11 +2447,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.display_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.display_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.display_name)); >- if (ndr_get_array_length(ndr, &r->in.display_name) > ndr_get_array_size(ndr, &r->in.display_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.display_name), ndr_get_array_length(ndr, &r->in.display_name)); >+ size_display_name_1 = ndr_get_array_size(ndr, &r->in.display_name); >+ length_display_name_1 = ndr_get_array_length(ndr, &r->in.display_name); >+ if (length_display_name_1 > size_display_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_1, length_display_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, length_display_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.tag_id); >@@ -2519,12 +2613,24 @@ static enum ndr_err_code ndr_push_svcctl_CreateServiceW(struct ndr_push *ndr, in > > static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, int flags, struct svcctl_CreateServiceW *r) > { >+ uint32_t size_ServiceName_0 = 0; >+ uint32_t length_ServiceName_0 = 0; > uint32_t _ptr_DisplayName; >+ uint32_t size_DisplayName_1 = 0; >+ uint32_t length_DisplayName_1 = 0; >+ uint32_t size_binary_path_0 = 0; >+ uint32_t length_binary_path_0 = 0; > uint32_t _ptr_LoadOrderGroupKey; >+ uint32_t size_LoadOrderGroupKey_1 = 0; >+ uint32_t length_LoadOrderGroupKey_1 = 0; > uint32_t _ptr_TagId; > uint32_t _ptr_dependencies; >+ uint32_t size_dependencies_1 = 0; > uint32_t _ptr_service_start_name; >+ uint32_t size_service_start_name_1 = 0; >+ uint32_t length_service_start_name_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; > TALLOC_CTX *_mem_save_scmanager_handle_0; > TALLOC_CTX *_mem_save_DisplayName_0; > TALLOC_CTX *_mem_save_LoadOrderGroupKey_0; >@@ -2545,11 +2651,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_scmanager_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); >- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); >+ size_ServiceName_0 = ndr_get_array_size(ndr, &r->in.ServiceName); >+ length_ServiceName_0 = ndr_get_array_length(ndr, &r->in.ServiceName); >+ if (length_ServiceName_0 > size_ServiceName_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_0, length_ServiceName_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DisplayName)); > if (_ptr_DisplayName) { > NDR_PULL_ALLOC(ndr, r->in.DisplayName); >@@ -2561,11 +2669,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.DisplayName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DisplayName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DisplayName)); >- if (ndr_get_array_length(ndr, &r->in.DisplayName) > ndr_get_array_size(ndr, &r->in.DisplayName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DisplayName), ndr_get_array_length(ndr, &r->in.DisplayName)); >+ size_DisplayName_1 = ndr_get_array_size(ndr, &r->in.DisplayName); >+ length_DisplayName_1 = ndr_get_array_length(ndr, &r->in.DisplayName); >+ if (length_DisplayName_1 > size_DisplayName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DisplayName_1, length_DisplayName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_DisplayName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, length_DisplayName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DisplayName_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.desired_access)); >@@ -2574,11 +2684,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_svcctl_ErrorControl(ndr, NDR_SCALARS, &r->in.error_control)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); >- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); >+ size_binary_path_0 = ndr_get_array_size(ndr, &r->in.binary_path); >+ length_binary_path_0 = ndr_get_array_length(ndr, &r->in.binary_path); >+ if (length_binary_path_0 > size_binary_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_0, length_binary_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_LoadOrderGroupKey)); > if (_ptr_LoadOrderGroupKey) { > NDR_PULL_ALLOC(ndr, r->in.LoadOrderGroupKey); >@@ -2590,11 +2702,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.LoadOrderGroupKey, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.LoadOrderGroupKey)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.LoadOrderGroupKey)); >- if (ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey) > ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey), ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey)); >+ size_LoadOrderGroupKey_1 = ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey); >+ length_LoadOrderGroupKey_1 = ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey); >+ if (length_LoadOrderGroupKey_1 > size_LoadOrderGroupKey_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_LoadOrderGroupKey_1, length_LoadOrderGroupKey_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_LoadOrderGroupKey_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, length_LoadOrderGroupKey_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_LoadOrderGroupKey_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_TagId)); >@@ -2619,8 +2733,9 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > _mem_save_dependencies_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); >- NDR_PULL_ALLOC_N(ndr, r->in.dependencies, ndr_get_array_size(ndr, &r->in.dependencies)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.dependencies, ndr_get_array_size(ndr, &r->in.dependencies))); >+ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); >+ NDR_PULL_ALLOC_N(ndr, r->in.dependencies, size_dependencies_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.dependencies, size_dependencies_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.dependencies_size)); >@@ -2635,11 +2750,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); >- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); >+ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); >+ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); >+ if (length_service_start_name_1 > size_service_start_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -2652,8 +2769,9 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > _mem_save_password_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); >- NDR_PULL_ALLOC_N(ndr, r->in.password, ndr_get_array_size(ndr, &r->in.password)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.password, ndr_get_array_size(ndr, &r->in.password))); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ NDR_PULL_ALLOC_N(ndr, r->in.password, size_password_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.password, size_password_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.password_size)); >@@ -2801,6 +2919,7 @@ static enum ndr_err_code ndr_push_svcctl_EnumDependentServicesW(struct ndr_push > > static enum ndr_err_code ndr_pull_svcctl_EnumDependentServicesW(struct ndr_pull *ndr, int flags, struct svcctl_EnumDependentServicesW *r) > { >+ uint32_t size_service_status_1 = 0; > TALLOC_CTX *_mem_save_service_0; > TALLOC_CTX *_mem_save_needed_0; > TALLOC_CTX *_mem_save_services_returned_0; >@@ -2828,10 +2947,11 @@ static enum ndr_err_code ndr_pull_svcctl_EnumDependentServicesW(struct ndr_pull > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.service_status)); >+ size_service_status_1 = ndr_get_array_size(ndr, &r->out.service_status); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.service_status, ndr_get_array_size(ndr, &r->out.service_status)); >+ NDR_PULL_ALLOC_N(ndr, r->out.service_status, size_service_status_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service_status, ndr_get_array_size(ndr, &r->out.service_status))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service_status, size_service_status_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -2939,6 +3059,7 @@ static enum ndr_err_code ndr_push_svcctl_EnumServicesStatusW(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *ndr, int flags, struct svcctl_EnumServicesStatusW *r) > { >+ uint32_t size_service_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; >@@ -2981,10 +3102,11 @@ static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *nd > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.service)); >+ size_service_1 = ndr_get_array_size(ndr, &r->out.service); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.service, ndr_get_array_size(ndr, &r->out.service)); >+ NDR_PULL_ALLOC_N(ndr, r->out.service, size_service_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, ndr_get_array_size(ndr, &r->out.service))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, size_service_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -3109,7 +3231,11 @@ static enum ndr_err_code ndr_push_svcctl_OpenSCManagerW(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerW(struct ndr_pull *ndr, int flags, struct svcctl_OpenSCManagerW *r) > { > uint32_t _ptr_MachineName; >+ uint32_t size_MachineName_1 = 0; >+ uint32_t length_MachineName_1 = 0; > uint32_t _ptr_DatabaseName; >+ uint32_t size_DatabaseName_1 = 0; >+ uint32_t length_DatabaseName_1 = 0; > TALLOC_CTX *_mem_save_MachineName_0; > TALLOC_CTX *_mem_save_DatabaseName_0; > TALLOC_CTX *_mem_save_handle_0; >@@ -3127,11 +3253,13 @@ static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.MachineName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.MachineName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.MachineName)); >- if (ndr_get_array_length(ndr, &r->in.MachineName) > ndr_get_array_size(ndr, &r->in.MachineName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.MachineName), ndr_get_array_length(ndr, &r->in.MachineName)); >+ size_MachineName_1 = ndr_get_array_size(ndr, &r->in.MachineName); >+ length_MachineName_1 = ndr_get_array_length(ndr, &r->in.MachineName); >+ if (length_MachineName_1 > size_MachineName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_MachineName_1, length_MachineName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_MachineName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, length_MachineName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_MachineName_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DatabaseName)); >@@ -3145,11 +3273,13 @@ static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.DatabaseName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DatabaseName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DatabaseName)); >- if (ndr_get_array_length(ndr, &r->in.DatabaseName) > ndr_get_array_size(ndr, &r->in.DatabaseName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DatabaseName), ndr_get_array_length(ndr, &r->in.DatabaseName)); >+ size_DatabaseName_1 = ndr_get_array_size(ndr, &r->in.DatabaseName); >+ length_DatabaseName_1 = ndr_get_array_length(ndr, &r->in.DatabaseName); >+ if (length_DatabaseName_1 > size_DatabaseName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DatabaseName_1, length_DatabaseName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_DatabaseName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, length_DatabaseName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DatabaseName_0, 0); > } > NDR_CHECK(ndr_pull_svcctl_MgrAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); >@@ -3232,6 +3362,8 @@ static enum ndr_err_code ndr_push_svcctl_OpenServiceW(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_svcctl_OpenServiceW(struct ndr_pull *ndr, int flags, struct svcctl_OpenServiceW *r) > { >+ uint32_t size_ServiceName_0 = 0; >+ uint32_t length_ServiceName_0 = 0; > TALLOC_CTX *_mem_save_scmanager_handle_0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { >@@ -3246,11 +3378,13 @@ static enum ndr_err_code ndr_pull_svcctl_OpenServiceW(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_scmanager_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); >- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); >+ size_ServiceName_0 = ndr_get_array_size(ndr, &r->in.ServiceName); >+ length_ServiceName_0 = ndr_get_array_length(ndr, &r->in.ServiceName); >+ if (length_ServiceName_0 > size_ServiceName_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_0, length_ServiceName_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_svcctl_ServiceAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); > NDR_PULL_ALLOC(ndr, r->out.handle); > ZERO_STRUCTP(r->out.handle); >@@ -3530,6 +3664,7 @@ static enum ndr_err_code ndr_push_svcctl_StartServiceW(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_svcctl_StartServiceW(struct ndr_pull *ndr, int flags, struct svcctl_StartServiceW *r) > { > uint32_t _ptr_Arguments; >+ uint32_t size_Arguments_1 = 0; > uint32_t cntr_Arguments_1; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_Arguments_0; >@@ -3556,13 +3691,14 @@ static enum ndr_err_code ndr_pull_svcctl_StartServiceW(struct ndr_pull *ndr, int > _mem_save_Arguments_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.Arguments, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Arguments)); >- NDR_PULL_ALLOC_N(ndr, r->in.Arguments, ndr_get_array_size(ndr, &r->in.Arguments)); >+ size_Arguments_1 = ndr_get_array_size(ndr, &r->in.Arguments); >+ NDR_PULL_ALLOC_N(ndr, r->in.Arguments, size_Arguments_1); > _mem_save_Arguments_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.Arguments, 0); >- for (cntr_Arguments_1 = 0; cntr_Arguments_1 < r->in.NumArgs; cntr_Arguments_1++) { >+ for (cntr_Arguments_1 = 0; cntr_Arguments_1 < size_Arguments_1; cntr_Arguments_1++) { > NDR_CHECK(ndr_pull_svcctl_ArgumentString(ndr, NDR_SCALARS, &r->in.Arguments[cntr_Arguments_1])); > } >- for (cntr_Arguments_1 = 0; cntr_Arguments_1 < r->in.NumArgs; cntr_Arguments_1++) { >+ for (cntr_Arguments_1 = 0; cntr_Arguments_1 < size_Arguments_1; cntr_Arguments_1++) { > NDR_CHECK(ndr_pull_svcctl_ArgumentString(ndr, NDR_BUFFERS, &r->in.Arguments[cntr_Arguments_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Arguments_1, 0); >@@ -3662,7 +3798,11 @@ static enum ndr_err_code ndr_push_svcctl_GetServiceDisplayNameW(struct ndr_push > static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameW(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceDisplayNameW *r) > { > uint32_t _ptr_service_name; >+ uint32_t size_service_name_1 = 0; >+ uint32_t length_service_name_1 = 0; > uint32_t _ptr_display_name; >+ uint32_t size_display_name_2 = 0; >+ uint32_t length_display_name_2 = 0; > uint32_t _ptr_display_name_length; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_service_name_0; >@@ -3690,11 +3830,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameW(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); >- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); >+ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); >+ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); >+ if (length_service_name_1 > size_service_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); >@@ -3729,11 +3871,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameW(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, *r->out.display_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.display_name)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.display_name)); >- if (ndr_get_array_length(ndr, r->out.display_name) > ndr_get_array_size(ndr, r->out.display_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.display_name), ndr_get_array_length(ndr, r->out.display_name)); >+ size_display_name_2 = ndr_get_array_size(ndr, r->out.display_name); >+ length_display_name_2 = ndr_get_array_length(ndr, r->out.display_name); >+ if (length_display_name_2 > size_display_name_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_2, length_display_name_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, length_display_name_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, LIBNDR_FLAG_REF_ALLOC); >@@ -3848,7 +3992,11 @@ static enum ndr_err_code ndr_push_svcctl_GetServiceKeyNameW(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameW(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceKeyNameW *r) > { > uint32_t _ptr_service_name; >+ uint32_t size_service_name_1 = 0; >+ uint32_t length_service_name_1 = 0; > uint32_t _ptr_key_name; >+ uint32_t size_key_name_2 = 0; >+ uint32_t length_key_name_2 = 0; > uint32_t _ptr_display_name_length; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_service_name_0; >@@ -3876,11 +4024,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameW(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); >- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); >+ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); >+ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); >+ if (length_service_name_1 > size_service_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); >@@ -3915,11 +4065,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameW(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, *r->out.key_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.key_name)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.key_name)); >- if (ndr_get_array_length(ndr, r->out.key_name) > ndr_get_array_size(ndr, r->out.key_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.key_name), ndr_get_array_length(ndr, r->out.key_name)); >+ size_key_name_2 = ndr_get_array_size(ndr, r->out.key_name); >+ length_key_name_2 = ndr_get_array_length(ndr, r->out.key_name); >+ if (length_key_name_2 > size_key_name_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_2, length_key_name_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, length_key_name_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_0, LIBNDR_FLAG_REF_ALLOC); >@@ -4124,11 +4276,23 @@ static enum ndr_err_code ndr_push_svcctl_ChangeServiceConfigA(struct ndr_push *n > static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *ndr, int flags, struct svcctl_ChangeServiceConfigA *r) > { > uint32_t _ptr_binary_path; >+ uint32_t size_binary_path_1 = 0; >+ uint32_t length_binary_path_1 = 0; > uint32_t _ptr_load_order_group; >+ uint32_t size_load_order_group_1 = 0; >+ uint32_t length_load_order_group_1 = 0; > uint32_t _ptr_dependencies; >+ uint32_t size_dependencies_1 = 0; >+ uint32_t length_dependencies_1 = 0; > uint32_t _ptr_service_start_name; >+ uint32_t size_service_start_name_1 = 0; >+ uint32_t length_service_start_name_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > uint32_t _ptr_display_name; >+ uint32_t size_display_name_1 = 0; >+ uint32_t length_display_name_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_binary_path_0; > TALLOC_CTX *_mem_save_load_order_group_0; >@@ -4161,11 +4325,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.binary_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); >- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); >+ size_binary_path_1 = ndr_get_array_size(ndr, &r->in.binary_path); >+ length_binary_path_1 = ndr_get_array_length(ndr, &r->in.binary_path); >+ if (length_binary_path_1 > size_binary_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_1, length_binary_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_path_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_load_order_group)); >@@ -4179,11 +4345,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.load_order_group, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.load_order_group)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.load_order_group)); >- if (ndr_get_array_length(ndr, &r->in.load_order_group) > ndr_get_array_size(ndr, &r->in.load_order_group)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.load_order_group), ndr_get_array_length(ndr, &r->in.load_order_group)); >+ size_load_order_group_1 = ndr_get_array_size(ndr, &r->in.load_order_group); >+ length_load_order_group_1 = ndr_get_array_length(ndr, &r->in.load_order_group); >+ if (length_load_order_group_1 > size_load_order_group_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_load_order_group_1, length_load_order_group_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_load_order_group_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, length_load_order_group_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_load_order_group_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dependencies)); >@@ -4197,11 +4365,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dependencies)); >- if (ndr_get_array_length(ndr, &r->in.dependencies) > ndr_get_array_size(ndr, &r->in.dependencies)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dependencies), ndr_get_array_length(ndr, &r->in.dependencies)); >+ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); >+ length_dependencies_1 = ndr_get_array_length(ndr, &r->in.dependencies); >+ if (length_dependencies_1 > size_dependencies_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service_start_name)); >@@ -4215,11 +4385,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); >- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); >+ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); >+ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); >+ if (length_service_start_name_1 > size_service_start_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -4233,11 +4405,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); >- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ length_password_1 = ndr_get_array_length(ndr, &r->in.password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name)); >@@ -4251,11 +4425,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.display_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.display_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.display_name)); >- if (ndr_get_array_length(ndr, &r->in.display_name) > ndr_get_array_size(ndr, &r->in.display_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.display_name), ndr_get_array_length(ndr, &r->in.display_name)); >+ size_display_name_1 = ndr_get_array_size(ndr, &r->in.display_name); >+ length_display_name_1 = ndr_get_array_length(ndr, &r->in.display_name); >+ if (length_display_name_1 > size_display_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_1, length_display_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, length_display_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.tag_id); >@@ -4416,13 +4592,27 @@ static enum ndr_err_code ndr_push_svcctl_CreateServiceA(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, int flags, struct svcctl_CreateServiceA *r) > { > uint32_t _ptr_ServiceName; >+ uint32_t size_ServiceName_1 = 0; >+ uint32_t length_ServiceName_1 = 0; > uint32_t _ptr_DisplayName; >+ uint32_t size_DisplayName_1 = 0; >+ uint32_t length_DisplayName_1 = 0; > uint32_t _ptr_binary_path; >+ uint32_t size_binary_path_1 = 0; >+ uint32_t length_binary_path_1 = 0; > uint32_t _ptr_LoadOrderGroupKey; >+ uint32_t size_LoadOrderGroupKey_1 = 0; >+ uint32_t length_LoadOrderGroupKey_1 = 0; > uint32_t _ptr_TagId; > uint32_t _ptr_dependencies; >+ uint32_t size_dependencies_1 = 0; >+ uint32_t length_dependencies_1 = 0; > uint32_t _ptr_service_start_name; >+ uint32_t size_service_start_name_1 = 0; >+ uint32_t length_service_start_name_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_ServiceName_0; > TALLOC_CTX *_mem_save_DisplayName_0; >@@ -4453,11 +4643,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.ServiceName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); >- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); >+ size_ServiceName_1 = ndr_get_array_size(ndr, &r->in.ServiceName); >+ length_ServiceName_1 = ndr_get_array_length(ndr, &r->in.ServiceName); >+ if (length_ServiceName_1 > size_ServiceName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_1, length_ServiceName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ServiceName_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DisplayName)); >@@ -4471,11 +4663,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.DisplayName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DisplayName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DisplayName)); >- if (ndr_get_array_length(ndr, &r->in.DisplayName) > ndr_get_array_size(ndr, &r->in.DisplayName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DisplayName), ndr_get_array_length(ndr, &r->in.DisplayName)); >+ size_DisplayName_1 = ndr_get_array_size(ndr, &r->in.DisplayName); >+ length_DisplayName_1 = ndr_get_array_length(ndr, &r->in.DisplayName); >+ if (length_DisplayName_1 > size_DisplayName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DisplayName_1, length_DisplayName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_DisplayName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, length_DisplayName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DisplayName_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.desired_access)); >@@ -4493,11 +4687,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.binary_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); >- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); >+ size_binary_path_1 = ndr_get_array_size(ndr, &r->in.binary_path); >+ length_binary_path_1 = ndr_get_array_length(ndr, &r->in.binary_path); >+ if (length_binary_path_1 > size_binary_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_1, length_binary_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_path_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_LoadOrderGroupKey)); >@@ -4511,11 +4707,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.LoadOrderGroupKey, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.LoadOrderGroupKey)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.LoadOrderGroupKey)); >- if (ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey) > ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey), ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey)); >+ size_LoadOrderGroupKey_1 = ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey); >+ length_LoadOrderGroupKey_1 = ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey); >+ if (length_LoadOrderGroupKey_1 > size_LoadOrderGroupKey_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_LoadOrderGroupKey_1, length_LoadOrderGroupKey_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_LoadOrderGroupKey_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, length_LoadOrderGroupKey_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_LoadOrderGroupKey_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dependencies)); >@@ -4529,11 +4727,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dependencies)); >- if (ndr_get_array_length(ndr, &r->in.dependencies) > ndr_get_array_size(ndr, &r->in.dependencies)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dependencies), ndr_get_array_length(ndr, &r->in.dependencies)); >+ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); >+ length_dependencies_1 = ndr_get_array_length(ndr, &r->in.dependencies); >+ if (length_dependencies_1 > size_dependencies_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service_start_name)); >@@ -4547,11 +4747,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); >- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); >+ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); >+ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); >+ if (length_service_start_name_1 > size_service_start_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -4565,11 +4767,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); >- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ length_password_1 = ndr_get_array_length(ndr, &r->in.password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > } >@@ -4830,6 +5034,7 @@ static enum ndr_err_code ndr_push_svcctl_EnumServicesStatusA(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusA(struct ndr_pull *ndr, int flags, struct svcctl_EnumServicesStatusA *r) > { >+ uint32_t size_service_0 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; >@@ -4867,8 +5072,9 @@ static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusA(struct ndr_pull *nd > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.service)); >- NDR_PULL_ALLOC_N(ndr, r->out.service, ndr_get_array_size(ndr, &r->out.service)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, ndr_get_array_size(ndr, &r->out.service))); >+ size_service_0 = ndr_get_array_size(ndr, &r->out.service); >+ NDR_PULL_ALLOC_N(ndr, r->out.service, size_service_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, size_service_0)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -4984,7 +5190,11 @@ static enum ndr_err_code ndr_push_svcctl_OpenSCManagerA(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerA(struct ndr_pull *ndr, int flags, struct svcctl_OpenSCManagerA *r) > { > uint32_t _ptr_MachineName; >+ uint32_t size_MachineName_1 = 0; >+ uint32_t length_MachineName_1 = 0; > uint32_t _ptr_DatabaseName; >+ uint32_t size_DatabaseName_1 = 0; >+ uint32_t length_DatabaseName_1 = 0; > TALLOC_CTX *_mem_save_MachineName_0; > TALLOC_CTX *_mem_save_DatabaseName_0; > TALLOC_CTX *_mem_save_handle_0; >@@ -5002,11 +5212,13 @@ static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.MachineName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.MachineName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.MachineName)); >- if (ndr_get_array_length(ndr, &r->in.MachineName) > ndr_get_array_size(ndr, &r->in.MachineName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.MachineName), ndr_get_array_length(ndr, &r->in.MachineName)); >+ size_MachineName_1 = ndr_get_array_size(ndr, &r->in.MachineName); >+ length_MachineName_1 = ndr_get_array_length(ndr, &r->in.MachineName); >+ if (length_MachineName_1 > size_MachineName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_MachineName_1, length_MachineName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_MachineName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, length_MachineName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_MachineName_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DatabaseName)); >@@ -5020,11 +5232,13 @@ static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.DatabaseName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DatabaseName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DatabaseName)); >- if (ndr_get_array_length(ndr, &r->in.DatabaseName) > ndr_get_array_size(ndr, &r->in.DatabaseName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DatabaseName), ndr_get_array_length(ndr, &r->in.DatabaseName)); >+ size_DatabaseName_1 = ndr_get_array_size(ndr, &r->in.DatabaseName); >+ length_DatabaseName_1 = ndr_get_array_length(ndr, &r->in.DatabaseName); >+ if (length_DatabaseName_1 > size_DatabaseName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DatabaseName_1, length_DatabaseName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_DatabaseName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, length_DatabaseName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DatabaseName_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.access_mask)); >@@ -5107,6 +5321,8 @@ static enum ndr_err_code ndr_push_svcctl_OpenServiceA(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_svcctl_OpenServiceA(struct ndr_pull *ndr, int flags, struct svcctl_OpenServiceA *r) > { > uint32_t _ptr_ServiceName; >+ uint32_t size_ServiceName_1 = 0; >+ uint32_t length_ServiceName_1 = 0; > TALLOC_CTX *_mem_save_scmanager_handle_0; > TALLOC_CTX *_mem_save_ServiceName_0; > if (flags & NDR_IN) { >@@ -5128,11 +5344,13 @@ static enum ndr_err_code ndr_pull_svcctl_OpenServiceA(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.ServiceName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); >- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); >+ size_ServiceName_1 = ndr_get_array_size(ndr, &r->in.ServiceName); >+ length_ServiceName_1 = ndr_get_array_length(ndr, &r->in.ServiceName); >+ if (length_ServiceName_1 > size_ServiceName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_1, length_ServiceName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ServiceName_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.access_mask)); >@@ -5197,6 +5415,7 @@ static enum ndr_err_code ndr_push_svcctl_QueryServiceConfigA(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfigA(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceConfigA *r) > { >+ uint32_t size_query_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; > if (flags & NDR_IN) { >@@ -5214,8 +5433,9 @@ static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfigA(struct ndr_pull *nd > ZERO_STRUCTP(r->out.needed); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.query, r->in.offered); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.query, r->in.offered)); >+ size_query_0 = r->in.offered; >+ NDR_PULL_ALLOC_N(ndr, r->out.query, size_query_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.query, size_query_0)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -5382,6 +5602,8 @@ static enum ndr_err_code ndr_push_svcctl_StartServiceA(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_svcctl_StartServiceA(struct ndr_pull *ndr, int flags, struct svcctl_StartServiceA *r) > { > uint32_t _ptr_Arguments; >+ uint32_t size_Arguments_1 = 0; >+ uint32_t length_Arguments_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_Arguments_0; > if (flags & NDR_IN) { >@@ -5404,11 +5626,13 @@ static enum ndr_err_code ndr_pull_svcctl_StartServiceA(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.Arguments, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Arguments)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Arguments)); >- if (ndr_get_array_length(ndr, &r->in.Arguments) > ndr_get_array_size(ndr, &r->in.Arguments)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Arguments), ndr_get_array_length(ndr, &r->in.Arguments)); >+ size_Arguments_1 = ndr_get_array_size(ndr, &r->in.Arguments); >+ length_Arguments_1 = ndr_get_array_length(ndr, &r->in.Arguments); >+ if (length_Arguments_1 > size_Arguments_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Arguments_1, length_Arguments_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Arguments), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Arguments, ndr_get_array_length(ndr, &r->in.Arguments), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Arguments_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Arguments, length_Arguments_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Arguments_0, 0); > } > } >@@ -5492,7 +5716,11 @@ static enum ndr_err_code ndr_push_svcctl_GetServiceDisplayNameA(struct ndr_push > static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameA(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceDisplayNameA *r) > { > uint32_t _ptr_service_name; >+ uint32_t size_service_name_1 = 0; >+ uint32_t length_service_name_1 = 0; > uint32_t _ptr_display_name; >+ uint32_t size_display_name_2 = 0; >+ uint32_t length_display_name_2 = 0; > uint32_t _ptr_display_name_length; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_service_name_0; >@@ -5520,11 +5748,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameA(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); >- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); >+ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); >+ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); >+ if (length_service_name_1 > size_service_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); >@@ -5559,11 +5789,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameA(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, *r->out.display_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.display_name)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.display_name)); >- if (ndr_get_array_length(ndr, r->out.display_name) > ndr_get_array_size(ndr, r->out.display_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.display_name), ndr_get_array_length(ndr, r->out.display_name)); >+ size_display_name_2 = ndr_get_array_size(ndr, r->out.display_name); >+ length_display_name_2 = ndr_get_array_length(ndr, r->out.display_name); >+ if (length_display_name_2 > size_display_name_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_2, length_display_name_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, length_display_name_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, LIBNDR_FLAG_REF_ALLOC); >@@ -5678,7 +5910,11 @@ static enum ndr_err_code ndr_push_svcctl_GetServiceKeyNameA(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameA(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceKeyNameA *r) > { > uint32_t _ptr_service_name; >+ uint32_t size_service_name_1 = 0; >+ uint32_t length_service_name_1 = 0; > uint32_t _ptr_key_name; >+ uint32_t size_key_name_2 = 0; >+ uint32_t length_key_name_2 = 0; > uint32_t _ptr_display_name_length; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_service_name_0; >@@ -5706,11 +5942,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameA(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); >- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); >+ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); >+ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); >+ if (length_service_name_1 > size_service_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); >@@ -5745,11 +5983,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameA(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, *r->out.key_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.key_name)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.key_name)); >- if (ndr_get_array_length(ndr, r->out.key_name) > ndr_get_array_size(ndr, r->out.key_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.key_name), ndr_get_array_length(ndr, r->out.key_name)); >+ size_key_name_2 = ndr_get_array_size(ndr, r->out.key_name); >+ length_key_name_2 = ndr_get_array_length(ndr, r->out.key_name); >+ if (length_key_name_2 > size_key_name_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_2, length_key_name_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, length_key_name_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_0, LIBNDR_FLAG_REF_ALLOC); >@@ -6095,6 +6335,7 @@ static enum ndr_err_code ndr_push_svcctl_QueryServiceConfig2A(struct ndr_push *n > > static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfig2A(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceConfig2A *r) > { >+ uint32_t size_buffer_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; > if (flags & NDR_IN) { >@@ -6113,8 +6354,9 @@ static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfig2A(struct ndr_pull *n > ZERO_STRUCTP(r->out.needed); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, r->in.offered); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, r->in.offered)); >+ size_buffer_0 = r->in.offered; >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_0)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -6186,6 +6428,7 @@ static enum ndr_err_code ndr_push_svcctl_QueryServiceConfig2W(struct ndr_push *n > > static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfig2W(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceConfig2W *r) > { >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; > if (flags & NDR_IN) { >@@ -6210,10 +6453,11 @@ static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfig2W(struct ndr_pull *n > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -6294,6 +6538,7 @@ static enum ndr_err_code ndr_push_svcctl_QueryServiceStatusEx(struct ndr_push *n > > static enum ndr_err_code ndr_pull_svcctl_QueryServiceStatusEx(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceStatusEx *r) > { >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; > if (flags & NDR_IN) { >@@ -6318,10 +6563,11 @@ static enum ndr_err_code ndr_pull_svcctl_QueryServiceStatusEx(struct ndr_pull *n > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -6422,8 +6668,11 @@ static enum ndr_err_code ndr_push_EnumServicesStatusExA(struct ndr_push *ndr, in > > static enum ndr_err_code ndr_pull_EnumServicesStatusExA(struct ndr_pull *ndr, int flags, struct EnumServicesStatusExA *r) > { >+ uint32_t size_services_0 = 0; > uint32_t _ptr_resume_handle; > uint32_t _ptr_group_name; >+ uint32_t size_group_name_2 = 0; >+ uint32_t length_group_name_2 = 0; > TALLOC_CTX *_mem_save_scmanager_0; > TALLOC_CTX *_mem_save_needed_0; > TALLOC_CTX *_mem_save_service_returned_0; >@@ -6464,8 +6713,9 @@ static enum ndr_err_code ndr_pull_EnumServicesStatusExA(struct ndr_pull *ndr, in > ZERO_STRUCTP(r->out.group_name); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.services, r->in.offered); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, r->in.offered)); >+ size_services_0 = r->in.offered; >+ NDR_PULL_ALLOC_N(ndr, r->out.services, size_services_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, size_services_0)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -6508,11 +6758,13 @@ static enum ndr_err_code ndr_pull_EnumServicesStatusExA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, *r->out.group_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.group_name)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.group_name)); >- if (ndr_get_array_length(ndr, r->out.group_name) > ndr_get_array_size(ndr, r->out.group_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.group_name), ndr_get_array_length(ndr, r->out.group_name)); >+ size_group_name_2 = ndr_get_array_size(ndr, r->out.group_name); >+ length_group_name_2 = ndr_get_array_length(ndr, r->out.group_name); >+ if (length_group_name_2 > size_group_name_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_group_name_2, length_group_name_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.group_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.group_name, ndr_get_array_length(ndr, r->out.group_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_group_name_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.group_name, length_group_name_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_name_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_name_0, LIBNDR_FLAG_REF_ALLOC); >@@ -6628,8 +6880,11 @@ static enum ndr_err_code ndr_push_EnumServicesStatusExW(struct ndr_push *ndr, in > > static enum ndr_err_code ndr_pull_EnumServicesStatusExW(struct ndr_pull *ndr, int flags, struct EnumServicesStatusExW *r) > { >+ uint32_t size_services_1 = 0; > uint32_t _ptr_resume_handle; > uint32_t _ptr_group_name; >+ uint32_t size_group_name_1 = 0; >+ uint32_t length_group_name_1 = 0; > TALLOC_CTX *_mem_save_scmanager_0; > TALLOC_CTX *_mem_save_needed_0; > TALLOC_CTX *_mem_save_service_returned_0; >@@ -6678,11 +6933,13 @@ static enum ndr_err_code ndr_pull_EnumServicesStatusExW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.group_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.group_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.group_name)); >- if (ndr_get_array_length(ndr, &r->in.group_name) > ndr_get_array_size(ndr, &r->in.group_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.group_name), ndr_get_array_length(ndr, &r->in.group_name)); >+ size_group_name_1 = ndr_get_array_size(ndr, &r->in.group_name); >+ length_group_name_1 = ndr_get_array_length(ndr, &r->in.group_name); >+ if (length_group_name_1 > size_group_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_group_name_1, length_group_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.group_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.group_name, ndr_get_array_length(ndr, &r->in.group_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_group_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.group_name, length_group_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_name_0, 0); > } > NDR_PULL_ALLOC_N(ndr, r->out.services, r->in.offered); >@@ -6694,10 +6951,11 @@ static enum ndr_err_code ndr_pull_EnumServicesStatusExW(struct ndr_pull *ndr, in > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.services)); >+ size_services_1 = ndr_get_array_size(ndr, &r->out.services); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.services, ndr_get_array_size(ndr, &r->out.services)); >+ NDR_PULL_ALLOC_N(ndr, r->out.services, size_services_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, ndr_get_array_size(ndr, &r->out.services))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, size_services_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >diff --git a/librpc/gen_ndr/ndr_winreg.c b/librpc/gen_ndr/ndr_winreg.c >index 6f432d3..8d0006f 100644 >--- a/librpc/gen_ndr/ndr_winreg.c >+++ b/librpc/gen_ndr/ndr_winreg.c >@@ -58,6 +58,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_winreg_String(struct ndr_push *ndr, int ndr_ > _PUBLIC_ enum ndr_err_code ndr_pull_winreg_String(struct ndr_pull *ndr, int ndr_flags, struct winreg_String *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -77,11 +79,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_String(struct ndr_pull *ndr, int ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > } >@@ -126,6 +130,8 @@ static enum ndr_err_code ndr_push_KeySecurityData(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_KeySecurityData(struct ndr_pull *ndr, int ndr_flags, struct KeySecurityData *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; >+ uint32_t length_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -145,11 +151,13 @@ static enum ndr_err_code ndr_pull_KeySecurityData(struct ndr_pull *ndr, int ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); >- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ length_data_1 = ndr_get_array_length(ndr, &r->data); >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -266,6 +274,8 @@ static enum ndr_err_code ndr_push_winreg_StringBuf(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_winreg_StringBuf(struct ndr_pull *ndr, int ndr_flags, struct winreg_StringBuf *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -285,10 +295,12 @@ static enum ndr_err_code ndr_pull_winreg_StringBuf(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->name) { >@@ -339,6 +351,8 @@ static enum ndr_err_code ndr_push_winreg_ValNameBuf(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_winreg_ValNameBuf(struct ndr_pull *ndr, int ndr_flags, struct winreg_ValNameBuf *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -358,10 +372,12 @@ static enum ndr_err_code ndr_pull_winreg_ValNameBuf(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->name) { >@@ -1563,6 +1579,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_EnumValue(struct ndr_pull *ndr, int f > { > uint32_t _ptr_type; > uint32_t _ptr_value; >+ uint32_t size_value_1 = 0; >+ uint32_t length_value_1 = 0; > uint32_t _ptr_size; > uint32_t _ptr_length; > TALLOC_CTX *_mem_save_handle_0; >@@ -1612,11 +1630,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_EnumValue(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.value, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value)); >- if (ndr_get_array_length(ndr, &r->in.value) > ndr_get_array_size(ndr, &r->in.value)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value), ndr_get_array_length(ndr, &r->in.value)); >+ size_value_1 = ndr_get_array_size(ndr, &r->in.value); >+ length_value_1 = ndr_get_array_length(ndr, &r->in.value); >+ if (length_value_1 > size_value_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_1, length_value_1); > } >- NDR_PULL_ALLOC_N(ndr, r->in.value, ndr_get_array_size(ndr, &r->in.value)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.value, ndr_get_array_length(ndr, &r->in.value))); >+ NDR_PULL_ALLOC_N(ndr, r->in.value, size_value_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.value, length_value_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_value_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_size)); >@@ -1685,11 +1705,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_EnumValue(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->out.value, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.value)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.value)); >- if (ndr_get_array_length(ndr, &r->out.value) > ndr_get_array_size(ndr, &r->out.value)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.value), ndr_get_array_length(ndr, &r->out.value)); >+ size_value_1 = ndr_get_array_size(ndr, &r->out.value); >+ length_value_1 = ndr_get_array_length(ndr, &r->out.value); >+ if (length_value_1 > size_value_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_1, length_value_1); > } >- NDR_PULL_ALLOC_N(ndr, r->out.value, ndr_get_array_size(ndr, &r->out.value)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.value, ndr_get_array_length(ndr, &r->out.value))); >+ NDR_PULL_ALLOC_N(ndr, r->out.value, size_value_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.value, length_value_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_value_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_size)); >@@ -2527,6 +2549,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryValue(struct ndr_pull *ndr, int > { > uint32_t _ptr_type; > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; >+ uint32_t length_data_1 = 0; > uint32_t _ptr_data_size; > uint32_t _ptr_data_length; > TALLOC_CTX *_mem_save_handle_0; >@@ -2575,11 +2599,19 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryValue(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.data)); >- if (ndr_get_array_length(ndr, &r->in.data) > ndr_get_array_size(ndr, &r->in.data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.data), ndr_get_array_length(ndr, &r->in.