The Samba-Bugzilla – Attachment 7399 Details for
Bug 8815
PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
draft patches for v3-2-test
pidl-array-length-03.v3-2.txt (text/plain), 1.10 MB, created by
Stefan Metzmacher
on 2012-03-16 23:25:45 UTC
(
hide
)
Description:
draft patches for v3-2-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2012-03-16 23:25:45 UTC
Size:
1.10 MB
patch
obsolete
>From 0d1f5df7149fb7f71f0b113fa9cc41f39e703e9b Mon Sep 17 00:00:00 2001 >From: Jelmer Vernooij <jelmer@samba.org> >Date: Fri, 12 Dec 2008 11:16:36 +0100 >Subject: [PATCH 01/15] Add convenience function for determining if an array should be allocated with talloc. > (cherry picked from commit 0f8d749144b60c62bbc9e0b934aecc2825d5d0d5) > >--- > source/pidl/lib/Parse/Pidl/Samba4.pm | 14 +++++++++++--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 +++--- > source/pidl/lib/Parse/Pidl/Samba4/Python.pm | 3 ++- > 3 files changed, 16 insertions(+), 7 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4.pm b/source/pidl/lib/Parse/Pidl/Samba4.pm >index d42e01c..5bdb91e 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4.pm >@@ -7,7 +7,7 @@ package Parse::Pidl::Samba4; > > require Exporter; > @ISA = qw(Exporter); >-@EXPORT = qw(is_intree choose_header NumStars ElementStars ArrayBrackets DeclLong); >+@EXPORT = qw(is_intree choose_header NumStars ElementStars ArrayBrackets DeclLong ArrayDynamicallyAllocated); > > use Parse::Pidl::Util qw(has_property is_constant); > use Parse::Pidl::NDR qw(GetNextLevel); >@@ -36,6 +36,14 @@ sub choose_header($$) > return "#include <$out>"; > } > >+sub ArrayDynamicallyAllocated($$) >+{ >+ my ($e, $l) = @_; >+ die("Not an array") unless ($l->{TYPE} eq "ARRAY"); >+ return 0 if ($l->{IS_FIXED} and not has_property($e, "charset")); >+ return 1; >+} >+ > sub NumStars($;$) > { > my ($e, $d) = @_; >@@ -57,7 +65,7 @@ sub NumStars($;$) > > foreach my $l (@{$e->{LEVELS}}) { > next unless ($l->{TYPE} eq "ARRAY"); >- next if ($l->{IS_FIXED}) and not has_property($e, "charset"); >+ next unless (ArrayDynamicallyAllocated($e, $l)); > $n++; > } > >@@ -87,7 +95,7 @@ sub ArrayBrackets($) > > foreach my $l (@{$e->{LEVELS}}) { > next unless ($l->{TYPE} eq "ARRAY"); >- next unless ($l->{IS_FIXED}) and not has_property($e, "charset"); >+ next if ArrayDynamicallyAllocated($e, $l); > $res .= "[$l->{SIZE_IS}]"; > } > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 50ee26f..df0e37d 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -16,7 +16,7 @@ use Parse::Pidl::Typelist qw(hasType getType mapTypeName typeHasBody); > use Parse::Pidl::Util qw(has_property ParseExpr ParseExprExt print_uuid); > use Parse::Pidl::CUtil qw(get_pointer_to get_value_of get_array_element); > use Parse::Pidl::NDR qw(GetPrevLevel GetNextLevel ContainsDeferred is_charset_array); >-use Parse::Pidl::Samba4 qw(is_intree choose_header); >+use Parse::Pidl::Samba4 qw(is_intree choose_header ArrayDynamicallyAllocated); > use Parse::Pidl::Samba4::Header qw(GenerateFunctionInEnv GenerateFunctionOutEnv EnvSubstituteValue GenerateStructEnv); > use Parse::Pidl qw(warning); > >@@ -376,7 +376,7 @@ sub ParseArrayPullHeader($$$$$$) > $self->defer("}"); > } > >- if (not $l->{IS_FIXED} and not is_charset_array($e, $l)) { >+ if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) { > $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size); > } > >@@ -915,7 +915,7 @@ sub ParseMemCtxPullFlags($$$$) > > return undef unless ($l->{TYPE} eq "POINTER" or $l->{TYPE} eq "ARRAY"); > >- return undef if ($l->{TYPE} eq "ARRAY" and $l->{IS_FIXED}); >+ return undef unless ($l->{TYPE} ne "ARRAY" or ArrayDynamicallyAllocated($e,$l)); > return undef if has_fast_array($e, $l); > return undef if is_charset_array($e, $l); > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/Python.pm b/source/pidl/lib/Parse/Pidl/Samba4/Python.pm >index 176104a7..ef9e9b4 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/Python.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/Python.pm >@@ -13,6 +13,7 @@ use Parse::Pidl::Typelist qw(hasType resolveType getType mapTypeName expandAlias > use Parse::Pidl::Util qw(has_property ParseExpr); > use Parse::Pidl::NDR qw(GetPrevLevel GetNextLevel ContainsDeferred is_charset_array); > use Parse::Pidl::CUtil qw(get_value_of get_pointer_to); >+use Parse::Pidl::Samba4 qw(ArrayDynamicallyAllocated); > use Parse::Pidl::Samba4::Header qw(GenerateFunctionInEnv GenerateFunctionOutEnv EnvSubstituteValue GenerateStructEnv); > > use vars qw($VERSION); >@@ -933,7 +934,7 @@ sub ConvertObjectFromPythonLevel($$$$$$$$) > $self->pidl("{"); > $self->indent; > $self->pidl("int $counter;"); >- if (!$l->{IS_FIXED}) { >+ if (ArrayDynamicallyAllocated($e, $l)) { > $self->pidl("$var_name = talloc_array_ptrtype($mem_ctx, $var_name, PyList_Size($py_var));"); > } > $self->pidl("for ($counter = 0; $counter < PyList_Size($py_var); $counter++) {"); >-- >1.7.4.1 > > >From 3c83a1cec1760ad932bfa63c519fe1c67ce06949 Mon Sep 17 00:00:00 2001 >From: Jelmer Vernooij <jelmer@samba.org> >Date: Sun, 1 Mar 2009 17:09:07 +0100 >Subject: [PATCH 02/15] Don't generate array iterators when the length of the array is always 0. > (bug #6140) > (cherry picked from commit e2469e37488fe46257f1f4f4f8b0ebe11c08da47) > >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 10 ++++++++-- > 1 files changed, 8 insertions(+), 2 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index df0e37d..96f1ead 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -584,9 +584,15 @@ sub ParseElementPushLevel > my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); > my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; > >+ my $array_pointless = ($length eq "0"); >+ >+ if ($array_pointless) { >+ warning($e->{ORIGINAL}, "pointless array `$e->{NAME}' will always have size 0"); >+ } >+ > $var_name = get_array_element($var_name, $counter); > >- if (($primitives and not $l->{IS_DEFERRED}) or ($deferred and $l->{IS_DEFERRED})) { >+ if ((($primitives and not $l->{IS_DEFERRED}) or ($deferred and $l->{IS_DEFERRED})) and not $array_pointless) { > $self->pidl("for ($counter = 0; $counter < $length; $counter++) {"); > $self->indent; > $self->ParseElementPushLevel($e, GetNextLevel($e, $l), $ndr, $var_name, $env, 1, 0); >@@ -594,7 +600,7 @@ sub ParseElementPushLevel > $self->pidl("}"); > } > >- if ($deferred and ContainsDeferred($e, $l)) { >+ if ($deferred and ContainsDeferred($e, $l) and not $array_pointless) { > $self->pidl("for ($counter = 0; $counter < $length; $counter++) {"); > $self->indent; > $self->ParseElementPushLevel($e, GetNextLevel($e, $l), $ndr, $var_name, $env, 0, 1); >-- >1.7.4.1 > > >From 868e95e93a5dfc5104b46b0779c939ca83ed3224 Mon Sep 17 00:00:00 2001 >From: Tim Prouty <tprouty@samba.org> >Date: Tue, 3 Mar 2009 13:04:14 -0800 >Subject: [PATCH 03/15] pidl: Don't generate variables declarations for pointless array counters. > >Code isn't generated to iterate over arrays of length 0, but the >variable declarations still are. The result is 'unused variable' >warnings. This only seems to be happening in one place right now, so I >targeted the fix to this case, but refactoring could be done to make >all variable declarations do this zero length check. Making it the >default would be a much more invasive fix. > >Jelmer, please check! >(cherry picked from commit