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->in.data); >+ if (size_data_1 > 0x4000000) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_length(ndr, &r->in.data))); >+ length_data_1 = ndr_get_array_length(ndr, &r->in.data); >+ if (length_data_1 > 0x4000000) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); >+ } >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, length_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_data_size)); >@@ -2639,11 +2671,19 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryValue(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->out.data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.data)); >- if (ndr_get_array_length(ndr, &r->out.data) > ndr_get_array_size(ndr, &r->out.data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.data), ndr_get_array_length(ndr, &r->out.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->out.data); >+ if (size_data_1 > 0x4000000) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ length_data_1 = ndr_get_array_length(ndr, &r->out.data); >+ if (length_data_1 > 0x4000000) { >+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); >+ } >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_length(ndr, &r->out.data))); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, length_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_data_size)); >@@ -3076,6 +3116,7 @@ static enum ndr_err_code ndr_push_winreg_SetValue(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_winreg_SetValue(struct ndr_pull *ndr, int flags, struct winreg_SetValue *r) > { >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -3088,10 +3129,11 @@ static enum ndr_err_code ndr_pull_winreg_SetValue(struct ndr_pull *ndr, int flag > NDR_CHECK(ndr_pull_winreg_String(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.name)); > NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, &r->in.type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->in.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.size)); > if (r->in.data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.size)); >@@ -3656,8 +3698,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_winreg_QueryMultipleValues(struct ndr_push * > > _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryMultipleValues(struct ndr_pull *ndr, int flags, struct winreg_QueryMultipleValues *r) > { >+ uint32_t size_values_1 = 0; >+ uint32_t length_values_1 = 0; > uint32_t cntr_values_1; > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; >+ uint32_t length_buffer_1 = 0; > TALLOC_CTX *_mem_save_key_handle_0; > TALLOC_CTX *_mem_save_values_1; > TALLOC_CTX *_mem_save_buffer_0; >@@ -3674,19 +3720,21 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryMultipleValues(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.values)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.values)); >- if (ndr_get_array_length(ndr, &r->in.values) > ndr_get_array_size(ndr, &r->in.values)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.values), ndr_get_array_length(ndr, &r->in.values)); >+ size_values_1 = ndr_get_array_size(ndr, &r->in.values); >+ length_values_1 = ndr_get_array_length(ndr, &r->in.values); >+ if (length_values_1 > size_values_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_values_1, length_values_1); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.values, ndr_get_array_size(ndr, &r->in.values)); >+ NDR_PULL_ALLOC_N(ndr, r->in.values, size_values_1); > } >- memcpy(r->out.values, r->in.values, (ndr_get_array_size(ndr, &r->in.values)) * sizeof(*r->in.values)); >+ memcpy(r->out.values, r->in.values, (size_values_1) * sizeof(*r->in.values)); > _mem_save_values_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.values, 0); >- for (cntr_values_1 = 0; cntr_values_1 < ndr_get_array_length(ndr, &r->in.values); cntr_values_1++) { >+ for (cntr_values_1 = 0; cntr_values_1 < length_values_1; cntr_values_1++) { > NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_SCALARS, &r->in.values[cntr_values_1])); > } >- for (cntr_values_1 = 0; cntr_values_1 < ndr_get_array_length(ndr, &r->in.values); cntr_values_1++) { >+ for (cntr_values_1 = 0; cntr_values_1 < length_values_1; cntr_values_1++) { > NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_BUFFERS, &r->in.values[cntr_values_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_values_1, 0); >@@ -3702,11 +3750,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryMultipleValues(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.buffer)); >- if (ndr_get_array_length(ndr, &r->in.buffer) > ndr_get_array_size(ndr, &r->in.buffer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.buffer), ndr_get_array_length(ndr, &r->in.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); >+ length_buffer_1 = ndr_get_array_length(ndr, &r->in.buffer); >+ if (length_buffer_1 > size_buffer_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); > } >- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_length(ndr, &r->in.buffer))); >+ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, length_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -3736,19 +3786,21 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryMultipleValues(struct ndr_pull * > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.values)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.values)); >- if (ndr_get_array_length(ndr, &r->out.values) > ndr_get_array_size(ndr, &r->out.values)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.values), ndr_get_array_length(ndr, &r->out.values)); >+ size_values_1 = ndr_get_array_size(ndr, &r->out.values); >+ length_values_1 = ndr_get_array_length(ndr, &r->out.values); >+ if (length_values_1 > size_values_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_values_1, length_values_1); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.values, ndr_get_array_size(ndr, &r->out.values)); >+ NDR_PULL_ALLOC_N(ndr, r->out.values, size_values_1); > } >- memcpy(r->out.values, r->in.values, (ndr_get_array_size(ndr, &r->out.values)) * sizeof(*r->in.values)); >+ memcpy(r->out.values, r->in.values, (size_values_1) * sizeof(*r->in.values)); > _mem_save_values_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.values, 0); >- for (cntr_values_1 = 0; cntr_values_1 < ndr_get_array_length(ndr, &r->out.values); cntr_values_1++) { >+ for (cntr_values_1 = 0; cntr_values_1 < length_values_1; cntr_values_1++) { > NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_SCALARS, &r->out.values[cntr_values_1])); > } >- for (cntr_values_1 = 0; cntr_values_1 < ndr_get_array_length(ndr, &r->out.values); cntr_values_1++) { >+ for (cntr_values_1 = 0; cntr_values_1 < length_values_1; cntr_values_1++) { > NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_BUFFERS, &r->out.values[cntr_values_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_values_1, 0); >@@ -3763,11 +3815,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryMultipleValues(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->out.buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); >- if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); >+ length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer); >+ if (length_buffer_1 > size_buffer_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); > } >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_length(ndr, &r->out.buffer))); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, length_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >diff --git a/librpc/gen_ndr/ndr_wkssvc.c b/librpc/gen_ndr/ndr_wkssvc.c >index 012f296..afc5494 100644 >--- a/librpc/gen_ndr/ndr_wkssvc.c >+++ b/librpc/gen_ndr/ndr_wkssvc.c >@@ -36,8 +36,12 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaInfo100(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo100(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaInfo100 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_domain_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -64,11 +68,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo100(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->domain_name) { >@@ -76,11 +82,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo100(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); >- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > } >@@ -147,10 +155,16 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaInfo101(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo101(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaInfo101 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_domain_name_0; > uint32_t _ptr_lan_root; >+ uint32_t size_lan_root_1 = 0; >+ uint32_t length_lan_root_1 = 0; > TALLOC_CTX *_mem_save_lan_root_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -183,11 +197,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo101(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->domain_name) { >@@ -195,11 +211,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo101(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); >- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > if (r->lan_root) { >@@ -207,11 +225,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo101(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->lan_root, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->lan_root)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->lan_root)); >- if (ndr_get_array_length(ndr, &r->lan_root) > ndr_get_array_size(ndr, &r->lan_root)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->lan_root), ndr_get_array_length(ndr, &r->lan_root)); >+ size_lan_root_1 = ndr_get_array_size(ndr, &r->lan_root); >+ length_lan_root_1 = ndr_get_array_length(ndr, &r->lan_root); >+ if (length_lan_root_1 > size_lan_root_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_lan_root_1, length_lan_root_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->lan_root), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lan_root, ndr_get_array_length(ndr, &r->lan_root), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_lan_root_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lan_root, length_lan_root_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_lan_root_0, 0); > } > } >@@ -285,10 +305,16 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaInfo102(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo102(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaInfo102 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_domain_name_0; > uint32_t _ptr_lan_root; >+ uint32_t size_lan_root_1 = 0; >+ uint32_t length_lan_root_1 = 0; > TALLOC_CTX *_mem_save_lan_root_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -322,11 +348,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo102(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->domain_name) { >@@ -334,11 +362,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo102(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); >- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > if (r->lan_root) { >@@ -346,11 +376,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo102(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->lan_root, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->lan_root)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->lan_root)); >- if (ndr_get_array_length(ndr, &r->lan_root) > ndr_get_array_size(ndr, &r->lan_root)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->lan_root), ndr_get_array_length(ndr, &r->lan_root)); >+ size_lan_root_1 = ndr_get_array_size(ndr, &r->lan_root); >+ length_lan_root_1 = ndr_get_array_length(ndr, &r->lan_root); >+ if (length_lan_root_1 > size_lan_root_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_lan_root_1, length_lan_root_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->lan_root), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lan_root, ndr_get_array_length(ndr, &r->lan_root), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_lan_root_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lan_root, length_lan_root_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_lan_root_0, 0); > } > } >@@ -1932,41 +1964,77 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info100_0; >+ uint32_t _ptr_info100; > TALLOC_CTX *_mem_save_info101_0; >+ uint32_t _ptr_info101; > TALLOC_CTX *_mem_save_info102_0; >+ uint32_t _ptr_info102; > TALLOC_CTX *_mem_save_info502_0; >+ uint32_t _ptr_info502; > TALLOC_CTX *_mem_save_info1010_0; >+ uint32_t _ptr_info1010; > TALLOC_CTX *_mem_save_info1011_0; >+ uint32_t _ptr_info1011; > TALLOC_CTX *_mem_save_info1012_0; >+ uint32_t _ptr_info1012; > TALLOC_CTX *_mem_save_info1013_0; >+ uint32_t _ptr_info1013; > TALLOC_CTX *_mem_save_info1018_0; >+ uint32_t _ptr_info1018; > TALLOC_CTX *_mem_save_info1023_0; >+ uint32_t _ptr_info1023; > TALLOC_CTX *_mem_save_info1027_0; >+ uint32_t _ptr_info1027; > TALLOC_CTX *_mem_save_info1028_0; >+ uint32_t _ptr_info1028; > TALLOC_CTX *_mem_save_info1032_0; >+ uint32_t _ptr_info1032; > TALLOC_CTX *_mem_save_info1033_0; >+ uint32_t _ptr_info1033; > TALLOC_CTX *_mem_save_info1041_0; >+ uint32_t _ptr_info1041; > TALLOC_CTX *_mem_save_info1042_0; >+ uint32_t _ptr_info1042; > TALLOC_CTX *_mem_save_info1043_0; >+ uint32_t _ptr_info1043; > TALLOC_CTX *_mem_save_info1044_0; >+ uint32_t _ptr_info1044; > TALLOC_CTX *_mem_save_info1045_0; >+ uint32_t _ptr_info1045; > TALLOC_CTX *_mem_save_info1046_0; >+ uint32_t _ptr_info1046; > TALLOC_CTX *_mem_save_info1047_0; >+ uint32_t _ptr_info1047; > TALLOC_CTX *_mem_save_info1048_0; >+ uint32_t _ptr_info1048; > TALLOC_CTX *_mem_save_info1049_0; >+ uint32_t _ptr_info1049; > TALLOC_CTX *_mem_save_info1050_0; >+ uint32_t _ptr_info1050; > TALLOC_CTX *_mem_save_info1051_0; >+ uint32_t _ptr_info1051; > TALLOC_CTX *_mem_save_info1052_0; >+ uint32_t _ptr_info1052; > TALLOC_CTX *_mem_save_info1053_0; >+ uint32_t _ptr_info1053; > TALLOC_CTX *_mem_save_info1054_0; >+ uint32_t _ptr_info1054; > TALLOC_CTX *_mem_save_info1055_0; >+ uint32_t _ptr_info1055; > TALLOC_CTX *_mem_save_info1056_0; >+ uint32_t _ptr_info1056; > TALLOC_CTX *_mem_save_info1057_0; >+ uint32_t _ptr_info1057; > TALLOC_CTX *_mem_save_info1058_0; >+ uint32_t _ptr_info1058; > TALLOC_CTX *_mem_save_info1059_0; >+ uint32_t _ptr_info1059; > TALLOC_CTX *_mem_save_info1060_0; >+ uint32_t _ptr_info1060; > TALLOC_CTX *_mem_save_info1061_0; >+ uint32_t _ptr_info1061; > TALLOC_CTX *_mem_save_info1062_0; >+ uint32_t _ptr_info1062; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1976,7 +2044,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 100: { >- uint32_t _ptr_info100; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); > if (_ptr_info100) { > NDR_PULL_ALLOC(ndr, r->info100); >@@ -1986,7 +2053,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 101: { >- uint32_t _ptr_info101; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); > if (_ptr_info101) { > NDR_PULL_ALLOC(ndr, r->info101); >@@ -1996,7 +2062,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 102: { >- uint32_t _ptr_info102; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info102)); > if (_ptr_info102) { > NDR_PULL_ALLOC(ndr, r->info102); >@@ -2006,7 +2071,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 502: { >- uint32_t _ptr_info502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info502)); > if (_ptr_info502) { > NDR_PULL_ALLOC(ndr, r->info502); >@@ -2016,7 +2080,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1010: { >- uint32_t _ptr_info1010; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1010)); > if (_ptr_info1010) { > NDR_PULL_ALLOC(ndr, r->info1010); >@@ -2026,7 +2089,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1011: { >- uint32_t _ptr_info1011; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1011)); > if (_ptr_info1011) { > NDR_PULL_ALLOC(ndr, r->info1011); >@@ -2036,7 +2098,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1012: { >- uint32_t _ptr_info1012; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1012)); > if (_ptr_info1012) { > NDR_PULL_ALLOC(ndr, r->info1012); >@@ -2046,7 +2107,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1013: { >- uint32_t _ptr_info1013; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1013)); > if (_ptr_info1013) { > NDR_PULL_ALLOC(ndr, r->info1013); >@@ -2056,7 +2116,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1018: { >- uint32_t _ptr_info1018; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1018)); > if (_ptr_info1018) { > NDR_PULL_ALLOC(ndr, r->info1018); >@@ -2066,7 +2125,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1023: { >- uint32_t _ptr_info1023; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1023)); > if (_ptr_info1023) { > NDR_PULL_ALLOC(ndr, r->info1023); >@@ -2076,7 +2134,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1027: { >- uint32_t _ptr_info1027; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1027)); > if (_ptr_info1027) { > NDR_PULL_ALLOC(ndr, r->info1027); >@@ -2086,7 +2143,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1028: { >- uint32_t _ptr_info1028; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1028)); > if (_ptr_info1028) { > NDR_PULL_ALLOC(ndr, r->info1028); >@@ -2096,7 +2152,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1032: { >- uint32_t _ptr_info1032; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1032)); > if (_ptr_info1032) { > NDR_PULL_ALLOC(ndr, r->info1032); >@@ -2106,7 +2161,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1033: { >- uint32_t _ptr_info1033; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1033)); > if (_ptr_info1033) { > NDR_PULL_ALLOC(ndr, r->info1033); >@@ -2116,7 +2170,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1041: { >- uint32_t _ptr_info1041; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1041)); > if (_ptr_info1041) { > NDR_PULL_ALLOC(ndr, r->info1041); >@@ -2126,7 +2179,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1042: { >- uint32_t _ptr_info1042; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1042)); > if (_ptr_info1042) { > NDR_PULL_ALLOC(ndr, r->info1042); >@@ -2136,7 +2188,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1043: { >- uint32_t _ptr_info1043; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1043)); > if (_ptr_info1043) { > NDR_PULL_ALLOC(ndr, r->info1043); >@@ -2146,7 +2197,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1044: { >- uint32_t _ptr_info1044; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1044)); > if (_ptr_info1044) { > NDR_PULL_ALLOC(ndr, r->info1044); >@@ -2156,7 +2206,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1045: { >- uint32_t _ptr_info1045; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1045)); > if (_ptr_info1045) { > NDR_PULL_ALLOC(ndr, r->info1045); >@@ -2166,7 +2215,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1046: { >- uint32_t _ptr_info1046; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1046)); > if (_ptr_info1046) { > NDR_PULL_ALLOC(ndr, r->info1046); >@@ -2176,7 +2224,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1047: { >- uint32_t _ptr_info1047; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1047)); > if (_ptr_info1047) { > NDR_PULL_ALLOC(ndr, r->info1047); >@@ -2186,7 +2233,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1048: { >- uint32_t _ptr_info1048; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1048)); > if (_ptr_info1048) { > NDR_PULL_ALLOC(ndr, r->info1048); >@@ -2196,7 +2242,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1049: { >- uint32_t _ptr_info1049; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1049)); > if (_ptr_info1049) { > NDR_PULL_ALLOC(ndr, r->info1049); >@@ -2206,7 +2251,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1050: { >- uint32_t _ptr_info1050; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1050)); > if (_ptr_info1050) { > NDR_PULL_ALLOC(ndr, r->info1050); >@@ -2216,7 +2260,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1051: { >- uint32_t _ptr_info1051; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1051)); > if (_ptr_info1051) { > NDR_PULL_ALLOC(ndr, r->info1051); >@@ -2226,7 +2269,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1052: { >- uint32_t _ptr_info1052; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1052)); > if (_ptr_info1052) { > NDR_PULL_ALLOC(ndr, r->info1052); >@@ -2236,7 +2278,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1053: { >- uint32_t _ptr_info1053; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1053)); > if (_ptr_info1053) { > NDR_PULL_ALLOC(ndr, r->info1053); >@@ -2246,7 +2287,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1054: { >- uint32_t _ptr_info1054; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1054)); > if (_ptr_info1054) { > NDR_PULL_ALLOC(ndr, r->info1054); >@@ -2256,7 +2296,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1055: { >- uint32_t _ptr_info1055; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1055)); > if (_ptr_info1055) { > NDR_PULL_ALLOC(ndr, r->info1055); >@@ -2266,7 +2305,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1056: { >- uint32_t _ptr_info1056; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1056)); > if (_ptr_info1056) { > NDR_PULL_ALLOC(ndr, r->info1056); >@@ -2276,7 +2314,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1057: { >- uint32_t _ptr_info1057; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1057)); > if (_ptr_info1057) { > NDR_PULL_ALLOC(ndr, r->info1057); >@@ -2286,7 +2323,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1058: { >- uint32_t _ptr_info1058; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1058)); > if (_ptr_info1058) { > NDR_PULL_ALLOC(ndr, r->info1058); >@@ -2296,7 +2332,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1059: { >- uint32_t _ptr_info1059; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1059)); > if (_ptr_info1059) { > NDR_PULL_ALLOC(ndr, r->info1059); >@@ -2306,7 +2341,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1060: { >- uint32_t _ptr_info1060; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1060)); > if (_ptr_info1060) { > NDR_PULL_ALLOC(ndr, r->info1060); >@@ -2316,7 +2350,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1061: { >- uint32_t _ptr_info1061; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1061)); > if (_ptr_info1061) { > NDR_PULL_ALLOC(ndr, r->info1061); >@@ -2326,7 +2359,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo(struct ndr_pull *ndr, int > break; } > > case 1062: { >- uint32_t _ptr_info1062; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1062)); > if (_ptr_info1062) { > NDR_PULL_ALLOC(ndr, r->info1062); >@@ -3031,6 +3063,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetrWkstaUserInfo0(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrWkstaUserInfo0 *r) > { > uint32_t _ptr_user_name; >+ uint32_t size_user_name_1 = 0; >+ uint32_t length_user_name_1 = 0; > TALLOC_CTX *_mem_save_user_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3048,11 +3082,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo0(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); >- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); >+ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); >+ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); >+ if (length_user_name_1 > size_user_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); > } > } >@@ -3098,6 +3134,7 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaEnumUsersCtr0(struct ndr_push * > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsersCtr0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaEnumUsersCtr0 *r) > { > uint32_t _ptr_user0; >+ uint32_t size_user0_1 = 0; > uint32_t cntr_user0_1; > TALLOC_CTX *_mem_save_user0_0; > TALLOC_CTX *_mem_save_user0_1; >@@ -3117,13 +3154,14 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsersCtr0(struct ndr_pull * > _mem_save_user0_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->user0, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user0)); >- NDR_PULL_ALLOC_N(ndr, r->user0, ndr_get_array_size(ndr, &r->user0)); >+ size_user0_1 = ndr_get_array_size(ndr, &r->user0); >+ NDR_PULL_ALLOC_N(ndr, r->user0, size_user0_1); > _mem_save_user0_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->user0, 0); >- for (cntr_user0_1 = 0; cntr_user0_1 < r->entries_read; cntr_user0_1++) { >+ for (cntr_user0_1 = 0; cntr_user0_1 < size_user0_1; cntr_user0_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrWkstaUserInfo0(ndr, NDR_SCALARS, &r->user0[cntr_user0_1])); > } >- for (cntr_user0_1 = 0; cntr_user0_1 < r->entries_read; cntr_user0_1++) { >+ for (cntr_user0_1 = 0; cntr_user0_1 < size_user0_1; cntr_user0_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrWkstaUserInfo0(ndr, NDR_BUFFERS, &r->user0[cntr_user0_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user0_1, 0); >@@ -3202,12 +3240,20 @@ static enum ndr_err_code ndr_push_wkssvc_NetrWkstaUserInfo1(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo1(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrWkstaUserInfo1 *r) > { > uint32_t _ptr_user_name; >+ uint32_t size_user_name_1 = 0; >+ uint32_t length_user_name_1 = 0; > TALLOC_CTX *_mem_save_user_name_0; > uint32_t _ptr_logon_domain; >+ uint32_t size_logon_domain_1 = 0; >+ uint32_t length_logon_domain_1 = 0; > TALLOC_CTX *_mem_save_logon_domain_0; > uint32_t _ptr_other_domains; >+ uint32_t size_other_domains_1 = 0; >+ uint32_t length_other_domains_1 = 0; > TALLOC_CTX *_mem_save_other_domains_0; > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3243,11 +3289,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo1(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); >- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); >+ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); >+ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); >+ if (length_user_name_1 > size_user_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); > } > if (r->logon_domain) { >@@ -3255,11 +3303,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo1(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->logon_domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->logon_domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->logon_domain)); >- if (ndr_get_array_length(ndr, &r->logon_domain) > ndr_get_array_size(ndr, &r->logon_domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->logon_domain), ndr_get_array_length(ndr, &r->logon_domain)); >+ size_logon_domain_1 = ndr_get_array_size(ndr, &r->logon_domain); >+ length_logon_domain_1 = ndr_get_array_length(ndr, &r->logon_domain); >+ if (length_logon_domain_1 > size_logon_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_domain_1, length_logon_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->logon_domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->logon_domain, ndr_get_array_length(ndr, &r->logon_domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->logon_domain, length_logon_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_domain_0, 0); > } > if (r->other_domains) { >@@ -3267,11 +3317,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo1(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->other_domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->other_domains)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->other_domains)); >- if (ndr_get_array_length(ndr, &r->other_domains) > ndr_get_array_size(ndr, &r->other_domains)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->other_domains), ndr_get_array_length(ndr, &r->other_domains)); >+ size_other_domains_1 = ndr_get_array_size(ndr, &r->other_domains); >+ length_other_domains_1 = ndr_get_array_length(ndr, &r->other_domains); >+ if (length_other_domains_1 > size_other_domains_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_other_domains_1, length_other_domains_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->other_domains), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->other_domains, ndr_get_array_length(ndr, &r->other_domains), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_other_domains_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->other_domains, length_other_domains_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_other_domains_0, 0); > } > if (r->logon_server) { >@@ -3279,11 +3331,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo1(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->logon_server)); >- if (ndr_get_array_length(ndr, &r->logon_server) > ndr_get_array_size(ndr, &r->logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->logon_server), ndr_get_array_length(ndr, &r->logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->logon_server, ndr_get_array_length(ndr, &r->logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > } >@@ -3347,6 +3401,7 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaEnumUsersCtr1(struct ndr_push * > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsersCtr1(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaEnumUsersCtr1 *r) > { > uint32_t _ptr_user1; >+ uint32_t size_user1_1 = 0; > uint32_t cntr_user1_1; > TALLOC_CTX *_mem_save_user1_0; > TALLOC_CTX *_mem_save_user1_1; >@@ -3366,13 +3421,14 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsersCtr1(struct ndr_pull * > _mem_save_user1_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->user1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user1)); >- NDR_PULL_ALLOC_N(ndr, r->user1, ndr_get_array_size(ndr, &r->user1)); >+ size_user1_1 = ndr_get_array_size(ndr, &r->user1); >+ NDR_PULL_ALLOC_N(ndr, r->user1, size_user1_1); > _mem_save_user1_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->user1, 0); >- for (cntr_user1_1 = 0; cntr_user1_1 < r->entries_read; cntr_user1_1++) { >+ for (cntr_user1_1 = 0; cntr_user1_1 < size_user1_1; cntr_user1_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrWkstaUserInfo1(ndr, NDR_SCALARS, &r->user1[cntr_user1_1])); > } >- for (cntr_user1_1 = 0; cntr_user1_1 < r->entries_read; cntr_user1_1++) { >+ for (cntr_user1_1 = 0; cntr_user1_1 < size_user1_1; cntr_user1_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrWkstaUserInfo1(ndr, NDR_BUFFERS, &r->user1[cntr_user1_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user1_1, 0); >@@ -3455,7 +3511,9 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsersCtr(struct ndr_pull *n > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_user0_0; >+ uint32_t _ptr_user0; > TALLOC_CTX *_mem_save_user1_0; >+ uint32_t _ptr_user1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -3465,7 +3523,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsersCtr(struct ndr_pull *n > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_user0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user0)); > if (_ptr_user0) { > NDR_PULL_ALLOC(ndr, r->user0); >@@ -3475,7 +3532,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsersCtr(struct ndr_pull *n > break; } > > case 1: { >- uint32_t _ptr_user1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user1)); > if (_ptr_user1) { > NDR_PULL_ALLOC(ndr, r->user1); >@@ -3605,6 +3661,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetrWkstaUserInfo1101(struct ndr_push * > static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo1101(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrWkstaUserInfo1101 *r) > { > uint32_t _ptr_other_domains; >+ uint32_t size_other_domains_1 = 0; >+ uint32_t length_other_domains_1 = 0; > TALLOC_CTX *_mem_save_other_domains_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3622,11 +3680,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo1101(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->other_domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->other_domains)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->other_domains)); >- if (ndr_get_array_length(ndr, &r->other_domains) > ndr_get_array_size(ndr, &r->other_domains)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->other_domains), ndr_get_array_length(ndr, &r->other_domains)); >+ size_other_domains_1 = ndr_get_array_size(ndr, &r->other_domains); >+ length_other_domains_1 = ndr_get_array_length(ndr, &r->other_domains); >+ if (length_other_domains_1 > size_other_domains_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_other_domains_1, length_other_domains_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->other_domains), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->other_domains, ndr_get_array_length(ndr, &r->other_domains), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_other_domains_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->other_domains, length_other_domains_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_other_domains_0, 0); > } > } >@@ -3702,8 +3762,11 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo(struct ndr_pull *ndr, > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info1101_0; >+ uint32_t _ptr_info1101; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -3713,7 +3776,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo(struct ndr_pull *ndr, > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -3723,7 +3785,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo(struct ndr_pull *ndr, > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -3733,7 +3794,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo(struct ndr_pull *ndr, > break; } > > case 1101: { >- uint32_t _ptr_info1101; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1101)); > if (_ptr_info1101) { > NDR_PULL_ALLOC(ndr, r->info1101); >@@ -3851,8 +3911,12 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaTransportInfo0(struct ndr_push > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportInfo0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaTransportInfo0 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_address; >+ uint32_t size_address_1 = 0; >+ uint32_t length_address_1 = 0; > TALLOC_CTX *_mem_save_address_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -3879,11 +3943,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportInfo0(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->address) { >@@ -3891,11 +3957,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportInfo0(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->address)); >- if (ndr_get_array_length(ndr, &r->address) > ndr_get_array_size(ndr, &r->address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->address), ndr_get_array_length(ndr, &r->address)); >+ size_address_1 = ndr_get_array_size(ndr, &r->address); >+ length_address_1 = ndr_get_array_length(ndr, &r->address); >+ if (length_address_1 > size_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_address_1, length_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->address, ndr_get_array_length(ndr, &r->address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->address, length_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_address_0, 0); > } > } >@@ -3950,6 +4018,7 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaTransportCtr0(struct ndr_push * > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportCtr0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaTransportCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -3969,13 +4038,14 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportCtr0(struct ndr_pull * > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetWkstaTransportInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetWkstaTransportInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4048,6 +4118,7 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportCtr(struct ndr_pull *n > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -4057,7 +4128,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportCtr(struct ndr_pull *n > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -4176,8 +4246,12 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseInfo3(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo3(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseInfo3 *r) > { > uint32_t _ptr_unknown1; >+ uint32_t size_unknown1_1 = 0; >+ uint32_t length_unknown1_1 = 0; > TALLOC_CTX *_mem_save_unknown1_0; > uint32_t _ptr_unknown2; >+ uint32_t size_unknown2_1 = 0; >+ uint32_t length_unknown2_1 = 0; > TALLOC_CTX *_mem_save_unknown2_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4201,11 +4275,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->unknown1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown1)); >- if (ndr_get_array_length(ndr, &r->unknown1) > ndr_get_array_size(ndr, &r->unknown1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown1), ndr_get_array_length(ndr, &r->unknown1)); >+ size_unknown1_1 = ndr_get_array_size(ndr, &r->unknown1); >+ length_unknown1_1 = ndr_get_array_length(ndr, &r->unknown1); >+ if (length_unknown1_1 > size_unknown1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown1_1, length_unknown1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown1, ndr_get_array_length(ndr, &r->unknown1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown1, length_unknown1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown1_0, 0); > } > if (r->unknown2) { >@@ -4213,11 +4289,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->unknown2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown2)); >- if (ndr_get_array_length(ndr, &r->unknown2) > ndr_get_array_size(ndr, &r->unknown2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown2), ndr_get_array_length(ndr, &r->unknown2)); >+ size_unknown2_1 = ndr_get_array_size(ndr, &r->unknown2); >+ length_unknown2_1 = ndr_get_array_length(ndr, &r->unknown2); >+ if (length_unknown2_1 > size_unknown2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); > } > } >@@ -4296,14 +4374,24 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo2(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseInfo2 *r) > { > uint32_t _ptr_local; >+ uint32_t size_local_1 = 0; >+ uint32_t length_local_1 = 0; > TALLOC_CTX *_mem_save_local_0; > uint32_t _ptr_remote; >+ uint32_t size_remote_1 = 0; >+ uint32_t length_remote_1 = 0; > TALLOC_CTX *_mem_save_remote_0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_password_0; > uint32_t _ptr_user_name; >+ uint32_t size_user_name_1 = 0; >+ uint32_t length_user_name_1 = 0; > TALLOC_CTX *_mem_save_user_name_0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_domain_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4349,11 +4437,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->local, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->local)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->local)); >- if (ndr_get_array_length(ndr, &r->local) > ndr_get_array_size(ndr, &r->local)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->local), ndr_get_array_length(ndr, &r->local)); >+ size_local_1 = ndr_get_array_size(ndr, &r->local); >+ length_local_1 = ndr_get_array_length(ndr, &r->local); >+ if (length_local_1 > size_local_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_local_1, length_local_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_local_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, length_local_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_local_0, 0); > } > if (r->remote) { >@@ -4361,11 +4451,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->remote, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->remote)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->remote)); >- if (ndr_get_array_length(ndr, &r->remote) > ndr_get_array_size(ndr, &r->remote)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote), ndr_get_array_length(ndr, &r->remote)); >+ size_remote_1 = ndr_get_array_size(ndr, &r->remote); >+ length_remote_1 = ndr_get_array_length(ndr, &r->remote); >+ if (length_remote_1 > size_remote_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_1, length_remote_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, length_remote_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_0, 0); > } > if (r->password) { >@@ -4373,11 +4465,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); >- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->password); >+ length_password_1 = ndr_get_array_length(ndr, &r->password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > if (r->user_name) { >@@ -4385,11 +4479,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); >- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); >+ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); >+ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); >+ if (length_user_name_1 > size_user_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); > } > if (r->domain_name) { >@@ -4397,11 +4493,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); >- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > } >@@ -4488,10 +4586,16 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo1(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseInfo1 *r) > { > uint32_t _ptr_local; >+ uint32_t size_local_1 = 0; >+ uint32_t length_local_1 = 0; > TALLOC_CTX *_mem_save_local_0; > uint32_t _ptr_remote; >+ uint32_t size_remote_1 = 0; >+ uint32_t length_remote_1 = 0; > TALLOC_CTX *_mem_save_remote_0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_password_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4525,11 +4629,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->local, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->local)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->local)); >- if (ndr_get_array_length(ndr, &r->local) > ndr_get_array_size(ndr, &r->local)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->local), ndr_get_array_length(ndr, &r->local)); >+ size_local_1 = ndr_get_array_size(ndr, &r->local); >+ length_local_1 = ndr_get_array_length(ndr, &r->local); >+ if (length_local_1 > size_local_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_local_1, length_local_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_local_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, length_local_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_local_0, 0); > } > if (r->remote) { >@@ -4537,11 +4643,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->remote, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->remote)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->remote)); >- if (ndr_get_array_length(ndr, &r->remote) > ndr_get_array_size(ndr, &r->remote)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote), ndr_get_array_length(ndr, &r->remote)); >+ size_remote_1 = ndr_get_array_size(ndr, &r->remote); >+ length_remote_1 = ndr_get_array_length(ndr, &r->remote); >+ if (length_remote_1 > size_remote_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_1, length_remote_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, length_remote_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_0, 0); > } > if (r->password) { >@@ -4549,11 +4657,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); >- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->password); >+ length_password_1 = ndr_get_array_length(ndr, &r->password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > } >@@ -4617,8 +4727,12 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseInfo0(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseInfo0 *r) > { > uint32_t _ptr_local; >+ uint32_t size_local_1 = 0; >+ uint32_t length_local_1 = 0; > TALLOC_CTX *_mem_save_local_0; > uint32_t _ptr_remote; >+ uint32_t size_remote_1 = 0; >+ uint32_t length_remote_1 = 0; > TALLOC_CTX *_mem_save_remote_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -4642,11 +4756,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo0(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->local, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->local)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->local)); >- if (ndr_get_array_length(ndr, &r->local) > ndr_get_array_size(ndr, &r->local)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->local), ndr_get_array_length(ndr, &r->local)); >+ size_local_1 = ndr_get_array_size(ndr, &r->local); >+ length_local_1 = ndr_get_array_length(ndr, &r->local); >+ if (length_local_1 > size_local_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_local_1, length_local_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_local_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, length_local_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_local_0, 0); > } > if (r->remote) { >@@ -4654,11 +4770,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo0(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->remote, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->remote)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->remote)); >- if (ndr_get_array_length(ndr, &r->remote) > ndr_get_array_size(ndr, &r->remote)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote), ndr_get_array_length(ndr, &r->remote)); >+ size_remote_1 = ndr_get_array_size(ndr, &r->remote); >+ length_remote_1 = ndr_get_array_length(ndr, &r->remote); >+ if (length_remote_1 > size_remote_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_1, length_remote_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, length_remote_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_0, 0); > } > } >@@ -4750,9 +4868,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseGetInfoCtr(struct ndr_pull *ndr, > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -4762,7 +4884,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseGetInfoCtr(struct ndr_pull *ndr, > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -4772,7 +4893,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseGetInfoCtr(struct ndr_pull *ndr, > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -4782,7 +4902,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseGetInfoCtr(struct ndr_pull *ndr, > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -4792,7 +4911,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseGetInfoCtr(struct ndr_pull *ndr, > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -4923,6 +5041,7 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseEnumCtr2(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr2(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseEnumCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4942,13 +5061,14 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr2(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5011,6 +5131,7 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseEnumCtr1(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr1(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseEnumCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5030,13 +5151,14 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr1(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5099,6 +5221,7 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseEnumCtr0(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseEnumCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5118,13 +5241,14 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr0(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5217,8 +5341,11 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr(struct ndr_pull *ndr, in > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > TALLOC_CTX *_mem_save_ctr2_0; >+ uint32_t _ptr_ctr2; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -5228,7 +5355,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -5238,7 +5364,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr(struct ndr_pull *ndr, in > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -5248,7 +5373,6 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr(struct ndr_pull *ndr, in > break; } > > case 2: { >- uint32_t _ptr_ctr2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); > if (_ptr_ctr2) { > NDR_PULL_ALLOC(ndr, r->ctr2); >@@ -5621,12 +5745,14 @@ static enum ndr_err_code ndr_push_wkssvc_PasswordBuffer(struct ndr_push *ndr, in > > static enum ndr_err_code ndr_pull_wkssvc_PasswordBuffer(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_PasswordBuffer *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 524)); >+ size_data_0 = 524; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -5734,6 +5860,7 @@ static