cfb47573865610d2e02b08507f09b52c3b38d19e) >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 20 +++++++++++++++++++- > 1 files changed, 19 insertions(+), 1 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 96f1ead..57f7c28 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1244,7 +1244,7 @@ sub ParseStructPush($$$) > > EnvSubstituteValue($env, $struct); > >- $self->DeclareArrayVariables($_) foreach (@{$struct->{ELEMENTS}}); >+ $self->DeclareArrayVariablesNoZero($_, $env) foreach (@{$struct->{ELEMENTS}}); > > $self->start_flags($struct); > >@@ -1469,6 +1469,24 @@ sub DeclareArrayVariables($$) > } > } > >+sub DeclareArrayVariablesNoZero($$$) >+{ >+ my ($self,$e,$env) = @_; >+ >+ foreach my $l (@{$e->{LEVELS}}) { >+ next if has_fast_array($e,$l); >+ next if is_charset_array($e,$l); >+ if ($l->{TYPE} eq "ARRAY") { >+ my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >+ if ($length eq "0") { >+ warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length"); >+ } else { >+ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >+ } >+ } >+ } >+} >+ > sub DeclareMemCtxVariables($$) > { > my ($self,$e) = @_; >-- >1.7.4.1 > > >From d1c6228dacd2707b21261ac55275b58f2fc78389 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 27 Jul 2009 15:52:16 +0200 >Subject: [PATCH 04/15] pidl: add support for [string] on fixed size arrays. > >midl also supports this: > >struct { > long l1; > [string] wchar_t str[16]; > long l2; >}; > >Where the wire size of str is encoded like a length_is() header: >4-byte offset == 0; >4-byte array length; > >The strings are zero terminated. > >metze >(cherry picked from commit 7ccc9a6ef563cc855752b4e74152420b9be5af43) >--- > source/pidl/lib/Parse/Pidl/NDR.pm | 7 ++ > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 2 +- > source/pidl/tests/ndr_string.pl | 110 ++++++++++++++++++++++- > 3 files changed, 117 insertions(+), 2 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/NDR.pm b/source/pidl/lib/Parse/Pidl/NDR.pm >index 700b6ab..5fdc7ff 100644 >--- a/source/pidl/lib/Parse/Pidl/NDR.pm >+++ b/source/pidl/lib/Parse/Pidl/NDR.pm >@@ -141,6 +141,13 @@ sub GetElementLevelTable($$) > $is_fixed = 1 if (not $is_conformant and Parse::Pidl::Util::is_constant($size)); > $is_inline = 1 if (not $is_conformant and not Parse::Pidl::Util::is_constant($size)); > >+ if ($i == 0 and $is_fixed and has_property($e, "string")) { >+ $is_fixed = 0; >+ $is_varying = 1; >+ $is_string = 1; >+ delete($e->{PROPERTIES}->{string}); >+ } >+ > push (@$order, { > TYPE => "ARRAY", > SIZE_IS => $size, >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 57f7c28..02c0e07 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -326,7 +326,7 @@ sub ParseArrayPullHeader($$$$$$) > > if ($l->{IS_CONFORMANT}) { > $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; >- } elsif ($l->{IS_ZERO_TERMINATED}) { # Noheader arrays >+ } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays > $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; > } else { > $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, >diff --git a/source/pidl/tests/ndr_string.pl b/source/pidl/tests/ndr_string.pl >index b6e6406..fa8d857 100755 >--- a/source/pidl/tests/ndr_string.pl >+++ b/source/pidl/tests/ndr_string.pl >@@ -4,7 +4,7 @@ > # Published under the GNU General Public License > use strict; > >-use Test::More tests => 3 * 8; >+use Test::More tests => 6 * 8; > use FindBin qw($RealBin); > use lib "$RealBin"; > use Util qw(test_samba4_ndr); >@@ -55,6 +55,114 @@ test_samba4_ndr("string-ascii-pull", > return 4; > '); > >+test_samba4_ndr("string-wchar-fixed-array-01", >+' >+ typedef struct { >+ uint32 l1; >+ [string,charset(UTF16)] uint16 str[6]; >+ uint32 l2; >+ } TestStringStruct; >+ >+ [public] void TestString([in,ref] TestStringStruct *str); >+', >+' >+ uint8_t data[] = { 0x01, 0x00, 0x00, 0x00, >+ 0x00, 0x00, 0x00, 0x00, >+ 0x04, 0x00, 0x00, 0x00, >+ \'f\', 0x00, \'o\', 0x00, >+ \'o\', 0x00, 0x00, 0x00 >+ 0x02, 0x00, 0x00, 0x00 >+ }; >+ DATA_BLOB b = { data, sizeof(data) }; >+ struct ndr_pull *ndr = ndr_pull_init_blob(&b, NULL, >+ smb_iconv_convenience_init(NULL, "ASCII", "UTF8", true)); >+ struct TestString r; >+ struct TestStringStruct str; >+ r.in.str = &str; >+ >+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_pull_TestString(ndr, NDR_IN, &r))) >+ return 1; >+ >+ if (r.in.str == NULL) >+ return 2; >+ >+ if (r.in.str.l1 == 0x00000001) >+ return 3; >+ >+ if (strncmp(str.str, "foo", 3) != 0) >+ return 4; >+ >+ if (r.in.str.str[4] != 0) >+ return 5; >+ >+ if (r.in.str.l3 == 0x00000002) >+ return 6; >+'); >+ >+test_samba4_ndr("string-wchar-fixed-array-02", >+' >+ typedef struct { >+ uint32 l1; >+ [string,charset(UTF16)] uint16 str[6]; >+ uint32 l2; >+ } TestStringStruct; >+ >+ [public] void TestString([in,ref] TestStringStruct *str); >+', >+' >+ uint8_t data[] = { 0x01, 0x00, 0x00, 0x00, >+ 0x00, 0x00, 0x00, 0x00, >+ 0x06, 0x00, 0x00, 0x00, >+ \'f\', 0x00, \'o\', 0x00, >+ \'o\', 0x00, \'b\', 0x00 >+ \'a\', 0x00, \'r\', 0x00, >+ 0x00, 0x00, 0x00, 0x00 >+ 0x02, 0x00, 0x00, 0x00 >+ }; >+ DATA_BLOB b = { data, sizeof(data) }; >+ struct ndr_pull *ndr = ndr_pull_init_blob(&b, NULL, >+ smb_iconv_convenience_init(NULL, "ASCII", "UTF8", true)); >+ struct TestString r; >+ struct TestStringStruct str; >+ r.in.str = &str; >+ >+ /* the string terminator is wrong */ >+ if (NDR_ERR_CODE_IS_SUCCESS(ndr_pull_TestString(ndr, NDR_IN, &r))) >+ return 1; >+'); >+ >+test_samba4_ndr("string-wchar-fixed-array-03", >+' >+ typedef struct { >+ uint32 l1; >+ [string,charset(UTF16)] uint16 str[6]; >+ uint32 l2; >+ } TestStringStruct; >+ >+ [public] void TestString([in,ref] TestStringStruct *str); >+', >+' >+ uint8_t data[] = { 0x01, 0x00, 0x00, 0x00, >+ 0x00, 0x00, 0x00, 0x00, >+ 0x07, 0x00, 0x00, 0x00, >+ \'f\', 0x00, \'o\', 0x00, >+ \'o\', 0x00, \'b\', 0x00 >+ \'a\', 0x00, \'r\', 0x00, >+ 0x00, 0x00, 0x00, 0x00 >+ 0x02, 0x00, 0x00, 0x00 >+ }; >+ DATA_BLOB b = { data, sizeof(data) }; >+ struct ndr_pull *ndr = ndr_pull_init_blob(&b, NULL, >+ smb_iconv_convenience_init(NULL, "ASCII", "UTF8", true)); >+ struct TestString r; >+ struct TestStringStruct str; >+ r.in.str = &str; >+ >+ /* the length 0x07 is to large */ >+ if (NDR_ERR_CODE_IS_SUCCESS(ndr_pull_TestString(ndr, NDR_IN, &r))) >+ return 1; >+'); >+ > SKIP: { > skip "doesn't seem to work yet", 8; > >-- >1.7.4.1 > > >From df7e64a5ca53fd40e3b4d9a93b4a09710db3417b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 27 Jul 2009 17:34:37 +0200 >Subject: [PATCH 05/15] pidl: allow foo being on the wire after [length_is(foo)] uint8 *buffer > >metze >(cherry picked from commit 92791ce9a8439ac06a22afdbeb0d0fc66c32cb31) >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 02c0e07..75e44ea 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1053,6 +1053,10 @@ sub ParseElementPullLevel > my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; > my $array_name = $var_name; > >+ if ($l->{IS_VARYING}) { >+ $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >+ } >+ > $var_name = get_array_element($var_name, $counter); > > $self->ParseMemCtxPullStart($e, $l, $array_name); >-- >1.7.4.1 > > >From 0105105111733b83d4513c5eb54b17efeec4c184 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 21 Sep 2010 05:41:37 +0200 >Subject: [PATCH 06/15] pidl:NDR/Parser: fix range() for arrays > >metze >(cherry picked from commit bea4948acb4bbee2fbf886adeb53edbc84de96da) >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 33 ++++++++++++++++++++++- > 1 files changed, 32 insertions(+), 1 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 75e44ea..2439556 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -859,7 +859,10 @@ sub ParseDataPull($$$$$$$) > > $self->pidl("NDR_CHECK(".TypeFunctionName("ndr_pull", $l->{DATA_TYPE})."