enum ndr_err_code ndr_push_wkssvc_ComputerNamesCtr(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_wkssvc_ComputerNamesCtr(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_ComputerNamesCtr *r) > { > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; > uint32_t cntr_computer_name_1; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_computer_name_1; >@@ -5753,13 +5880,14 @@ static enum ndr_err_code ndr_pull_wkssvc_ComputerNamesCtr(struct ndr_pull *ndr, > _mem_save_computer_name_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_name)); >- NDR_PULL_ALLOC_N(ndr, r->computer_name, ndr_get_array_size(ndr, &r->computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->computer_name); >+ NDR_PULL_ALLOC_N(ndr, r->computer_name, size_computer_name_1); > _mem_save_computer_name_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->computer_name, 0); >- for (cntr_computer_name_1 = 0; cntr_computer_name_1 < r->count; cntr_computer_name_1++) { >+ for (cntr_computer_name_1 = 0; cntr_computer_name_1 < size_computer_name_1; cntr_computer_name_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->computer_name[cntr_computer_name_1])); > } >- for (cntr_computer_name_1 = 0; cntr_computer_name_1 < r->count; cntr_computer_name_1++) { >+ for (cntr_computer_name_1 = 0; cntr_computer_name_1 < size_computer_name_1; cntr_computer_name_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->computer_name[cntr_computer_name_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_1, 0); >@@ -5822,6 +5950,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaGetInfo(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaGetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetWkstaGetInfo *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -5838,11 +5968,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaGetInfo(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -5930,6 +6062,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaSetInfo(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaSetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetWkstaSetInfo *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; > TALLOC_CTX *_mem_save_parm_error_0; >@@ -5947,11 +6081,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaSetInfo(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -6068,6 +6204,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaEnumUsers(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsers(struct ndr_pull *ndr, int flags, struct wkssvc_NetWkstaEnumUsers *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; >@@ -6087,11 +6225,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsers(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -6229,6 +6369,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetrWkstaUserGetInfo(struct ndr_push *n > static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserGetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWkstaUserGetInfo *r) > { > uint32_t _ptr_unknown; >+ uint32_t size_unknown_1 = 0; >+ uint32_t length_unknown_1 = 0; > TALLOC_CTX *_mem_save_unknown_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -6245,11 +6387,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserGetInfo(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown)); >- if (ndr_get_array_length(ndr, &r->in.unknown) > ndr_get_array_size(ndr, &r->in.unknown)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown), ndr_get_array_length(ndr, &r->in.unknown)); >+ size_unknown_1 = ndr_get_array_size(ndr, &r->in.unknown); >+ length_unknown_1 = ndr_get_array_length(ndr, &r->in.unknown); >+ if (length_unknown_1 > size_unknown_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown_1, length_unknown_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, length_unknown_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -6337,6 +6481,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetrWkstaUserSetInfo(struct ndr_push *n > static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserSetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWkstaUserSetInfo *r) > { > uint32_t _ptr_unknown; >+ uint32_t size_unknown_1 = 0; >+ uint32_t length_unknown_1 = 0; > uint32_t _ptr_parm_err; > TALLOC_CTX *_mem_save_unknown_0; > TALLOC_CTX *_mem_save_info_0; >@@ -6355,11 +6501,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserSetInfo(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown)); >- if (ndr_get_array_length(ndr, &r->in.unknown) > ndr_get_array_size(ndr, &r->in.unknown)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown), ndr_get_array_length(ndr, &r->in.unknown)); >+ size_unknown_1 = ndr_get_array_size(ndr, &r->in.unknown); >+ length_unknown_1 = ndr_get_array_length(ndr, &r->in.unknown); >+ if (length_unknown_1 > size_unknown_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown_1, length_unknown_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, length_unknown_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -6488,6 +6636,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetWkstaTransportEnum(struct ndr_push * > static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportEnum(struct ndr_pull *ndr, int flags, struct wkssvc_NetWkstaTransportEnum *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; >@@ -6507,11 +6657,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportEnum(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -6656,6 +6808,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetrWkstaTransportAdd(struct ndr_push * > static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaTransportAdd(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWkstaTransportAdd *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_parm_err; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info0_0; >@@ -6674,11 +6828,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaTransportAdd(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -6792,7 +6948,11 @@ static enum ndr_err_code ndr_push_wkssvc_NetrWkstaTransportDel(struct ndr_push * > static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaTransportDel(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWkstaTransportDel *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_transport_name; >+ uint32_t size_transport_name_1 = 0; >+ uint32_t length_transport_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_transport_name_0; > if (flags & NDR_IN) { >@@ -6807,11 +6967,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaTransportDel(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_transport_name)); >@@ -6825,11 +6987,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaTransportDel(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.transport_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.transport_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.transport_name)); >- if (ndr_get_array_length(ndr, &r->in.transport_name) > ndr_get_array_size(ndr, &r->in.transport_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.transport_name), ndr_get_array_length(ndr, &r->in.transport_name)); >+ size_transport_name_1 = ndr_get_array_size(ndr, &r->in.transport_name); >+ length_transport_name_1 = ndr_get_array_length(ndr, &r->in.transport_name); >+ if (length_transport_name_1 > size_transport_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_name_1, length_transport_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.transport_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport_name, ndr_get_array_length(ndr, &r->in.transport_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport_name, length_transport_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown3)); >@@ -6908,6 +7072,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseAdd(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_wkssvc_NetrUseAdd(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUseAdd *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_parm_err; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_ctr_0; >@@ -6926,11 +7092,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseAdd(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -7051,6 +7219,10 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseGetInfo(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_wkssvc_NetrUseGetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUseGetInfo *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_use_name_1 = 0; >+ uint32_t length_use_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_ctr_0; > if (flags & NDR_IN) { >@@ -7067,20 +7239,24 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseGetInfo(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.use_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.use_name)); >- if (ndr_get_array_length(ndr, &r->in.use_name) > ndr_get_array_size(ndr, &r->in.use_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.use_name), ndr_get_array_length(ndr, &r->in.use_name)); >+ size_use_name_1 = ndr_get_array_size(ndr, &r->in.use_name); >+ length_use_name_1 = ndr_get_array_length(ndr, &r->in.use_name); >+ if (length_use_name_1 > size_use_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_use_name_1, length_use_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.use_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.use_name, ndr_get_array_length(ndr, &r->in.use_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_use_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.use_name, length_use_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_PULL_ALLOC(ndr, r->out.ctr); > ZERO_STRUCTP(r->out.ctr); >@@ -7164,6 +7340,10 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseDel(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_wkssvc_NetrUseDel(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUseDel *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_use_name_1 = 0; >+ uint32_t length_use_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_name)); >@@ -7177,20 +7357,24 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseDel(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.use_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.use_name)); >- if (ndr_get_array_length(ndr, &r->in.use_name) > ndr_get_array_size(ndr, &r->in.use_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.use_name), ndr_get_array_length(ndr, &r->in.use_name)); >+ size_use_name_1 = ndr_get_array_size(ndr, &r->in.use_name); >+ length_use_name_1 = ndr_get_array_length(ndr, &r->in.use_name); >+ if (length_use_name_1 > size_use_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_use_name_1, length_use_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.use_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.use_name, ndr_get_array_length(ndr, &r->in.use_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_use_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.use_name, length_use_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.force_cond)); > } > if (flags & NDR_OUT) { >@@ -7272,6 +7456,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUseEnum(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnum(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUseEnum *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; >@@ -7291,11 +7477,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -7447,7 +7635,14 @@ static enum ndr_err_code ndr_push_wkssvc_NetrMessageBufferSend(struct ndr_push * > static enum ndr_err_code ndr_pull_wkssvc_NetrMessageBufferSend(struct ndr_pull *ndr, int flags, struct wkssvc_NetrMessageBufferSend *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_message_name_1 = 0; >+ uint32_t length_message_name_1 = 0; > uint32_t _ptr_message_sender_name; >+ uint32_t size_message_sender_name_1 = 0; >+ uint32_t length_message_sender_name_1 = 0; >+ uint32_t size_message_buffer_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_message_sender_name_0; > if (flags & NDR_IN) { >@@ -7462,20 +7657,24 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrMessageBufferSend(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.message_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.message_name)); >- if (ndr_get_array_length(ndr, &r->in.message_name) > ndr_get_array_size(ndr, &r->in.message_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.message_name), ndr_get_array_length(ndr, &r->in.message_name)); >+ size_message_name_1 = ndr_get_array_size(ndr, &r->in.message_name); >+ length_message_name_1 = ndr_get_array_length(ndr, &r->in.message_name); >+ if (length_message_name_1 > size_message_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_message_name_1, length_message_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.message_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.message_name, ndr_get_array_length(ndr, &r->in.message_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_message_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.message_name, length_message_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_message_sender_name)); > if (_ptr_message_sender_name) { > NDR_PULL_ALLOC(ndr, r->in.message_sender_name); >@@ -7487,18 +7686,21 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrMessageBufferSend(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.message_sender_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.message_sender_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.message_sender_name)); >- if (ndr_get_array_length(ndr, &r->in.message_sender_name) > ndr_get_array_size(ndr, &r->in.message_sender_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.message_sender_name), ndr_get_array_length(ndr, &r->in.message_sender_name)); >+ size_message_sender_name_1 = ndr_get_array_size(ndr, &r->in.message_sender_name); >+ length_message_sender_name_1 = ndr_get_array_length(ndr, &r->in.message_sender_name); >+ if (length_message_sender_name_1 > size_message_sender_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_message_sender_name_1, length_message_sender_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.message_sender_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.message_sender_name, ndr_get_array_length(ndr, &r->in.message_sender_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_message_sender_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.message_sender_name, length_message_sender_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_message_sender_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.message_buffer)); >+ size_message_buffer_1 = ndr_get_array_size(ndr, &r->in.message_buffer); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.message_buffer, ndr_get_array_size(ndr, &r->in.message_buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->in.message_buffer, size_message_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.message_buffer, ndr_get_array_size(ndr, &r->in.message_buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.message_buffer, size_message_buffer_1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.message_size)); > if (r->in.message_buffer) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.message_buffer, r->in.message_size)); >@@ -7588,7 +7790,11 @@ static enum ndr_err_code ndr_push_wkssvc_NetrWorkstationStatisticsGet(struct ndr > static enum ndr_err_code ndr_pull_wkssvc_NetrWorkstationStatisticsGet(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWorkstationStatisticsGet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_unknown2; >+ uint32_t size_unknown2_1 = 0; >+ uint32_t length_unknown2_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_unknown2_0; >@@ -7608,11 +7814,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWorkstationStatisticsGet(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown2)); >@@ -7626,11 +7834,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrWorkstationStatisticsGet(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown2)); >- if (ndr_get_array_length(ndr, &r->in.unknown2) > ndr_get_array_size(ndr, &r->in.unknown2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown2), ndr_get_array_length(ndr, &r->in.unknown2)); >+ size_unknown2_1 = ndr_get_array_size(ndr, &r->in.unknown2); >+ length_unknown2_1 = ndr_get_array_length(ndr, &r->in.unknown2); >+ if (length_unknown2_1 > size_unknown2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown2, ndr_get_array_length(ndr, &r->in.unknown2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown3)); >@@ -7725,14 +7935,18 @@ static enum ndr_err_code ndr_push_wkssvc_NetrLogonDomainNameAdd(struct ndr_push > > static enum ndr_err_code ndr_pull_wkssvc_NetrLogonDomainNameAdd(struct ndr_pull *ndr, int flags, struct wkssvc_NetrLogonDomainNameAdd *r) > { >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -7784,14 +7998,18 @@ static enum ndr_err_code ndr_push_wkssvc_NetrLogonDomainNameDel(struct ndr_push > > static enum ndr_err_code ndr_pull_wkssvc_NetrLogonDomainNameDel(struct ndr_pull *ndr, int flags, struct wkssvc_NetrLogonDomainNameDel *r) > { >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -7873,9 +8091,19 @@ static enum ndr_err_code ndr_push_wkssvc_NetrJoinDomain(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain(struct ndr_pull *ndr, int flags, struct wkssvc_NetrJoinDomain *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_account_ou; >+ uint32_t size_account_ou_1 = 0; >+ uint32_t length_account_ou_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_account_ou_0; > TALLOC_CTX *_mem_save_Account_0; >@@ -7892,20 +8120,24 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account_ou)); > if (_ptr_account_ou) { > NDR_PULL_ALLOC(ndr, r->in.account_ou); >@@ -7917,11 +8149,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.account_ou, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_ou)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_ou)); >- if (ndr_get_array_length(ndr, &r->in.account_ou) > ndr_get_array_size(ndr, &r->in.account_ou)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_ou), ndr_get_array_length(ndr, &r->in.account_ou)); >+ size_account_ou_1 = ndr_get_array_size(ndr, &r->in.account_ou); >+ length_account_ou_1 = ndr_get_array_length(ndr, &r->in.account_ou); >+ if (length_account_ou_1 > size_account_ou_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_ou_1, length_account_ou_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_ou), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_ou, ndr_get_array_length(ndr, &r->in.account_ou), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_ou_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_ou, length_account_ou_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_ou_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); >@@ -7935,11 +8169,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -7953,11 +8189,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); >- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ length_password_1 = ndr_get_array_length(ndr, &r->in.password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_wkssvc_joinflags(ndr, NDR_SCALARS, &r->in.join_flags)); >@@ -8053,8 +8291,14 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUnjoinDomain(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_wkssvc_NetrUnjoinDomain(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUnjoinDomain *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_Account_0; > TALLOC_CTX *_mem_save_password_0; >@@ -8070,11 +8314,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUnjoinDomain(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); >@@ -8088,11 +8334,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUnjoinDomain(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -8106,11 +8354,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUnjoinDomain(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); >- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ length_password_1 = ndr_get_array_length(ndr, &r->in.password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_wkssvc_joinflags(ndr, NDR_SCALARS, &r->in.unjoin_flags)); >@@ -8203,9 +8453,17 @@ static enum ndr_err_code ndr_push_wkssvc_NetrRenameMachineInDomain(struct ndr_pu > static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain(struct ndr_pull *ndr, int flags, struct wkssvc_NetrRenameMachineInDomain *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_NewMachineName; >+ uint32_t size_NewMachineName_1 = 0; >+ uint32_t length_NewMachineName_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_NewMachineName_0; > TALLOC_CTX *_mem_save_Account_0; >@@ -8222,11 +8480,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_NewMachineName)); >@@ -8240,11 +8500,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.NewMachineName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.NewMachineName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.NewMachineName)); >- if (ndr_get_array_length(ndr, &r->in.NewMachineName) > ndr_get_array_size(ndr, &r->in.NewMachineName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.NewMachineName), ndr_get_array_length(ndr, &r->in.NewMachineName)); >+ size_NewMachineName_1 = ndr_get_array_size(ndr, &r->in.NewMachineName); >+ length_NewMachineName_1 = ndr_get_array_length(ndr, &r->in.NewMachineName); >+ if (length_NewMachineName_1 > size_NewMachineName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_NewMachineName_1, length_NewMachineName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.NewMachineName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewMachineName, ndr_get_array_length(ndr, &r->in.NewMachineName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_NewMachineName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewMachineName, length_NewMachineName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_NewMachineName_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); >@@ -8258,11 +8520,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -8276,11 +8540,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); >- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ length_password_1 = ndr_get_array_length(ndr, &r->in.password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_wkssvc_renameflags(ndr, NDR_SCALARS, &r->in.RenameOptions)); >@@ -8379,8 +8645,16 @@ static enum ndr_err_code ndr_push_wkssvc_NetrValidateName(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_wkssvc_NetrValidateName(struct ndr_pull *ndr, int flags, struct wkssvc_NetrValidateName *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_Password; >+ uint32_t size_Password_1 = 0; >+ uint32_t length_Password_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_Account_0; > TALLOC_CTX *_mem_save_Password_0; >@@ -8396,20 +8670,24 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrValidateName(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name)); >- if (ndr_get_array_length(ndr, &r->in.name) > ndr_get_array_size(ndr, &r->in.name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name), ndr_get_array_length(ndr, &r->in.name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->in.name); >+ length_name_1 = ndr_get_array_length(ndr, &r->in.name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); > if (_ptr_Account) { > NDR_PULL_ALLOC(ndr, r->in.Account); >@@ -8421,11 +8699,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrValidateName(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Password)); >@@ -8439,11 +8719,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrValidateName(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.Password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Password)); >- if (ndr_get_array_length(ndr, &r->in.Password) > ndr_get_array_size(ndr, &r->in.Password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Password), ndr_get_array_length(ndr, &r->in.Password)); >+ size_Password_1 = ndr_get_array_size(ndr, &r->in.Password); >+ length_Password_1 = ndr_get_array_length(ndr, &r->in.Password); >+ if (length_Password_1 > size_Password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Password_1, length_Password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Password, ndr_get_array_length(ndr, &r->in.Password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Password, length_Password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Password_0, 0); > } > NDR_CHECK(ndr_pull_wkssvc_NetValidateNameType(ndr, NDR_SCALARS, &r->in.name_type)); >@@ -8542,7 +8824,11 @@ static enum ndr_err_code ndr_push_wkssvc_NetrGetJoinInformation(struct ndr_push > static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinInformation(struct ndr_pull *ndr, int flags, struct wkssvc_NetrGetJoinInformation *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_name_buffer; >+ uint32_t size_name_buffer_2 = 0; >+ uint32_t length_name_buffer_2 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_name_buffer_0; > TALLOC_CTX *_mem_save_name_buffer_1; >@@ -8561,11 +8847,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinInformation(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -8584,11 +8872,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinInformation(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, *r->in.name_buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->in.name_buffer)); > NDR_CHECK(ndr_pull_array_length(ndr, r->in.name_buffer)); >- if (ndr_get_array_length(ndr, r->in.name_buffer) > ndr_get_array_size(ndr, r->in.name_buffer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->in.name_buffer), ndr_get_array_length(ndr, r->in.name_buffer)); >+ size_name_buffer_2 = ndr_get_array_size(ndr, r->in.name_buffer); >+ length_name_buffer_2 = ndr_get_array_length(ndr, r->in.name_buffer); >+ if (length_name_buffer_2 > size_name_buffer_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_buffer_2, length_name_buffer_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->in.name_buffer), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.name_buffer, ndr_get_array_length(ndr, r->in.name_buffer), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_buffer_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.name_buffer, length_name_buffer_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_buffer_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_buffer_0, LIBNDR_FLAG_REF_ALLOC); >@@ -8614,11 +8904,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinInformation(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, *r->out.name_buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.name_buffer)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.name_buffer)); >- if (ndr_get_array_length(ndr, r->out.name_buffer) > ndr_get_array_size(ndr, r->out.name_buffer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.name_buffer), ndr_get_array_length(ndr, r->out.name_buffer)); >+ size_name_buffer_2 = ndr_get_array_size(ndr, r->out.name_buffer); >+ length_name_buffer_2 = ndr_get_array_length(ndr, r->out.name_buffer); >+ if (length_name_buffer_2 > size_name_buffer_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_buffer_2, length_name_buffer_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.name_buffer), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.name_buffer, ndr_get_array_length(ndr, r->out.name_buffer), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_buffer_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.name_buffer, length_name_buffer_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_buffer_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_buffer_0, LIBNDR_FLAG_REF_ALLOC); >@@ -8751,10 +9043,21 @@ static enum ndr_err_code ndr_push_wkssvc_NetrGetJoinableOus(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus(struct ndr_pull *ndr, int flags, struct wkssvc_NetrGetJoinableOus *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_unknown; >+ uint32_t size_unknown_1 = 0; >+ uint32_t length_unknown_1 = 0; > uint32_t _ptr_ous; >+ uint32_t size_ous_2 = 0; > uint32_t cntr_ous_2; >+ uint32_t size_ous_4 = 0; >+ uint32_t length_ous_4 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_Account_0; > TALLOC_CTX *_mem_save_unknown_0; >@@ -8777,20 +9080,24 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); > if (_ptr_Account) { > NDR_PULL_ALLOC(ndr, r->in.Account); >@@ -8802,11 +9109,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown)); >@@ -8820,11 +9129,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown)); >- if (ndr_get_array_length(ndr, &r->in.unknown) > ndr_get_array_size(ndr, &r->in.unknown)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown), ndr_get_array_length(ndr, &r->in.unknown)); >+ size_unknown_1 = ndr_get_array_size(ndr, &r->in.unknown); >+ length_unknown_1 = ndr_get_array_length(ndr, &r->in.unknown); >+ if (length_unknown_1 > size_unknown_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown_1, length_unknown_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, length_unknown_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -8862,10 +9173,11 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus(struct ndr_pull *ndr > _mem_save_ous_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, *r->out.ous, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.ous)); >- NDR_PULL_ALLOC_N(ndr, *r->out.ous, ndr_get_array_size(ndr, r->out.ous)); >+ size_ous_2 = ndr_get_array_size(ndr, r->out.ous); >+ NDR_PULL_ALLOC_N(ndr, *r->out.ous, size_ous_2); > _mem_save_ous_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, *r->out.ous, 0); >- for (cntr_ous_2 = 0; cntr_ous_2 < *r->out.num_ous; cntr_ous_2++) { >+ for (cntr_ous_2 = 0; cntr_ous_2 < size_ous_2; cntr_ous_2++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ous)); > if (_ptr_ous) { > NDR_PULL_ALLOC(ndr, (*r->out.ous)[cntr_ous_2]); >@@ -8873,17 +9185,19 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus(struct ndr_pull *ndr > (*r->out.ous)[cntr_ous_2] = NULL; > } > } >- for (cntr_ous_2 = 0; cntr_ous_2 < *r->out.num_ous; cntr_ous_2++) { >+ for (cntr_ous_2 = 0; cntr_ous_2 < size_ous_2; cntr_ous_2++) { > if ((*r->out.ous)[cntr_ous_2]) { > _mem_save_ous_3 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, (*r->out.ous)[cntr_ous_2], 0); > NDR_CHECK(ndr_pull_array_size(ndr, &(*r->out.ous)[cntr_ous_2])); > NDR_CHECK(ndr_pull_array_length(ndr, &(*r->out.ous)[cntr_ous_2])); >- if (ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]) > ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2])) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2]), ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2])); >+ size_ous_4 = ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2]); >+ length_ous_4 = ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]); >+ if (length_ous_4 > size_ous_4) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ous_4, length_ous_4); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.ous)[cntr_ous_2], ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ous_4, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.ous)[cntr_ous_2], length_ous_4, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ous_3, 0); > } > } >@@ -9020,8 +9334,16 @@ static enum ndr_err_code ndr_push_wkssvc_NetrJoinDomain2(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrJoinDomain2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_account_ou; >+ uint32_t size_account_ou_1 = 0; >+ uint32_t length_account_ou_1 = 0; > uint32_t _ptr_admin_account; >+ uint32_t size_admin_account_1 = 0; >+ uint32_t length_admin_account_1 = 0; > uint32_t _ptr_encrypted_password; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_account_ou_0; >@@ -9039,20 +9361,24 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account_ou)); > if (_ptr_account_ou) { > NDR_PULL_ALLOC(ndr, r->in.account_ou); >@@ -9064,11 +9390,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.account_ou, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_ou)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_ou)); >- if (ndr_get_array_length(ndr, &r->in.account_ou) > ndr_get_array_size(ndr, &r->in.account_ou)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_ou), ndr_get_array_length(ndr, &r->in.account_ou)); >+ size_account_ou_1 = ndr_get_array_size(ndr, &r->in.account_ou); >+ length_account_ou_1 = ndr_get_array_length(ndr, &r->in.account_ou); >+ if (length_account_ou_1 > size_account_ou_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_ou_1, length_account_ou_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_ou), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_ou, ndr_get_array_length(ndr, &r->in.account_ou), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_ou_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_ou, length_account_ou_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_ou_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_admin_account)); >@@ -9082,11 +9410,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.admin_account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.admin_account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.admin_account)); >- if (ndr_get_array_length(ndr, &r->in.admin_account) > ndr_get_array_size(ndr, &r->in.admin_account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.admin_account), ndr_get_array_length(ndr, &r->in.admin_account)); >+ size_admin_account_1 = ndr_get_array_size(ndr, &r->in.admin_account); >+ length_admin_account_1 = ndr_get_array_length(ndr, &r->in.admin_account); >+ if (length_admin_account_1 > size_admin_account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_admin_account_1, length_admin_account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.admin_account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.admin_account, ndr_get_array_length(ndr, &r->in.admin_account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_admin_account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.admin_account, length_admin_account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_admin_account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_encrypted_password)); >@@ -9191,7 +9521,11 @@ static enum ndr_err_code ndr_push_wkssvc_NetrUnjoinDomain2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_wkssvc_NetrUnjoinDomain2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUnjoinDomain2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_account; >+ uint32_t size_account_1 = 0; >+ uint32_t length_account_1 = 0; > uint32_t _ptr_encrypted_password; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_account_0; >@@ -9208,11 +9542,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUnjoinDomain2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account)); >@@ -9226,11 +9562,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrUnjoinDomain2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account)); >- if (ndr_get_array_length(ndr, &r->in.account) > ndr_get_array_size(ndr, &r->in.account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account), ndr_get_array_length(ndr, &r->in.account)); >+ size_account_1 = ndr_get_array_size(ndr, &r->in.account); >+ length_account_1 = ndr_get_array_length(ndr, &r->in.account); >+ if (length_account_1 > size_account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_1, length_account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account, ndr_get_array_length(ndr, &r->in.account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account, length_account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_encrypted_password)); >@@ -9332,8 +9670,14 @@ static enum ndr_err_code ndr_push_wkssvc_NetrRenameMachineInDomain2(struct ndr_p > static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrRenameMachineInDomain2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_NewMachineName; >+ uint32_t size_NewMachineName_1 = 0; >+ uint32_t length_NewMachineName_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_EncryptedPassword; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_NewMachineName_0; >@@ -9351,11 +9695,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain2(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_NewMachineName)); >@@ -9369,11 +9715,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain2(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.NewMachineName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.NewMachineName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.NewMachineName)); >- if (ndr_get_array_length(ndr, &r->in.NewMachineName) > ndr_get_array_size(ndr, &r->in.NewMachineName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.NewMachineName), ndr_get_array_length(ndr, &r->in.NewMachineName)); >+ size_NewMachineName_1 = ndr_get_array_size(ndr, &r->in.NewMachineName); >+ length_NewMachineName_1 = ndr_get_array_length(ndr, &r->in.NewMachineName); >+ if (length_NewMachineName_1 > size_NewMachineName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_NewMachineName_1, length_NewMachineName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.NewMachineName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewMachineName, ndr_get_array_length(ndr, &r->in.NewMachineName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_NewMachineName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewMachineName, length_NewMachineName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_NewMachineName_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); >@@ -9387,11 +9735,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain2(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); >@@ -9499,7 +9849,13 @@ static enum ndr_err_code ndr_push_wkssvc_NetrValidateName2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_wkssvc_NetrValidateName2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrValidateName2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_EncryptedPassword; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_Account_0; >@@ -9516,20 +9872,24 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrValidateName2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name)); >- if (ndr_get_array_length(ndr, &r->in.name) > ndr_get_array_size(ndr, &r->in.name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name), ndr_get_array_length(ndr, &r->in.name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->in.name); >+ length_name_1 = ndr_get_array_length(ndr, &r->in.name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); > if (_ptr_Account) { > NDR_PULL_ALLOC(ndr, r->in.Account); >@@ -9541,11 +9901,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrValidateName2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); >@@ -9677,10 +10039,19 @@ static enum ndr_err_code ndr_push_wkssvc_NetrGetJoinableOus2(struct ndr_push *nd > static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrGetJoinableOus2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_EncryptedPassword; > uint32_t _ptr_ous; >+ uint32_t size_ous_2 = 0; > uint32_t cntr_ous_2; >+ uint32_t size_ous_4 = 0; >+ uint32_t length_ous_4 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_Account_0; > TALLOC_CTX *_mem_save_EncryptedPassword_0; >@@ -9703,20 +10074,24 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus2(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); > if (_ptr_Account) { > NDR_PULL_ALLOC(ndr, r->in.Account); >@@ -9728,11 +10103,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus2(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); >@@ -9782,10 +10159,11 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus2(struct ndr_pull *nd > _mem_save_ous_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, *r->out.ous, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.ous)); >- NDR_PULL_ALLOC_N(ndr, *r->out.ous, ndr_get_array_size(ndr, r->out.ous)); >+ size_ous_2 = ndr_get_array_size(ndr, r->out.ous); >+ NDR_PULL_ALLOC_N(ndr, *r->out.ous, size_ous_2); > _mem_save_ous_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, *r->out.ous, 0); >- for (cntr_ous_2 = 0; cntr_ous_2 < *r->out.num_ous; cntr_ous_2++) { >+ for (cntr_ous_2 = 0; cntr_ous_2 < size_ous_2; cntr_ous_2++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ous)); > if (_ptr_ous) { > NDR_PULL_ALLOC(ndr, (*r->out.ous)[cntr_ous_2]); >@@ -9793,17 +10171,19 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus2(struct ndr_pull *nd > (*r->out.ous)[cntr_ous_2] = NULL; > } > } >- for (cntr_ous_2 = 0; cntr_ous_2 < *r->out.num_ous; cntr_ous_2++) { >+ for (cntr_ous_2 = 0; cntr_ous_2 < size_ous_2; cntr_ous_2++) { > if ((*r->out.ous)[cntr_ous_2]) { > _mem_save_ous_3 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, (*r->out.ous)[cntr_ous_2], 0); > NDR_CHECK(ndr_pull_array_size(ndr, &(*r->out.ous)[cntr_ous_2])); > NDR_CHECK(ndr_pull_array_length(ndr, &(*r->out.ous)[cntr_ous_2])); >- if (ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]) > ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2])) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2]), ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2])); >+ size_ous_4 = ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2]); >+ length_ous_4 = ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]); >+ if (length_ous_4 > size_ous_4) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ous_4, length_ous_4); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.ous)[cntr_ous_2], ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ous_4, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.ous)[cntr_ous_2], length_ous_4, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ous_3, 0); > } > } >@@ -9933,8 +10313,14 @@ static enum ndr_err_code ndr_push_wkssvc_NetrAddAlternateComputerName(struct ndr > static enum ndr_err_code ndr_pull_wkssvc_NetrAddAlternateComputerName(struct ndr_pull *ndr, int flags, struct wkssvc_NetrAddAlternateComputerName *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_NewAlternateMachineName; >+ uint32_t size_NewAlternateMachineName_1 = 0; >+ uint32_t length_NewAlternateMachineName_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_EncryptedPassword; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_NewAlternateMachineName_0; >@@ -9952,11 +10338,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrAddAlternateComputerName(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_NewAlternateMachineName)); >@@ -9970,11 +10358,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrAddAlternateComputerName(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.NewAlternateMachineName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.NewAlternateMachineName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.NewAlternateMachineName)); >- if (ndr_get_array_length(ndr, &r->in.NewAlternateMachineName) > ndr_get_array_size(ndr, &r->in.NewAlternateMachineName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.NewAlternateMachineName), ndr_get_array_length(ndr, &r->in.NewAlternateMachineName)); >+ size_NewAlternateMachineName_1 = ndr_get_array_size(ndr, &r->in.NewAlternateMachineName); >+ length_NewAlternateMachineName_1 = ndr_get_array_length(ndr, &r->in.NewAlternateMachineName); >+ if (length_NewAlternateMachineName_1 > size_NewAlternateMachineName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_NewAlternateMachineName_1, length_NewAlternateMachineName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.NewAlternateMachineName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewAlternateMachineName, ndr_get_array_length(ndr, &r->in.NewAlternateMachineName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_NewAlternateMachineName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewAlternateMachineName, length_NewAlternateMachineName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_NewAlternateMachineName_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); >@@ -9988,11 +10378,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrAddAlternateComputerName(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); >@@ -10100,8 +10492,14 @@ static enum ndr_err_code ndr_push_wkssvc_NetrRemoveAlternateComputerName(struct > static enum ndr_err_code ndr_pull_wkssvc_NetrRemoveAlternateComputerName(struct ndr_pull *ndr, int flags, struct wkssvc_NetrRemoveAlternateComputerName *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_AlternateMachineNameToRemove; >+ uint32_t size_AlternateMachineNameToRemove_1 = 0; >+ uint32_t length_AlternateMachineNameToRemove_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_EncryptedPassword; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_AlternateMachineNameToRemove_0; >@@ -10119,11 +10517,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRemoveAlternateComputerName(struct > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_AlternateMachineNameToRemove)); >@@ -10137,11 +10537,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRemoveAlternateComputerName(struct > NDR_PULL_SET_MEM_CTX(ndr, r->in.AlternateMachineNameToRemove, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.AlternateMachineNameToRemove)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.AlternateMachineNameToRemove)); >- if (ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove) > ndr_get_array_size(ndr, &r->in.AlternateMachineNameToRemove)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.AlternateMachineNameToRemove), ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove)); >+ size_AlternateMachineNameToRemove_1 = ndr_get_array_size(ndr, &r->in.AlternateMachineNameToRemove); >+ length_AlternateMachineNameToRemove_1 = ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove); >+ if (length_AlternateMachineNameToRemove_1 > size_AlternateMachineNameToRemove_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_AlternateMachineNameToRemove_1, length_AlternateMachineNameToRemove_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.AlternateMachineNameToRemove, ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_AlternateMachineNameToRemove_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.AlternateMachineNameToRemove, length_AlternateMachineNameToRemove_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_AlternateMachineNameToRemove_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); >@@ -10155,11 +10557,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrRemoveAlternateComputerName(struct > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); >@@ -10267,8 +10671,14 @@ static enum ndr_err_code ndr_push_wkssvc_NetrSetPrimaryComputername(struct ndr_p > static enum ndr_err_code ndr_pull_wkssvc_NetrSetPrimaryComputername(struct ndr_pull *ndr, int flags, struct wkssvc_NetrSetPrimaryComputername *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_primary_name; >+ uint32_t size_primary_name_1 = 0; >+ uint32_t length_primary_name_1 = 0; > uint32_t _ptr_Account; >+ uint32_t size_Account_1 = 0; >+ uint32_t length_Account_1 = 0; > uint32_t _ptr_EncryptedPassword; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_primary_name_0; >@@ -10286,11 +10696,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrSetPrimaryComputername(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_primary_name)); >@@ -10304,11 +10716,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrSetPrimaryComputername(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.primary_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.primary_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.primary_name)); >- if (ndr_get_array_length(ndr, &r->in.primary_name) > ndr_get_array_size(ndr, &r->in.primary_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.primary_name), ndr_get_array_length(ndr, &r->in.primary_name)); >+ size_primary_name_1 = ndr_get_array_size(ndr, &r->in.primary_name); >+ length_primary_name_1 = ndr_get_array_length(ndr, &r->in.primary_name); >+ if (length_primary_name_1 > size_primary_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_primary_name_1, length_primary_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.primary_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.primary_name, ndr_get_array_length(ndr, &r->in.primary_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_primary_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.primary_name, length_primary_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_primary_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); >@@ -10322,11 +10736,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrSetPrimaryComputername(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); >- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); >+ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); >+ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); >+ if (length_Account_1 > size_Account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); >@@ -10424,6 +10840,8 @@ static enum ndr_err_code ndr_push_wkssvc_NetrEnumerateComputerNames(struct