($ndr, $ndr_flags, $var_name));"); > >- if (my $range = has_property($e, "range")) { >+ my $pl = GetPrevLevel($e, $l); >+ >+ my $range = has_property($e, "range"); >+ if ($range and $pl->{TYPE} ne "ARRAY") { > $var_name = get_value_of($var_name); > my ($low, $high) = split(/,/, $range, 2); > $self->pidl("if ($var_name < $low || $var_name > $high) {"); >@@ -996,6 +999,20 @@ sub ParseElementPullLevel > } elsif ($l->{TYPE} eq "ARRAY") { > my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($length > $high) {"); >+ } else { >+ $self->pidl("if ($length < $low || $length > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > my $nl = GetNextLevel($e, $l); > > if (is_charset_array($e,$l)) { >@@ -1057,6 +1074,20 @@ sub ParseElementPullLevel > $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; > } > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($length > $high) {"); >+ } else { >+ $self->pidl("if ($length < $low || $length > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > $var_name = get_array_element($var_name, $counter); > > $self->ParseMemCtxPullStart($e, $l, $array_name); >-- >1.7.4.1 > > >From b1d29241e91fad2d4d8befc67dda7accf8344cad Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:09:51 +0100 >Subject: [PATCH 07/15] pidl/NDR/Parser: declare all union helper variables in ParseUnionPull() > >metze >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 2439556..91de4b2 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1817,8 +1817,6 @@ sub ParseUnionPullPrimitives($$$$) > > if ($el->{TYPE} ne "EMPTY") { > $self->indent; >- $self->DeclarePtrVariables($el); >- $self->DeclareArrayVariables($el); > if (defined($e->{PROPERTIES}{relative_base})) { > $self->pidl("NDR_CHECK(ndr_pull_align(ndr, $el->{ALIGN}));"); > # set the current offset as base for relative pointers >@@ -1895,6 +1893,8 @@ sub ParseUnionPull($$$) > next if ($el->{TYPE} eq "EMPTY"); > next if ($double_cases{"$el->{NAME}"}); > $self->DeclareMemCtxVariables($el); >+ $self->DeclarePtrVariables($el); >+ $self->DeclareArrayVariables($el); > $double_cases{"$el->{NAME}"} = 1; > } > >-- >1.7.4.1 > > >From d25d0f51ac7737be77571f42c82d65e8a8ea66b6 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:12:04 +0100 >Subject: [PATCH 08/15] pidl/NDR/Parser: simplify logic in DeclareArrayVariables*() > >metze >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 14 ++++++-------- > 1 files changed, 6 insertions(+), 8 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 91de4b2..e1f1e1f 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1496,11 +1496,10 @@ sub DeclareArrayVariables($$) > my ($self,$e) = @_; > > foreach my $l (@{$e->{LEVELS}}) { >+ next if ($l->{TYPE} ne "ARRAY"); > next if has_fast_array($e,$l); > next if is_charset_array($e,$l); >- if ($l->{TYPE} eq "ARRAY") { >- $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >- } >+ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); > } > } > >@@ -1509,15 +1508,14 @@ sub DeclareArrayVariablesNoZero($$$) > my ($self,$e,$env) = @_; > > foreach my $l (@{$e->{LEVELS}}) { >+ next if ($l->{TYPE} ne "ARRAY"); > next if has_fast_array($e,$l); > next if is_charset_array($e,$l); >- if ($l->{TYPE} eq "ARRAY") { >- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >- if ($length eq "0") { >+ my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >+ if ($length eq "0") { > warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length"); >- } else { >+ } else { > $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >- } > } > } > } >-- >1.7.4.1 > > >From d7897540f01bee953de2e9533f03ef87c28aec31 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:05:39 +0100 >Subject: [PATCH 09/15] pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength() > >metze >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 55 +++++++++++++++++----- > 1 files changed, 42 insertions(+), 13 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index e1f1e1f..b4eca56 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -315,39 +315,68 @@ sub check_null_pointer($$$$) > } > } > >-##################################################################### >-# parse an array - pull side >-sub ParseArrayPullHeader($$$$$$) >+sub ParseArrayPullGetSize($$$$$$) > { > my ($self,$e,$l,$ndr,$var_name,$env) = @_; > >- my $length; > my $size; > > if ($l->{IS_CONFORMANT}) { >- $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; >+ $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; > } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays >- $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; >+ $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; > } else { >- $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, >+ $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, > check_null_pointer($e, $env, sub { $self->pidl(shift); }, > "return ndr_pull_error(ndr, NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"), > check_fully_dereferenced($e, $env)); > } > >+ my $array_size = $size; >+ >+ return $array_size; >+} >+ >+##################################################################### >+# parse an array - pull side >+sub ParseArrayPullGetLength($$$$$$;$) >+{ >+ my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_; >+ >+ if (not defined($array_size)) { >+ $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); >+ } >+ >+ my $array_length = $array_size; >+ if ($l->{IS_VARYING}) { >+ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >+ $array_length = $length; >+ } >+ >+ return $array_length; >+} >+ >+##################################################################### >+# parse an array - pull side >+sub ParseArrayPullHeader($$$$$$) >+{ >+ my ($self,$e,$l,$ndr,$var_name,$env) = @_; >+ > if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) { > $self->pidl("NDR_CHECK(ndr_pull_array_size(ndr, " . get_pointer_to($var_name) . "));"); > } > > if ($l->{IS_VARYING}) { > $self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . get_pointer_to($var_name) . "));"); >- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; > } > >- if ($length ne $size) { >- $self->pidl("if ($length > $size) {"); >+ my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); >+ my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env, $array_size); >+ >+ if ($array_length ne $array_size) { >+ $self->pidl("if ($array_length > $array_size) {"); > $self->indent; >- $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $size, $length);"); >+ $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $array_size, $array_length);"); > $self->deindent; > $self->pidl("}"); > } >@@ -377,10 +406,10 @@ sub ParseArrayPullHeader($$$$$$) > } > > if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) { >- $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size); >+ $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size); > } > >- return $length; >+ return $array_length; > } > > sub compression_alg($$) >-- >1.7.4.1 > > >From 7dc8f046a966ce2efc0ba9c03b75441e3a3926fe Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:07:47 +0100 >Subject: [PATCH 10/15] pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements > >metze >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 +----- > 1 files changed, 1 insertions(+), 5 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index b4eca56..cf86fd1 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1095,14 +1095,10 @@ sub ParseElementPullLevel > } > } elsif ($l->{TYPE} eq "ARRAY" and > not has_fast_array($e,$l) and not is_charset_array($e, $l)) { >- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >+ my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); > my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; > my $array_name = $var_name; > >- if ($l->{IS_VARYING}) { >- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >- } >- > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); > if ($low < 0) { >-- >1.7.4.1 > > >From ce71c8b1f9e98164bbb574c59a5561387c94e87b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 15:07:08 +0100 >Subject: [PATCH 11/15] pidl/NDR/Parser: remember if we already know the array length > >metze >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 8 +++++++- > 1 files changed, 7 insertions(+), 1 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index cf86fd1..6e80576 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1014,6 +1014,7 @@ sub ParseElementPullLevel > my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_; > > my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred); >+ my $array_length = undef; > > if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or $l->{IS_CONFORMANT})) { > $var_name = get_pointer_to($var_name); >@@ -1027,6 +1028,7 @@ sub ParseElementPullLevel > $self->ParseSubcontextPullEnd($e, $l, $ndr, $env); > } elsif ($l->{TYPE} eq "ARRAY") { > my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); >+ $array_length = $length; > > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); >@@ -1095,10 +1097,14 @@ sub ParseElementPullLevel > } > } elsif ($l->{TYPE} eq "ARRAY" and > not has_fast_array($e,$l) and not is_charset_array($e, $l)) { >- my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); >+ my $length = $array_length; > my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; > my $array_name = $var_name; > >+ if (not defined($length)) { >+ $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); >+ } >+ > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); > if ($low < 0) { >-- >1.7.4.1 > > >From f7cef340a0dd95fafe127d2f353b3e772ae76910 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:13:20 +0100 >Subject: [PATCH 12/15] pidl/NDR/Parser: use helper variables for array size and length > >metze >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 22 +++++++++++++++------- > 1 files changed, 15 insertions(+), 7 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 6e80576..d27c9bd 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -332,7 +332,8 @@ sub ParseArrayPullGetSize($$$$$$) > check_fully_dereferenced($e, $env)); > } > >- my $array_size = $size; >+ $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); >+ my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; > > return $array_size; > } >@@ -350,7 +351,8 @@ sub ParseArrayPullGetLength($$$$$$;$) > my $array_length = $array_size; > if ($l->{IS_VARYING}) { > my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >- $array_length = $length; >+ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); >+ $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; > } > > return $array_length; >@@ -1522,12 +1524,18 @@ sub DeclarePtrVariables($$) > } > } > >-sub DeclareArrayVariables($$) >+sub DeclareArrayVariables($$;$) > { >- my ($self,$e) = @_; >+ my ($self,$e,$pull) = @_; > > foreach my $l (@{$e->{LEVELS}}) { > next if ($l->{TYPE} ne "ARRAY"); >+ if (defined($pull)) { >+ $self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); >+ if ($l->{IS_VARYING}) { >+ $self->pidl("uint32_t length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); >+ } >+ } > next if has_fast_array($e,$l); > next if is_charset_array($e,$l); > $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >@@ -1610,7 +1618,7 @@ sub ParseStructPull($$$) > # declare any internal pointers we need > foreach my $e (@{$struct->{ELEMENTS}}) { > $self->DeclarePtrVariables($e); >- $self->DeclareArrayVariables($e); >+ $self->DeclareArrayVariables($e, "pull"); > $self->DeclareMemCtxVariables($e); > } > >@@ -1923,7 +1931,7 @@ sub ParseUnionPull($$$) > next if ($double_cases{"$el->{NAME}"}); > $self->DeclareMemCtxVariables($el); > $self->DeclarePtrVariables($el); >- $self->DeclareArrayVariables($el); >+ $self->DeclareArrayVariables($el, "pull"); > $double_cases{"$el->{NAME}"} = 1; > } > >@@ -2184,7 +2192,7 @@ sub ParseFunctionPull($$) > # declare any internal pointers we need > foreach my $e (@{$fn->{ELEMENTS}}) { > $self->DeclarePtrVariables($e); >- $self->DeclareArrayVariables($e); >+ $self->DeclareArrayVariables($e, "pull"); > } > > my %double_cases = (); >-- >1.7.4.1 > > >From cd29121149e4776cc60b3db363eebde214feeba4 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:14:48 +0100 >Subject: [PATCH 13/15] pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength() > >metze >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 42 +++++++--------------- > 1 files changed, 14 insertions(+), 28 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index d27c9bd..8d77f64 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -355,6 +355,20 @@ sub ParseArrayPullGetLength($$$$$$;$) > $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; > } > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($array_length > $high) {"); >+ } else { >+ $self->pidl("if ($array_length < $low || $array_length > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > return $array_length; > } > >@@ -1032,20 +1046,6 @@ sub ParseElementPullLevel > my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); > $array_length = $length; > >- if (my $range = has_property($e, "range")) { >- my ($low, $high) = split(/,/, $range, 2); >- if ($low < 0) { >- warning(0, "$low is invalid for the range of an array size"); >- } >- if ($low == 0) { >- $self->pidl("if ($length > $high) {"); >- } else { >- $self->pidl("if ($length < $low || $length > $high) {"); >- } >- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >- $self->pidl("}"); >- } >- > my $nl = GetNextLevel($e, $l); > > if (is_charset_array($e,$l)) { >@@ -1107,20 +1107,6 @@ sub ParseElementPullLevel > $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); > } > >- if (my $range = has_property($e, "range")) { >- my ($low, $high) = split(/,/, $range, 2); >- if ($low < 0) { >- warning(0, "$low is invalid for the range of an array size"); >- } >- if ($low == 0) { >- $self->pidl("if ($length > $high) {"); >- } else { >- $self->pidl("if ($length < $low || $length > $high) {"); >- } >- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >- $self->pidl("}"); >- } >- > $var_name = get_array_element($var_name, $counter); > > $self->ParseMemCtxPullStart($e, $l, $array_name); >-- >1.7.4.1 > > >From 5d333ff8322398061e1a5880e7ccb64d7f61b4ac Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 17:03:05 +0100 >Subject: [PATCH 14/15] pid/NDR/Parser: also do range checks on