ndr_p > static enum ndr_err_code ndr_pull_wkssvc_NetrEnumerateComputerNames(struct ndr_pull *ndr, int flags, struct wkssvc_NetrEnumerateComputerNames *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_ctr; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_ctr_0; >@@ -10442,11 +10860,13 @@ static enum ndr_err_code ndr_pull_wkssvc_NetrEnumerateComputerNames(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_wkssvc_ComputerNameType(ndr, NDR_SCALARS, &r->in.name_type)); >diff --git a/librpc/gen_ndr/ndr_xattr.c b/librpc/gen_ndr/ndr_xattr.c >index bbffd50..5cce8c3 100644 >--- a/librpc/gen_ndr/ndr_xattr.c >+++ b/librpc/gen_ndr/ndr_xattr.c >@@ -461,6 +461,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_xattr_DosEAs(struct ndr_push *ndr, int ndr_f > _PUBLIC_ enum ndr_err_code ndr_pull_xattr_DosEAs(struct ndr_pull *ndr, int ndr_flags, struct xattr_DosEAs *r) > { > uint32_t _ptr_eas; >+ uint32_t size_eas_1 = 0; > uint32_t cntr_eas_1; > TALLOC_CTX *_mem_save_eas_0; > TALLOC_CTX *_mem_save_eas_1; >@@ -480,10 +481,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_xattr_DosEAs(struct ndr_pull *ndr, int ndr_f > _mem_save_eas_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->eas, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->eas)); >- NDR_PULL_ALLOC_N(ndr, r->eas, ndr_get_array_size(ndr, &r->eas)); >+ size_eas_1 = ndr_get_array_size(ndr, &r->eas); >+ NDR_PULL_ALLOC_N(ndr, r->eas, size_eas_1); > _mem_save_eas_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->eas, 0); >- for (cntr_eas_1 = 0; cntr_eas_1 < r->num_eas; cntr_eas_1++) { >+ for (cntr_eas_1 = 0; cntr_eas_1 < size_eas_1; cntr_eas_1++) { > NDR_CHECK(ndr_pull_xattr_EA(ndr, NDR_SCALARS, &r->eas[cntr_eas_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eas_1, 0); >@@ -538,15 +540,17 @@ _PUBLIC_ enum ndr_err_code ndr_push_tdb_xattrs(struct ndr_push *ndr, int ndr_fla > > _PUBLIC_ enum ndr_err_code ndr_pull_tdb_xattrs(struct ndr_pull *ndr, int ndr_flags, struct tdb_xattrs *r) > { >+ uint32_t size_eas_0 = 0; > uint32_t cntr_eas_0; > TALLOC_CTX *_mem_save_eas_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_eas)); >- NDR_PULL_ALLOC_N(ndr, r->eas, r->num_eas); >+ size_eas_0 = r->num_eas; >+ NDR_PULL_ALLOC_N(ndr, r->eas, size_eas_0); > _mem_save_eas_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->eas, 0); >- for (cntr_eas_0 = 0; cntr_eas_0 < r->num_eas; cntr_eas_0++) { >+ for (cntr_eas_0 = 0; cntr_eas_0 < size_eas_0; cntr_eas_0++) { > NDR_CHECK(ndr_pull_xattr_EA(ndr, NDR_SCALARS, &r->eas[cntr_eas_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eas_0, 0); >@@ -650,6 +654,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_xattr_DosStreams(struct ndr_push *ndr, int n > _PUBLIC_ enum ndr_err_code ndr_pull_xattr_DosStreams(struct ndr_pull *ndr, int ndr_flags, struct xattr_DosStreams *r) > { > uint32_t _ptr_streams; >+ uint32_t size_streams_1 = 0; > uint32_t cntr_streams_1; > TALLOC_CTX *_mem_save_streams_0; > TALLOC_CTX *_mem_save_streams_1; >@@ -669,10 +674,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_xattr_DosStreams(struct ndr_pull *ndr, int n > _mem_save_streams_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->streams, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->streams)); >- NDR_PULL_ALLOC_N(ndr, r->streams, ndr_get_array_size(ndr, &r->streams)); >+ size_streams_1 = ndr_get_array_size(ndr, &r->streams); >+ NDR_PULL_ALLOC_N(ndr, r->streams, size_streams_1); > _mem_save_streams_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->streams, 0); >- for (cntr_streams_1 = 0; cntr_streams_1 < r->num_streams; cntr_streams_1++) { >+ for (cntr_streams_1 = 0; cntr_streams_1 < size_streams_1; cntr_streams_1++) { > NDR_CHECK(ndr_pull_xattr_DosStream(ndr, NDR_SCALARS, &r->streams[cntr_streams_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_streams_1, 0); >@@ -729,6 +735,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash_v2(struct ndr_pull > { > uint32_t _ptr_sd; > TALLOC_CTX *_mem_save_sd_0; >+ uint32_t size_hash_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd)); >@@ -737,7 +744,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash_v2(struct ndr_pull > } else { > r->sd = NULL; > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); >+ size_hash_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -786,6 +794,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash_v3(struct ndr_pull > { > uint32_t _ptr_sd; > TALLOC_CTX *_mem_save_sd_0; >+ uint32_t size_hash_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd)); >@@ -795,7 +804,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash_v3(struct ndr_pull > r->sd = NULL; > } > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->hash_type)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 64)); >+ size_hash_0 = 64; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -880,8 +890,11 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_sd_0; >+ uint32_t _ptr_sd; > TALLOC_CTX *_mem_save_sd_hs2_0; >+ uint32_t _ptr_sd_hs2; > TALLOC_CTX *_mem_save_sd_hs3_0; >+ uint32_t _ptr_sd_hs3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -891,7 +904,6 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr > NDR_CHECK(ndr_pull_union_align(ndr, 5)); > switch (level) { > case 1: { >- uint32_t _ptr_sd; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd)); > if (_ptr_sd) { > NDR_PULL_ALLOC(ndr, r->sd); >@@ -901,7 +913,6 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr > break; } > > case 2: { >- uint32_t _ptr_sd_hs2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_hs2)); > if (_ptr_sd_hs2) { > NDR_PULL_ALLOC(ndr, r->sd_hs2); >@@ -911,7 +922,6 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr > break; } > > case 3: { >- uint32_t _ptr_sd_hs3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_hs3)); > if (_ptr_sd_hs3) { > NDR_PULL_ALLOC(ndr, r->sd_hs3); >diff --git a/source3/librpc/gen_ndr/ndr_libnetapi.c b/source3/librpc/gen_ndr/ndr_libnetapi.c >index 2dfca23..6320117 100644 >--- a/source3/librpc/gen_ndr/ndr_libnetapi.c >+++ b/source3/librpc/gen_ndr/ndr_libnetapi.c >@@ -47,17 +47,21 @@ _PUBLIC_ enum ndr_err_code ndr_push_domsid(struct ndr_push *ndr, int ndr_flags, > > _PUBLIC_ enum ndr_err_code ndr_pull_domsid(struct ndr_pull *ndr, int ndr_flags, struct domsid *r) > { >+ uint32_t size_id_auth_0 = 0; >+ uint32_t size_sub_auths_0 = 0; > uint32_t cntr_sub_auths_0; > TALLOC_CTX *_mem_save_sub_auths_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_auths)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6)); >- NDR_PULL_ALLOC_N(ndr, r->sub_auths, MAXSUBAUTHS); >+ size_id_auth_0 = 6; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, size_id_auth_0)); >+ size_sub_auths_0 = MAXSUBAUTHS; >+ NDR_PULL_ALLOC_N(ndr, r->sub_auths, size_sub_auths_0); > _mem_save_sub_auths_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sub_auths, 0); >- for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < MAXSUBAUTHS; cntr_sub_auths_0++) { >+ for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < size_sub_auths_0; cntr_sub_auths_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sub_auths[cntr_sub_auths_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sub_auths_0, 0); >@@ -4891,10 +4895,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_USER_INFO_21(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_USER_INFO_21(struct ndr_pull *ndr, int ndr_flags, struct USER_INFO_21 *r) > { >+ uint32_t size_usri21_password_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_PULL_ALLOC_N(ndr, r->usri21_password, ENCRYPTED_PWLEN); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri21_password, ENCRYPTED_PWLEN)); >+ size_usri21_password_0 = ENCRYPTED_PWLEN; >+ NDR_PULL_ALLOC_N(ndr, r->usri21_password, size_usri21_password_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri21_password, size_usri21_password_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -4950,13 +4956,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_USER_INFO_22(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_USER_INFO_22(struct ndr_pull *ndr, int ndr_flags, struct USER_INFO_22 *r) > { >+ uint32_t size_usri22_password_0 = 0; > uint32_t _ptr_usri22_logon_hours; > TALLOC_CTX *_mem_save_usri22_logon_hours_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->usri22_name)); >- NDR_PULL_ALLOC_N(ndr, r->usri22_password, ENCRYPTED_PWLEN); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri22_password, ENCRYPTED_PWLEN)); >+ size_usri22_password_0 = ENCRYPTED_PWLEN; >+ NDR_PULL_ALLOC_N(ndr, r->usri22_password, size_usri22_password_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri22_password, size_usri22_password_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->usri22_password_age)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->usri22_priv)); > NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->usri22_home_dir)); >diff --git a/source3/librpc/gen_ndr/ndr_messaging.c b/source3/librpc/gen_ndr/ndr_messaging.c >index 1452630..231cf5b 100644 >--- a/source3/librpc/gen_ndr/ndr_messaging.c >+++ b/source3/librpc/gen_ndr/ndr_messaging.c >@@ -148,24 +148,27 @@ _PUBLIC_ enum ndr_err_code ndr_push_messaging_array(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_messaging_array(struct ndr_pull *ndr, int ndr_flags, struct messaging_array *r) > { >+ uint32_t size_messages_0 = 0; > uint32_t cntr_messages_0; > TALLOC_CTX *_mem_save_messages_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_messages)); >- NDR_PULL_ALLOC_N(ndr, r->messages, r->num_messages); >+ size_messages_0 = r->num_messages; >+ NDR_PULL_ALLOC_N(ndr, r->messages, size_messages_0); > _mem_save_messages_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->messages, 0); >- for (cntr_messages_0 = 0; cntr_messages_0 < r->num_messages; cntr_messages_0++) { >+ for (cntr_messages_0 = 0; cntr_messages_0 < size_messages_0; cntr_messages_0++) { > NDR_CHECK(ndr_pull_messaging_rec(ndr, NDR_SCALARS, &r->messages[cntr_messages_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_messages_0, 0); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_messages_0 = r->num_messages; > _mem_save_messages_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->messages, 0); >- for (cntr_messages_0 = 0; cntr_messages_0 < r->num_messages; cntr_messages_0++) { >+ for (cntr_messages_0 = 0; cntr_messages_0 < size_messages_0; cntr_messages_0++) { > NDR_CHECK(ndr_pull_messaging_rec(ndr, NDR_BUFFERS, &r->messages[cntr_messages_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_messages_0, 0); >@@ -219,27 +222,35 @@ _PUBLIC_ enum ndr_err_code ndr_push_dbwrap_tdb2_changes(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_dbwrap_tdb2_changes(struct ndr_pull *ndr, int ndr_flags, struct dbwrap_tdb2_changes *r) > { >+ uint32_t size_magic_string_0 = 0; >+ uint32_t size_name_0 = 0; >+ uint32_t length_name_0 = 0; >+ uint32_t size_keys_0 = 0; > uint32_t cntr_keys_0; > TALLOC_CTX *_mem_save_keys_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic_string, 4, sizeof(uint8_t), CH_DOS)); >+ size_magic_string_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic_string, size_magic_string_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic_version)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_0 = ndr_get_array_size(ndr, &r->name); >+ length_name_0 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_0 > size_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_0, length_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_0, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_0, sizeof(uint8_t), CH_UTF8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->old_seqnum)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->new_seqnum)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_changes)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_keys)); >- NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); >+ size_keys_0 = r->num_keys; >+ NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >diff --git a/source3/librpc/gen_ndr/ndr_notify.c b/source3/librpc/gen_ndr/ndr_notify.c >index 36f66d1..594cd7f 100644 >--- a/source3/librpc/gen_ndr/ndr_notify.c >+++ b/source3/librpc/gen_ndr/ndr_notify.c >@@ -91,24 +91,27 @@ _PUBLIC_ enum ndr_err_code ndr_push_notify_entry_array(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_notify_entry_array(struct ndr_pull *ndr, int ndr_flags, struct notify_entry_array *r) > { >+ uint32_t size_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_entries_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries); >+ size_entries_0 = r->num_entries; >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_entries_0 = r->num_entries; > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -158,6 +161,7 @@ static enum ndr_err_code ndr_push_notify_depth(struct ndr_push *ndr, int ndr_fla > > static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_flags, struct notify_depth *r) > { >+ uint32_t size_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_entries_0; > if (ndr_flags & NDR_SCALARS) { >@@ -165,19 +169,21 @@ static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_fla > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask_subdir)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries); >+ size_entries_0 = r->num_entries; >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_entries_0 = r->num_entries; > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -227,24 +233,27 @@ _PUBLIC_ enum ndr_err_code ndr_push_notify_array(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_notify_array(struct ndr_pull *ndr, int ndr_flags, struct notify_array *r) > { >+ uint32_t size_depth_0 = 0; > uint32_t cntr_depth_0; > TALLOC_CTX *_mem_save_depth_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_depths)); >- NDR_PULL_ALLOC_N(ndr, r->depth, r->num_depths); >+ size_depth_0 = r->num_depths; >+ NDR_PULL_ALLOC_N(ndr, r->depth, size_depth_0); > _mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0); >- for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) { >+ for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) { > NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_SCALARS, &r->depth[cntr_depth_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0); > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_depth_0 = r->num_depths; > _mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0); >- for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) { >+ for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) { > NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_BUFFERS, &r->depth[cntr_depth_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0); >diff --git a/source3/librpc/gen_ndr/ndr_perfcount.c b/source3/librpc/gen_ndr/ndr_perfcount.c >index cd0ca5a..7ac0d99 100644 >--- a/source3/librpc/gen_ndr/ndr_perfcount.c >+++ b/source3/librpc/gen_ndr/ndr_perfcount.c >@@ -130,11 +130,13 @@ _PUBLIC_ enum ndr_err_code ndr_push_PERF_COUNTER_BLOCK(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_PERF_COUNTER_BLOCK(struct ndr_pull *ndr, int ndr_flags, struct PERF_COUNTER_BLOCK *r) > { >+ uint32_t size_data_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ByteLength)); >- NDR_PULL_ALLOC_N(ndr, r->data, r->ByteLength); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, r->ByteLength)); >+ size_data_0 = r->ByteLength; >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -264,8 +266,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_PERF_OBJECT_TYPE(struct ndr_push *ndr, int n > > _PUBLIC_ enum ndr_err_code ndr_pull_PERF_OBJECT_TYPE(struct ndr_pull *ndr, int ndr_flags, struct PERF_OBJECT_TYPE *r) > { >+ uint32_t size_counters_0 = 0; > uint32_t cntr_counters_0; > TALLOC_CTX *_mem_save_counters_0; >+ uint32_t size_instances_0 = 0; > uint32_t cntr_instances_0; > TALLOC_CTX *_mem_save_instances_0; > if (ndr_flags & NDR_SCALARS) { >@@ -284,17 +288,19 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PERF_OBJECT_TYPE(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->CodePage)); > NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->PerfTime)); > NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->PerfFreq)); >- NDR_PULL_ALLOC_N(ndr, r->counters, r->NumCounters); >+ size_counters_0 = r->NumCounters; >+ NDR_PULL_ALLOC_N(ndr, r->counters, size_counters_0); > _mem_save_counters_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->counters, 0); >- for (cntr_counters_0 = 0; cntr_counters_0 < r->NumCounters; cntr_counters_0++) { >+ for (cntr_counters_0 = 0; cntr_counters_0 < size_counters_0; cntr_counters_0++) { > NDR_CHECK(ndr_pull_PERF_COUNTER_DEFINITION(ndr, NDR_SCALARS, &r->counters[cntr_counters_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_counters_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->instances, r->NumInstances); >+ size_instances_0 = r->NumInstances; >+ NDR_PULL_ALLOC_N(ndr, r->instances, size_instances_0); > _mem_save_instances_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->instances, 0); >- for (cntr_instances_0 = 0; cntr_instances_0 < r->NumInstances; cntr_instances_0++) { >+ for (cntr_instances_0 = 0; cntr_instances_0 < size_instances_0; cntr_instances_0++) { > NDR_CHECK(ndr_pull_PERF_INSTANCE_DEFINITION(ndr, NDR_SCALARS, &r->instances[cntr_instances_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_instances_0, 0); >@@ -302,9 +308,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PERF_OBJECT_TYPE(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_instances_0 = r->NumInstances; > _mem_save_instances_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->instances, 0); >- for (cntr_instances_0 = 0; cntr_instances_0 < r->NumInstances; cntr_instances_0++) { >+ for (cntr_instances_0 = 0; cntr_instances_0 < size_instances_0; cntr_instances_0++) { > NDR_CHECK(ndr_pull_PERF_INSTANCE_DEFINITION(ndr, NDR_BUFFERS, &r->instances[cntr_instances_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_instances_0, 0); >@@ -398,14 +405,17 @@ _PUBLIC_ enum ndr_err_code ndr_push_PERF_DATA_BLOCK(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_PERF_DATA_BLOCK(struct ndr_pull *ndr, int ndr_flags, struct PERF_DATA_BLOCK *r) > { >+ uint32_t size_Signature_0 = 0; > uint32_t cntr_Signature_0; > uint32_t _ptr_data; > TALLOC_CTX *_mem_save_data_0; >+ uint32_t size_objects_0 = 0; > uint32_t cntr_objects_0; > TALLOC_CTX *_mem_save_objects_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >- for (cntr_Signature_0 = 0; cntr_Signature_0 < 4; cntr_Signature_0++) { >+ size_Signature_0 = 4; >+ for (cntr_Signature_0 = 0; cntr_Signature_0 < size_Signature_0; cntr_Signature_0++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Signature[cntr_Signature_0])); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->LittleEndian)); >@@ -428,10 +438,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PERF_DATA_BLOCK(struct ndr_pull *ndr, int nd > } else { > r->data = NULL; > } >- NDR_PULL_ALLOC_N(ndr, r->objects, r->NumObjectTypes); >+ size_objects_0 = r->NumObjectTypes; >+ NDR_PULL_ALLOC_N(ndr, r->objects, size_objects_0); > _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); >- for (cntr_objects_0 = 0; cntr_objects_0 < r->NumObjectTypes; cntr_objects_0++) { >+ for (cntr_objects_0 = 0; cntr_objects_0 < size_objects_0; cntr_objects_0++) { > NDR_CHECK(ndr_pull_PERF_OBJECT_TYPE(ndr, NDR_SCALARS, &r->objects[cntr_objects_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_0, 0); >@@ -444,9 +455,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PERF_DATA_BLOCK(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, r->data)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } >+ size_objects_0 = r->NumObjectTypes; > _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); >- for (cntr_objects_0 = 0; cntr_objects_0 < r->NumObjectTypes; cntr_objects_0++) { >+ for (cntr_objects_0 = 0; cntr_objects_0 < size_objects_0; cntr_objects_0++) { > NDR_CHECK(ndr_pull_PERF_OBJECT_TYPE(ndr, NDR_BUFFERS, &r->objects[cntr_objects_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_0, 0); >diff --git a/source3/librpc/gen_ndr/ndr_printcap.c b/source3/librpc/gen_ndr/ndr_printcap.c >index b6c7ba6..f234913 100644 >--- a/source3/librpc/gen_ndr/ndr_printcap.c >+++ b/source3/librpc/gen_ndr/ndr_printcap.c >@@ -6,21 +6,22 @@ > static enum ndr_err_code ndr_push_pcap_printer(struct ndr_push *ndr, int ndr_flags, const struct pcap_printer *r) > { > if (ndr_flags & NDR_SCALARS) { >- NDR_CHECK(ndr_push_align(ndr, 4)); >+ NDR_CHECK(ndr_push_align(ndr, 5)); > NDR_CHECK(ndr_push_unique_ptr(ndr, r->name)); > NDR_CHECK(ndr_push_unique_ptr(ndr, r->info)); >+ NDR_CHECK(ndr_push_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { > if (r->name) { >- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->name, CH_UTF8))); >- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0)); >- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->name, CH_UTF8))); >+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->name, CH_UTF8))); >+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0)); >+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->name, CH_UTF8))); > NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->name, ndr_charset_length(r->name, CH_UTF8), sizeof(uint8_t), CH_UTF8)); > } > if (r->info) { >- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->info, CH_UTF8))); >- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0)); >- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->info, CH_UTF8))); >+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->info, CH_UTF8))); >+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0)); >+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->info, CH_UTF8))); > NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->info, ndr_charset_length(r->info, CH_UTF8), sizeof(uint8_t), CH_UTF8)); > } > } >@@ -30,11 +31,15 @@ static enum ndr_err_code ndr_push_pcap_printer(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_flags, struct pcap_printer *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_info; >+ uint32_t size_info_1 = 0; >+ uint32_t length_info_1 = 0; > TALLOC_CTX *_mem_save_info_0; > if (ndr_flags & NDR_SCALARS) { >- NDR_CHECK(ndr_pull_align(ndr, 4)); >+ NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_name)); > if (_ptr_name) { > NDR_PULL_ALLOC(ndr, r->name); >@@ -47,6 +52,7 @@ static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_fla > } else { > r->info = NULL; > } >+ NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { > if (r->name) { >@@ -54,11 +60,13 @@ static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->info) { >@@ -66,11 +74,13 @@ static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->info, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->info)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->info)); >- if (ndr_get_array_length(ndr, &r->info) > ndr_get_array_size(ndr, &r->info)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->info), ndr_get_array_length(ndr, &r->info)); >+ size_info_1 = ndr_get_array_size(ndr, &r->info); >+ length_info_1 = ndr_get_array_length(ndr, &r->info); >+ if (length_info_1 > size_info_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_info_1, length_info_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_info_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, length_info_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); > } > } >@@ -100,13 +110,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_pcap_data(struct ndr_push *ndr, int ndr_flag > { > uint32_t cntr_printers_0; > if (ndr_flags & NDR_SCALARS) { >- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->count)); >- NDR_CHECK(ndr_push_align(ndr, 4)); >+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, r->count)); >+ NDR_CHECK(ndr_push_align(ndr, 5)); > NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->status)); > NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->count)); > for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) { > NDR_CHECK(ndr_push_pcap_printer(ndr, NDR_SCALARS, &r->printers[cntr_printers_0])); > } >+ NDR_CHECK(ndr_push_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { > for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) { >@@ -118,28 +129,32 @@ _PUBLIC_ enum ndr_err_code ndr_push_pcap_data(struct ndr_push *ndr, int ndr_flag > > _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flags, struct pcap_data *r) > { >+ uint32_t size_printers_0 = 0; > uint32_t cntr_printers_0; > TALLOC_CTX *_mem_save_printers_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->printers)); >- NDR_CHECK(ndr_pull_align(ndr, 4)); >+ NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->status)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); >- NDR_PULL_ALLOC_N(ndr, r->printers, ndr_get_array_size(ndr, &r->printers)); >+ size_printers_0 = ndr_get_array_size(ndr, &r->printers); >+ NDR_PULL_ALLOC_N(ndr, r->printers, size_printers_0); > _mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0); >- for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) { >+ for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) { > NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_SCALARS, &r->printers[cntr_printers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0); > if (r->printers) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->printers, r->count)); > } >+ NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_printers_0 = ndr_get_array_size(ndr, &r->printers); > _mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0); >- for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) { >+ for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) { > NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_BUFFERS, &r->printers[cntr_printers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0); >@@ -166,3 +181,4 @@ _PUBLIC_ void ndr_print_pcap_data(struct ndr_print *ndr, const char *name, const > ndr->depth--; > ndr->depth--; > } >+ >diff --git a/source3/librpc/gen_ndr/ndr_secrets.c b/source3/librpc/gen_ndr/ndr_secrets.c >index 2b182db..0c6ceae 100644 >--- a/source3/librpc/gen_ndr/ndr_secrets.c >+++ b/source3/librpc/gen_ndr/ndr_secrets.c >@@ -32,13 +32,15 @@ _PUBLIC_ enum ndr_err_code ndr_push_TRUSTED_DOM_PASS(struct ndr_push *ndr, int n > > _PUBLIC_ enum ndr_err_code ndr_pull_TRUSTED_DOM_PASS(struct ndr_pull *ndr, int ndr_flags, struct TRUSTED_DOM_PASS *r) > { >+ uint32_t size_uni_name_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->uni_name_len)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->uni_name, 32, sizeof(uint16_t), CH_UTF16)); >+ size_uni_name_0 = 32; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->uni_name, size_uni_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->pass_len)); > { > uint32_t _flags_save_string = ndr->flags; >diff --git a/source3/librpc/gen_ndr/ndr_wbint.c b/source3/librpc/gen_ndr/ndr_wbint.c >index 27c668e..59d0904 100644 >--- a/source3/librpc/gen_ndr/ndr_wbint.c >+++ b/source3/librpc/gen_ndr/ndr_wbint.c >@@ -50,12 +50,20 @@ _PUBLIC_ enum ndr_err_code ndr_push_wbint_userinfo(struct ndr_push *ndr, int ndr > _PUBLIC_ enum ndr_err_code ndr_pull_wbint_userinfo(struct ndr_pull *ndr, int ndr_flags, struct wbint_userinfo *r) > { > uint32_t _ptr_acct_name; >+ uint32_t size_acct_name_1 = 0; >+ uint32_t length_acct_name_1 = 0; > TALLOC_CTX *_mem_save_acct_name_0; > uint32_t _ptr_full_name; >+ uint32_t size_full_name_1 = 0; >+ uint32_t length_full_name_1 = 0; > TALLOC_CTX *_mem_save_full_name_0; > uint32_t _ptr_homedir; >+ uint32_t size_homedir_1 = 0; >+ uint32_t length_homedir_1 = 0; > TALLOC_CTX *_mem_save_homedir_0; > uint32_t _ptr_shell; >+ uint32_t size_shell_1 = 0; >+ uint32_t length_shell_1 = 0; > TALLOC_CTX *_mem_save_shell_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -94,11 +102,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_wbint_userinfo(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->acct_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->acct_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->acct_name)); >- if (ndr_get_array_length(ndr, &r->acct_name) > ndr_get_array_size(ndr, &r->acct_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->acct_name), ndr_get_array_length(ndr, &r->acct_name)); >+ size_acct_name_1 = ndr_get_array_size(ndr, &r->acct_name); >+ length_acct_name_1 = ndr_get_array_length(ndr, &r->acct_name); >+ if (length_acct_name_1 > size_acct_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_acct_name_1, length_acct_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->acct_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->acct_name, ndr_get_array_length(ndr, &r->acct_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_acct_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->acct_name, length_acct_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_acct_name_0, 0); > } > if (r->full_name) { >@@ -106,11 +116,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_wbint_userinfo(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->full_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->full_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->full_name)); >- if (ndr_get_array_length(ndr, &r->full_name) > ndr_get_array_size(ndr, &r->full_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->full_name), ndr_get_array_length(ndr, &r->full_name)); >+ size_full_name_1 = ndr_get_array_size(ndr, &r->full_name); >+ length_full_name_1 = ndr_get_array_length(ndr, &r->full_name); >+ if (length_full_name_1 > size_full_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_full_name_1, length_full_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->full_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->full_name, ndr_get_array_length(ndr, &r->full_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_full_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->full_name, length_full_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_full_name_0, 0); > } > if (r->homedir) { >@@ -118,11 +130,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_wbint_userinfo(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->homedir, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->homedir)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->homedir)); >- if (ndr_get_array_length(ndr, &r->homedir) > ndr_get_array_size(ndr, &r->homedir)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->homedir), ndr_get_array_length(ndr, &r->homedir)); >+ size_homedir_1 = ndr_get_array_size(ndr, &r->homedir); >+ length_homedir_1 = ndr_get_array_length(ndr, &r->homedir); >+ if (length_homedir_1 > size_homedir_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_homedir_1, length_homedir_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->homedir), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->homedir, ndr_get_array_length(ndr, &r->homedir), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_homedir_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->homedir, length_homedir_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_homedir_0, 0); > } > if (r->shell) { >@@ -130,11 +144,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_wbint_userinfo(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->shell, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->shell)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->shell)); >- if (ndr_get_array_length(ndr, &r->shell) > ndr_get_array_size(ndr, &r->shell)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->shell), ndr_get_array_length(ndr, &r->shell)); >+ size_shell_1 = ndr_get_array_size(ndr, &r->shell); >+ length_shell_1 = ndr_get_array_length(ndr, &r->shell); >+ if (length_shell_1 > size_shell_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_shell_1, length_shell_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->shell), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->shell, ndr_get_array_length(ndr, &r->shell), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_shell_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->shell, length_shell_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_shell_0, 0); > } > } >@@ -194,16 +210,18 @@ _PUBLIC_ enum ndr_err_code ndr_push_wbint_SidArray(struct ndr_push *ndr, int ndr > > _PUBLIC_ enum ndr_err_code ndr_pull_wbint_SidArray(struct ndr_pull *ndr, int ndr_flags, struct wbint_SidArray *r) > { >+ uint32_t size_sids_0 = 0; > uint32_t cntr_sids_0; > TALLOC_CTX *_mem_save_sids_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_0 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_0); > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { >+ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { > NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->sids[cntr_sids_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_0, 0); >@@ -255,16 +273,18 @@ _PUBLIC_ enum ndr_err_code ndr_push_wbint_RidArray(struct ndr_push *ndr, int ndr > > _PUBLIC_ enum ndr_err_code ndr_pull_wbint_RidArray(struct ndr_pull *ndr, int ndr_flags, struct wbint_RidArray *r) > { >+ uint32_t size_rids_0 = 0; > uint32_t cntr_rids_0; > TALLOC_CTX *_mem_save_rids_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_0 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_0); > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_0 = 0; cntr_rids_0 < r->num_rids; cntr_rids_0++) { >+ for (cntr_rids_0 = 0; cntr_rids_0 < size_rids_0; cntr_rids_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_0, 0); >@@ -320,6 +340,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_wbint_Principal(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_wbint_Principal(struct ndr_pull *ndr, int ndr_flags, struct wbint_Principal *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 5)); >@@ -339,11 +361,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_wbint_Principal(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > } >@@ -387,16 +411,18 @@ _PUBLIC_ enum ndr_err_code ndr_push_wbint_Principals(struct ndr_push *ndr, int n > > _PUBLIC_ enum ndr_err_code ndr_pull_wbint_Principals(struct ndr_pull *ndr, int ndr_flags, struct wbint_Principals *r) > { >+ uint32_t size_principals_0 = 0; > uint32_t cntr_principals_0; > TALLOC_CTX *_mem_save_principals_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->principals)); > NDR_CHECK(ndr_pull_align(ndr, 5)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->num_principals)); >- NDR_PULL_ALLOC_N(ndr, r->principals, ndr_get_array_size(ndr, &r->principals)); >+ size_principals_0 = ndr_get_array_size(ndr, &r->principals); >+ NDR_PULL_ALLOC_N(ndr, r->principals, size_principals_0); > _mem_save_principals_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->principals, 0); >- for (cntr_principals_0 = 0; cntr_principals_0 < r->num_principals; cntr_principals_0++) { >+ for (cntr_principals_0 = 0; cntr_principals_0 < size_principals_0; cntr_principals_0++) { > NDR_CHECK(ndr_pull_wbint_Principal(ndr, NDR_SCALARS, &r->principals[cntr_principals_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_principals_0, 0); >@@ -406,9 +432,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_wbint_Principals(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_principals_0 = ndr_get_array_size(ndr, &r->principals); > _mem_save_principals_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->principals, 0); >- for (cntr_principals_0 = 0; cntr_principals_0 < r->num_principals; cntr_principals_0++) { >+ for (cntr_principals_0 = 0; cntr_principals_0 < size_principals_0; cntr_principals_0++) { > NDR_CHECK(ndr_pull_wbint_Principal(ndr, NDR_BUFFERS, &r->principals[cntr_principals_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_principals_0, 0); >@@ -457,16 +484,18 @@ _PUBLIC_ enum ndr_err_code ndr_push_wbint_userinfos(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_wbint_userinfos(struct ndr_pull *ndr, int ndr_flags, struct wbint_userinfos *r) > { >+ uint32_t size_userinfos_0 = 0; > uint32_t cntr_userinfos_0; > TALLOC_CTX *_mem_save_userinfos_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->userinfos)); > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_userinfos)); >- NDR_PULL_ALLOC_N(ndr, r->userinfos, ndr_get_array_size(ndr, &r->userinfos)); >+ size_userinfos_0 = ndr_get_array_size(ndr, &r->userinfos); >+ NDR_PULL_ALLOC_N(ndr, r->userinfos, size_userinfos_0); > _mem_save_userinfos_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->userinfos, 0); >- for (cntr_userinfos_0 = 0; cntr_userinfos_0 < r->num_userinfos; cntr_userinfos_0++) { >+ for (cntr_userinfos_0 = 0; cntr_userinfos_0 < size_userinfos_0; cntr_userinfos_0++) { > NDR_CHECK(ndr_pull_wbint_userinfo(ndr, NDR_SCALARS, &r->userinfos[cntr_userinfos_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_userinfos_0, 0); >@@ -476,9 +505,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_wbint_userinfos(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_userinfos_0 = ndr_get_array_size(ndr, &r->userinfos); > _mem_save_userinfos_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->userinfos, 0); >- for (cntr_userinfos_0 = 0; cntr_userinfos_0 < r->num_userinfos; cntr_userinfos_0++) { >+ for (cntr_userinfos_0 = 0; cntr_userinfos_0 < size_userinfos_0; cntr_userinfos_0++) { > NDR_CHECK(ndr_pull_wbint_userinfo(ndr, NDR_BUFFERS, &r->userinfos[cntr_userinfos_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_userinfos_0, 0); >@@ -633,7 +663,11 @@ static enum ndr_err_code ndr_push_wbint_LookupSid(struct ndr_push *ndr, int flag > static enum ndr_err_code ndr_pull_wbint_LookupSid(struct ndr_pull *ndr, int flags, struct wbint_LookupSid *r) > { > uint32_t _ptr_domain; >+ uint32_t size_domain_2 = 0; >+ uint32_t length_domain_2 = 0; > uint32_t _ptr_name; >+ uint32_t size_name_2 = 0; >+ uint32_t length_name_2 = 0; > TALLOC_CTX *_mem_save_sid_0; > TALLOC_CTX *_mem_save_type_0; > TALLOC_CTX *_mem_save_domain_0; >@@ -681,11 +715,13 @@ static enum ndr_err_code ndr_pull_wbint_LookupSid(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, *r->out.domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.domain)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.domain)); >- if (ndr_get_array_length(ndr, r->out.domain) > ndr_get_array_size(ndr, r->out.domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.domain), ndr_get_array_length(ndr, r->out.domain)); >+ size_domain_2 = ndr_get_array_size(ndr, r->out.domain); >+ length_domain_2 = ndr_get_array_length(ndr, r->out.domain); >+ if (length_domain_2 > size_domain_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_2, length_domain_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.domain), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.domain, ndr_get_array_length(ndr, r->out.domain), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_2, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.domain, length_domain_2, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, LIBNDR_FLAG_REF_ALLOC); >@@ -705,11 +741,13 @@ static enum ndr_err_code ndr_pull_wbint_LookupSid(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, *r->out.name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.name)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.name)); >- if (ndr_get_array_length(ndr, r->out.name) > ndr_get_array_size(ndr, r->out.name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.name), ndr_get_array_length(ndr, r->out.name)); >+ size_name_2 = ndr_get_array_size(ndr, r->out.name); >+ length_name_2 = ndr_get_array_length(ndr, r->out.name); >+ if (length_name_2 > size_name_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_2, length_name_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.name, ndr_get_array_length(ndr, r->out.name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_2, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.name, length_name_2, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, LIBNDR_FLAG_REF_ALLOC); >@@ -800,6 +838,10 @@ static enum ndr_err_code ndr_push_wbint_LookupName(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_wbint_LookupName(struct ndr_pull *ndr, int flags, struct wbint_LookupName *r) > { >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_type_0; > TALLOC_CTX *_mem_save_sid_0; > if (flags & NDR_IN) { >@@ -807,18 +849,22 @@ static enum ndr_err_code ndr_pull_wbint_LookupName(struct ndr_pull *ndr, int fla > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain)); >- if (ndr_get_array_length(ndr, &r->in.domain) > ndr_get_array_size(ndr, &r->in.domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain), ndr_get_array_length(ndr, &r->in.domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->in.domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->in.domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, length_domain_1, sizeof(uint8_t), CH_UTF8)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name)); >- if (ndr_get_array_length(ndr, &r->in.name) > ndr_get_array_size(ndr, &r->in.name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name), ndr_get_array_length(ndr, &r->in.name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->in.name); >+ length_name_1 = ndr_get_array_length(ndr, &r->in.name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, ndr_get_array_length(ndr, &r->in.name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, length_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_PULL_ALLOC(ndr, r->out.type); > ZERO_STRUCTP(r->out.type); >@@ -911,6 +957,8 @@ static enum ndr_err_code ndr_push_wbint_Sid2Uid(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_wbint_Sid2Uid(struct ndr_pull *ndr, int flags, struct wbint_Sid2Uid *r) > { > uint32_t _ptr_dom_name; >+ uint32_t size_dom_name_1 = 0; >+ uint32_t length_dom_name_1 = 0; > TALLOC_CTX *_mem_save_dom_name_0; > TALLOC_CTX *_mem_save_sid_0; > TALLOC_CTX *_mem_save_uid_0; >@@ -928,11 +976,13 @@ static enum ndr_err_code ndr_pull_wbint_Sid2Uid(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.dom_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dom_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dom_name)); >- if (ndr_get_array_length(ndr, &r->in.dom_name) > ndr_get_array_size(ndr, &r->in.dom_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dom_name), ndr_get_array_length(ndr, &r->in.dom_name)); >+ size_dom_name_1 = ndr_get_array_size(ndr, &r->in.dom_name); >+ length_dom_name_1 = ndr_get_array_length(ndr, &r->in.dom_name); >+ if (length_dom_name_1 > size_dom_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_name_1, length_dom_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, length_dom_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -1021,6 +1071,8 @@ static enum ndr_err_code ndr_push_wbint_Sid2Gid(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_wbint_Sid2Gid(struct ndr_pull *ndr, int flags, struct wbint_Sid2Gid *r) > { > uint32_t _ptr_dom_name; >+ uint32_t size_dom_name_1 = 0; >+ uint32_t length_dom_name_1 = 0; > TALLOC_CTX *_mem_save_dom_name_0; > TALLOC_CTX *_mem_save_sid_0; > TALLOC_CTX *_mem_save_gid_0; >@@ -1038,11 +1090,13 @@ static enum ndr_err_code ndr_pull_wbint_Sid2Gid(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.dom_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dom_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dom_name)); >- if (ndr_get_array_length(ndr, &r->in.dom_name) > ndr_get_array_size(ndr, &r->in.dom_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dom_name), ndr_get_array_length(ndr, &r->in.dom_name)); >+ size_dom_name_1 = ndr_get_array_size(ndr, &r->in.dom_name); >+ length_dom_name_1 = ndr_get_array_length(ndr, &r->in.dom_name); >+ if (length_dom_name_1 > size_dom_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_name_1, length_dom_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, length_dom_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -1128,6 +1182,8 @@ static enum ndr_err_code ndr_push_wbint_Uid2Sid(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_wbint_Uid2Sid(struct ndr_pull *ndr, int flags, struct wbint_Uid2Sid *r) > { > uint32_t _ptr_dom_name; >+ uint32_t size_dom_name_1 = 0; >+ uint32_t length_dom_name_1 = 0; > TALLOC_CTX *_mem_save_dom_name_0; > TALLOC_CTX *_mem_save_sid_0; > if (flags & NDR_IN) { >@@ -1144,11 +1200,13 @@ static enum ndr_err_code ndr_pull_wbint_Uid2Sid(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.dom_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dom_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dom_name)); >- if (ndr_get_array_length(ndr, &r->in.dom_name) > ndr_get_array_size(ndr, &r->in.dom_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dom_name), ndr_get_array_length(ndr, &r->in.dom_name)); >+ size_dom_name_1 = ndr_get_array_size(ndr, &r->in.dom_name); >+ length_dom_name_1 = ndr_get_array_length(ndr, &r->in.dom_name); >+ if (length_dom_name_1 > size_dom_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_name_1, length_dom_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, length_dom_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_name_0, 0); > } > NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->in.uid)); >@@ -1225,6 +1283,8 @@ static enum ndr_err_code ndr_push_wbint_Gid2Sid(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_wbint_Gid2Sid(struct ndr_pull *ndr, int flags, struct wbint_Gid2Sid *r) > { > uint32_t _ptr_dom_name; >+ uint32_t size_dom_name_1 = 0; >+ uint32_t length_dom_name_1 = 0; > TALLOC_CTX *_mem_save_dom_name_0; > TALLOC_CTX *_mem_save_sid_0; > if (flags & NDR_IN) { >@@ -1241,11 +1301,13 @@ static enum ndr_err_code ndr_pull_wbint_Gid2Sid(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.dom_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dom_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dom_name)); >- if (ndr_get_array_length(ndr, &r->in.dom_name) > ndr_get_array_size(ndr, &r->in.dom_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dom_name), ndr_get_array_length(ndr, &r->in.dom_name)); >+ size_dom_name_1 = ndr_get_array_size(ndr, &r->in.dom_name); >+ length_dom_name_1 = ndr_get_array_length(ndr, &r->in.dom_name); >+ if (length_dom_name_1 > size_dom_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_name_1, length_dom_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, length_dom_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_name_0, 0); > } > NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->in.gid)); >@@ -1951,8 +2013,12 @@ static enum ndr_err_code ndr_push_wbint_DsGetDcName(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_wbint_DsGetDcName(struct ndr_pull *ndr, int flags, struct wbint_DsGetDcName *r) > { >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > uint32_t _ptr_dc_info; > TALLOC_CTX *_mem_save_domain_guid_0; > TALLOC_CTX *_mem_save_site_name_0; >@@ -1963,11 +2029,13 @@ static enum ndr_err_code ndr_pull_wbint_DsGetDcName(struct ndr_pull *ndr, int fl > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); > if (_ptr_domain_guid) { > NDR_PULL_ALLOC(ndr, r->in.domain_guid); >@@ -1991,11 +2059,13 @@ static enum ndr_err_code ndr_pull_wbint_DsGetDcName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); >- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); >@@ -2108,6 +2178,8 @@ static enum ndr_err_code ndr_push_wbint_LookupRids(struct ndr_push *ndr, int fla > static enum ndr_err_code ndr_pull_wbint_LookupRids(struct ndr_pull *ndr, int flags, struct wbint_LookupRids *r) > { > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_2 = 0; >+ uint32_t length_domain_name_2 = 0; > TALLOC_CTX *_mem_save_domain_sid_0; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_domain_name_0; >@@ -2152,11 +2224,13 @@ static enum ndr_err_code ndr_pull_wbint_LookupRids(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, *r->out.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.domain_name)); >- if (ndr_get_array_length(ndr, r->out.domain_name) > ndr_get_array_size(ndr, r->out.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.domain_name), ndr_get_array_length(ndr, r->out.domain_name)); >+ size_domain_name_2 = ndr_get_array_size(ndr, r->out.domain_name); >+ length_domain_name_2 = ndr_get_array_length(ndr, r->out.domain_name); >+ if (length_domain_name_2 > size_domain_name_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_2, length_domain_name_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.domain_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.domain_name, ndr_get_array_length(ndr, r->out.domain_name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_2, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.domain_name, length_domain_name_2, sizeof(uint8_t), CH_UTF8)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, LIBNDR_FLAG_REF_ALLOC); >-- >1.7.4.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 8815
:
7389
|
7390
|
7391
|
7392
|
7393
|
7398
|
7399
|
7400
|
7418
|
7419
|
7420
|
7421
|
7426
|
7427
|
7428
|
7429
|
7430
|
7431
|
7432
|
7433
|
7436
|
7437