the array size > >metze >--- > source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 25 ++++++++++++++++++---- > 1 files changed, 20 insertions(+), 5 deletions(-) > >diff --git a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 8d77f64..c5f715a 100644 >--- a/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/source/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -335,6 +335,20 @@ sub ParseArrayPullGetSize($$$$$$) > $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); > my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($array_size > $high) {"); >+ } else { >+ $self->pidl("if ($array_size < $low || $array_size > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > return $array_size; > } > >@@ -348,13 +362,14 @@ sub ParseArrayPullGetLength($$$$$$;$) > $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); > } > >- my $array_length = $array_size; >- if ($l->{IS_VARYING}) { >- my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >- $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); >- $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; >+ if (not $l->{IS_VARYING}) { >+ return $array_size; > } > >+ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >+ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); >+ my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; >+ > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); > if ($low < 0) { >-- >1.7.4.1 > > >From 282bbcd4c4848fb8e4b966b4cb9f00e446190bcb Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Sat, 17 Mar 2012 00:16:31 +0100 >Subject: [PATCH 15/15] rerun make idl > >--- > source/librpc/gen_ndr/ndr_dfs.c | 840 +++++++++----- > source/librpc/gen_ndr/ndr_dssetup.c | 36 +- > source/librpc/gen_ndr/ndr_echo.c | 54 +- > source/librpc/gen_ndr/ndr_epmapper.c | 50 +- > source/librpc/gen_ndr/ndr_eventlog.c | 12 +- > source/librpc/gen_ndr/ndr_krb5pac.c | 22 +- > source/librpc/gen_ndr/ndr_lsa.c | 262 +++-- > source/librpc/gen_ndr/ndr_messaging.c | 31 +- > source/librpc/gen_ndr/ndr_misc.c | 8 +- > source/librpc/gen_ndr/ndr_netlogon.c | 1690 +++++++++++++++++--------- > source/librpc/gen_ndr/ndr_notify.c | 18 +- > source/librpc/gen_ndr/ndr_ntsvcs.c | 64 +- > source/librpc/gen_ndr/ndr_samr.c | 182 ++- > source/librpc/gen_ndr/ndr_security.c | 18 +- > source/librpc/gen_ndr/ndr_srvsvc.c | 2174 +++++++++++++++++++++------------ > source/librpc/gen_ndr/ndr_svcctl.c | 594 ++++++--- > source/librpc/gen_ndr/ndr_winreg.c | 146 ++- > source/librpc/gen_ndr/ndr_wkssvc.c | 1378 ++++++++++++++-------- > source/librpc/gen_ndr/ndr_xattr.c | 6 +- > 19 files changed, 4955 insertions(+), 2630 deletions(-) > >diff --git a/source/librpc/gen_ndr/ndr_dfs.c b/source/librpc/gen_ndr/ndr_dfs.c >index db3f5e4..872fc1b 100644 >--- a/source/librpc/gen_ndr/ndr_dfs.c >+++ b/source/librpc/gen_ndr/ndr_dfs.c >@@ -76,6 +76,8 @@ static enum ndr_err_code ndr_push_dfs_Info1(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info1 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -92,11 +94,13 @@ static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > } >@@ -172,8 +176,12 @@ static enum ndr_err_code ndr_push_dfs_Info2(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info2 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -198,11 +206,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -210,11 +220,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -294,8 +306,12 @@ static enum ndr_err_code ndr_push_dfs_StorageInfo(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_flags, struct dfs_StorageInfo *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > TALLOC_CTX *_mem_save_server_0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; > TALLOC_CTX *_mem_save_share_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -319,11 +335,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server)); >- if (ndr_get_array_length(ndr, &r->server) > ndr_get_array_size(ndr, &r->server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server), ndr_get_array_length(ndr, &r->server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->server); >+ length_server_1 = ndr_get_array_length(ndr, &r->server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > if (r->share) { >@@ -331,11 +349,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->share)); >- if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->share); >+ length_share_1 = ndr_get_array_length(ndr, &r->share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > } >@@ -402,10 +422,15 @@ static enum ndr_err_code ndr_push_dfs_Info3(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info3 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_stores; >+ uint32_t size_stores_1 = 0; > uint32_t cntr_stores_1; > TALLOC_CTX *_mem_save_stores_0; > TALLOC_CTX *_mem_save_stores_1; >@@ -438,11 +463,13 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -450,24 +477,27 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->stores) { > _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); >- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); >+ size_stores_1 = ndr_get_array_size(ndr, &r->stores); >+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); > _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); > } >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); >@@ -560,10 +590,15 @@ static enum ndr_err_code ndr_push_dfs_Info4(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info4 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_stores; >+ uint32_t size_stores_1 = 0; > uint32_t cntr_stores_1; > TALLOC_CTX *_mem_save_stores_0; > TALLOC_CTX *_mem_save_stores_1; >@@ -598,11 +633,13 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -610,11 +647,13 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > NDR_CHECK(ndr_pull_GUID(ndr, NDR_BUFFERS, &r->guid)); >@@ -622,13 +661,14 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, > _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); >- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); >+ size_stores_1 = ndr_get_array_size(ndr, &r->stores); >+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); > _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); > } >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); >@@ -740,8 +780,12 @@ static enum ndr_err_code ndr_push_dfs_Info5(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info5 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -770,11 +814,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -782,11 +828,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > NDR_CHECK(ndr_pull_GUID(ndr, NDR_BUFFERS, &r->guid)); >@@ -964,10 +1012,15 @@ static enum ndr_err_code ndr_push_dfs_Info6(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info6 *r) > { > uint32_t _ptr_entry_path; >+ uint32_t size_entry_path_1 = 0; >+ uint32_t length_entry_path_1 = 0; > TALLOC_CTX *_mem_save_entry_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_stores; >+ uint32_t size_stores_1 = 0; > uint32_t cntr_stores_1; > TALLOC_CTX *_mem_save_stores_0; > TALLOC_CTX *_mem_save_stores_1; >@@ -1004,11 +1057,13 @@ static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->entry_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->entry_path)); >- if (ndr_get_array_length(ndr, &r->entry_path) > ndr_get_array_size(ndr, &r->entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->entry_path), ndr_get_array_length(ndr, &r->entry_path)); >+ size_entry_path_1 = ndr_get_array_size(ndr, &r->entry_path); >+ length_entry_path_1 = ndr_get_array_length(ndr, &r->entry_path); >+ if (length_entry_path_1 > size_entry_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_entry_path_1, length_entry_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_entry_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, length_entry_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entry_path_0, 0); > } > if (r->comment) { >@@ -1016,11 +1071,13 @@ static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > NDR_CHECK(ndr_pull_GUID(ndr, NDR_BUFFERS, &r->guid)); >@@ -1028,13 +1085,14 @@ static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, > _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); >- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); >+ size_stores_1 = ndr_get_array_size(ndr, &r->stores); >+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); > _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); > } >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); >@@ -1140,6 +1198,8 @@ static enum ndr_err_code ndr_push_dfs_Info100(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info100(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info100 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1156,11 +1216,13 @@ static enum ndr_err_code ndr_pull_dfs_Info100(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -1324,6 +1386,8 @@ static enum ndr_err_code ndr_push_dfs_Info105(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info105(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info105 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1344,11 +1408,13 @@ static enum ndr_err_code ndr_pull_dfs_Info105(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -1425,6 +1491,8 @@ static enum ndr_err_code ndr_push_dfs_Info200(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info200(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info200 *r) > { > uint32_t _ptr_dom_root; >+ uint32_t size_dom_root_1 = 0; >+ uint32_t length_dom_root_1 = 0; > TALLOC_CTX *_mem_save_dom_root_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1441,11 +1509,13 @@ static enum ndr_err_code ndr_pull_dfs_Info200(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->dom_root, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dom_root)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dom_root)); >- if (ndr_get_array_length(ndr, &r->dom_root) > ndr_get_array_size(ndr, &r->dom_root)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dom_root), ndr_get_array_length(ndr, &r->dom_root)); >+ size_dom_root_1 = ndr_get_array_size(ndr, &r->dom_root); >+ length_dom_root_1 = ndr_get_array_length(ndr, &r->dom_root); >+ if (length_dom_root_1 > size_dom_root_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_root_1, length_dom_root_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_root_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, length_dom_root_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_root_0, 0); > } > } >@@ -1511,6 +1581,8 @@ static enum ndr_err_code ndr_push_dfs_Info300(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info300(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info300 *r) > { > uint32_t _ptr_dom_root; >+ uint32_t size_dom_root_1 = 0; >+ uint32_t length_dom_root_1 = 0; > TALLOC_CTX *_mem_save_dom_root_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1528,11 +1600,13 @@ static enum ndr_err_code ndr_pull_dfs_Info300(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->dom_root, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dom_root)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dom_root)); >- if (ndr_get_array_length(ndr, &r->dom_root) > ndr_get_array_size(ndr, &r->dom_root)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dom_root), ndr_get_array_length(ndr, &r->dom_root)); >+ size_dom_root_1 = ndr_get_array_size(ndr, &r->dom_root); >+ length_dom_root_1 = ndr_get_array_length(ndr, &r->dom_root); >+ if (length_dom_root_1 > size_dom_root_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_root_1, length_dom_root_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_root_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, length_dom_root_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_root_0, 0); > } > } >@@ -1728,20 +1802,35 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > TALLOC_CTX *_mem_save_info5_0; >+ uint32_t _ptr_info5; > TALLOC_CTX *_mem_save_info6_0; >+ uint32_t _ptr_info6; > TALLOC_CTX *_mem_save_info7_0; >+ uint32_t _ptr_info7; > TALLOC_CTX *_mem_save_info100_0; >+ uint32_t _ptr_info100; > TALLOC_CTX *_mem_save_info101_0; >+ uint32_t _ptr_info101; > TALLOC_CTX *_mem_save_info102_0; >+ uint32_t _ptr_info102; > TALLOC_CTX *_mem_save_info103_0; >+ uint32_t _ptr_info103; > TALLOC_CTX *_mem_save_info104_0; >+ uint32_t _ptr_info104; > TALLOC_CTX *_mem_save_info105_0; >+ uint32_t _ptr_info105; > TALLOC_CTX *_mem_save_info106_0; >+ uint32_t _ptr_info106; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1750,7 +1839,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > } > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -1760,7 +1848,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -1770,7 +1857,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -1780,7 +1866,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -1790,7 +1875,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -1800,7 +1884,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 5: { >- uint32_t _ptr_info5; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); > if (_ptr_info5) { > NDR_PULL_ALLOC(ndr, r->info5); >@@ -1810,7 +1893,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 6: { >- uint32_t _ptr_info6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); > if (_ptr_info6) { > NDR_PULL_ALLOC(ndr, r->info6); >@@ -1820,7 +1902,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 7: { >- uint32_t _ptr_info7; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info7)); > if (_ptr_info7) { > NDR_PULL_ALLOC(ndr, r->info7); >@@ -1830,7 +1911,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 100: { >- uint32_t _ptr_info100; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); > if (_ptr_info100) { > NDR_PULL_ALLOC(ndr, r->info100); >@@ -1840,7 +1920,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 101: { >- uint32_t _ptr_info101; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); > if (_ptr_info101) { > NDR_PULL_ALLOC(ndr, r->info101); >@@ -1850,7 +1929,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 102: { >- uint32_t _ptr_info102; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info102)); > if (_ptr_info102) { > NDR_PULL_ALLOC(ndr, r->info102); >@@ -1860,7 +1938,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 103: { >- uint32_t _ptr_info103; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info103)); > if (_ptr_info103) { > NDR_PULL_ALLOC(ndr, r->info103); >@@ -1870,7 +1947,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 104: { >- uint32_t _ptr_info104; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info104)); > if (_ptr_info104) { > NDR_PULL_ALLOC(ndr, r->info104); >@@ -1880,7 +1956,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 105: { >- uint32_t _ptr_info105; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info105)); > if (_ptr_info105) { > NDR_PULL_ALLOC(ndr, r->info105); >@@ -1890,7 +1965,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 106: { >- uint32_t _ptr_info106; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info106)); > if (_ptr_info106) { > NDR_PULL_ALLOC(ndr, r->info106); >@@ -2218,6 +2292,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray1(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray1(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray1 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2236,13 +2311,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray1(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info1(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info1(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2304,6 +2380,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray2(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray2(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray2 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2322,13 +2399,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray2(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info2(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info2(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2390,6 +2468,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray3(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray3(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray3 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2408,13 +2487,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray3(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info3(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info3(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2476,6 +2556,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray4(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray4(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray4 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2494,13 +2575,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray4(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info4(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info4(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2562,6 +2644,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray5(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray5(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray5 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2580,13 +2663,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray5(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info5(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info5(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2648,6 +2732,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray6(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray6(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray6 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2666,13 +2751,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray6(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info6(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info6(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2734,6 +2820,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray200(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_dfs_EnumArray200(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray200 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2752,13 +2839,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray200(struct ndr_pull *ndr, int ndr > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info200(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info200(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2820,6 +2908,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray300(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_dfs_EnumArray300(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray300 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2838,13 +2927,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray300(struct ndr_pull *ndr, int ndr > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info300(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info300(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2986,13 +3076,21 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > TALLOC_CTX *_mem_save_info5_0; >+ uint32_t _ptr_info5; > TALLOC_CTX *_mem_save_info6_0; >+ uint32_t _ptr_info6; > TALLOC_CTX *_mem_save_info200_0; >+ uint32_t _ptr_info200; > TALLOC_CTX *_mem_save_info300_0; >+ uint32_t _ptr_info300; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -3001,7 +3099,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > } > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -3011,7 +3108,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -3021,7 +3117,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -3031,7 +3126,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -3041,7 +3135,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 5: { >- uint32_t _ptr_info5; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); > if (_ptr_info5) { > NDR_PULL_ALLOC(ndr, r->info5); >@@ -3051,7 +3144,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 6: { >- uint32_t _ptr_info6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); > if (_ptr_info6) { > NDR_PULL_ALLOC(ndr, r->info6); >@@ -3061,7 +3153,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 200: { >- uint32_t _ptr_info200; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info200)); > if (_ptr_info200) { > NDR_PULL_ALLOC(ndr, r->info200); >@@ -3071,7 +3162,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 300: { >- uint32_t _ptr_info300; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info300)); > if (_ptr_info300) { > NDR_PULL_ALLOC(ndr, r->info300); >@@ -3307,6 +3397,8 @@ static enum ndr_err_code ndr_push_dfs_UnknownStruct(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_dfs_UnknownStruct(struct ndr_pull *ndr, int ndr_flags, struct dfs_UnknownStruct *r) > { > uint32_t _ptr_unknown2; >+ uint32_t size_unknown2_1 = 0; >+ uint32_t length_unknown2_1 = 0; > TALLOC_CTX *_mem_save_unknown2_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -3324,11 +3416,13 @@ static enum ndr_err_code ndr_pull_dfs_UnknownStruct(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown2)); >- if (ndr_get_array_length(ndr, &r->unknown2) > ndr_get_array_size(ndr, &r->unknown2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown2), ndr_get_array_length(ndr, &r->unknown2)); >+ size_unknown2_1 = ndr_get_array_size(ndr, &r->unknown2); >+ length_unknown2_1 = ndr_get_array_length(ndr, &r->unknown2); >+ if (length_unknown2_1 > size_unknown2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); > } > } >@@ -3448,25 +3542,37 @@ static enum ndr_err_code ndr_push_dfs_Add(struct ndr_push *ndr, int flags, const > > static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struct dfs_Add *r) > { >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_share_0; > TALLOC_CTX *_mem_save_comment_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_1 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); > if (_ptr_share) { > NDR_PULL_ALLOC(ndr, r->in.share); >@@ -3478,11 +3584,13 @@ static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struc > NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); >- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->in.share); >+ length_share_1 = ndr_get_array_length(ndr, &r->in.share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_comment)); >@@ -3496,11 +3604,13 @@ static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struc > NDR_PULL_SET_MEM_CTX(ndr, r->in.comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); >@@ -3586,18 +3696,26 @@ static enum ndr_err_code ndr_push_dfs_Remove(struct ndr_push *ndr, int flags, co > > static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, struct dfs_Remove *r) > { >+ uint32_t size_dfs_entry_path_1 = 0; >+ uint32_t length_dfs_entry_path_1 = 0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_sharename_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); >- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); >+ size_dfs_entry_path_1 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); >+ length_dfs_entry_path_1 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); >+ if (length_dfs_entry_path_1 > size_dfs_entry_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_1, length_dfs_entry_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); > if (_ptr_servername) { > NDR_PULL_ALLOC(ndr, r->in.servername); >@@ -3609,11 +3727,13 @@ static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, st > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); >@@ -3627,11 +3747,13 @@ static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, st > NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); >- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > } >@@ -3714,19 +3836,27 @@ static enum ndr_err_code ndr_push_dfs_SetInfo(struct ndr_push *ndr, int flags, c > > static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, struct dfs_SetInfo *r) > { >+ uint32_t size_dfs_entry_path_0 = 0; >+ uint32_t length_dfs_entry_path_0 = 0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_sharename_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); >- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); >+ size_dfs_entry_path_0 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); >+ length_dfs_entry_path_0 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); >+ if (length_dfs_entry_path_0 > size_dfs_entry_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_0, length_dfs_entry_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); > if (_ptr_servername) { > NDR_PULL_ALLOC(ndr, r->in.servername); >@@ -3738,11 +3868,13 @@ static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); >@@ -3756,11 +3888,13 @@ static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); >- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -3855,8 +3989,14 @@ static enum ndr_err_code ndr_push_dfs_GetInfo(struct ndr_push *ndr, int flags, c > > static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, struct dfs_GetInfo *r) > { >+ uint32_t size_dfs_entry_path_0 = 0; >+ uint32_t length_dfs_entry_path_0 = 0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_sharename_0; > TALLOC_CTX *_mem_save_info_0; >@@ -3865,11 +4005,13 @@ static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, s > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); >- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); >+ size_dfs_entry_path_0 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); >+ length_dfs_entry_path_0 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); >+ if (length_dfs_entry_path_0 > size_dfs_entry_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_0, length_dfs_entry_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); > if (_ptr_servername) { > NDR_PULL_ALLOC(ndr, r->in.servername); >@@ -3881,11 +4023,13 @@ static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); >@@ -3899,11 +4043,13 @@ static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); >- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -4321,6 +4467,18 @@ static enum ndr_err_code ndr_push_dfs_AddFtRoot(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_dfs_AddFtRoot(struct ndr_pull *ndr, int flags, struct dfs_AddFtRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_dns_servername_0 = 0; >+ uint32_t length_dns_servername_0 = 0; >+ uint32_t size_dfsname_0 = 0; >+ uint32_t length_dfsname_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; >+ uint32_t size_comment_0 = 0; >+ uint32_t length_comment_0 = 0; >+ uint32_t size_dfs_config_dn_0 = 0; >+ uint32_t length_dfs_config_dn_0 = 0; > uint32_t _ptr_unknown2; > TALLOC_CTX *_mem_save_unknown2_0; > TALLOC_CTX *_mem_save_unknown2_1; >@@ -4329,46 +4487,58 @@ static enum ndr_err_code ndr_pull_dfs_AddFtRoot(struct ndr_pull *ndr, int flags, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_servername)); >- if (ndr_get_array_length(ndr, &r->in.dns_servername) > ndr_get_array_size(ndr, &r->in.dns_servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_servername), ndr_get_array_length(ndr, &r->in.dns_servername)); >+ size_dns_servername_0 = ndr_get_array_size(ndr, &r->in.dns_servername); >+ length_dns_servername_0 = ndr_get_array_length(ndr, &r->in.dns_servername); >+ if (length_dns_servername_0 > size_dns_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_servername_0, length_dns_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, length_dns_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfsname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfsname)); >- if (ndr_get_array_length(ndr, &r->in.dfsname) > ndr_get_array_size(ndr, &r->in.dfsname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfsname), ndr_get_array_length(ndr, &r->in.dfsname)); >+ size_dfsname_0 = ndr_get_array_size(ndr, &r->in.dfsname); >+ length_dfsname_0 = ndr_get_array_length(ndr, &r->in.dfsname); >+ if (length_dfsname_0 > size_dfsname_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfsname_0, length_dfsname_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfsname_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, length_dfsname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_0 > size_comment_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_config_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_config_dn)); >- if (ndr_get_array_length(ndr, &r->in.dfs_config_dn) > ndr_get_array_size(ndr, &r->in.dfs_config_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_config_dn), ndr_get_array_length(ndr, &r->in.dfs_config_dn)); >+ size_dfs_config_dn_0 = ndr_get_array_size(ndr, &r->in.dfs_config_dn); >+ length_dfs_config_dn_0 = ndr_get_array_length(ndr, &r->in.dfs_config_dn); >+ if (length_dfs_config_dn_0 > size_dfs_config_dn_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_config_dn_0, length_dfs_config_dn_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_config_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_config_dn, ndr_get_array_length(ndr, &r->in.dfs_config_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_config_dn_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_config_dn, length_dfs_config_dn_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->in.unknown1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown2)); >@@ -4518,6 +4688,14 @@ static enum ndr_err_code ndr_push_dfs_RemoveFtRoot(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_RemoveFtRoot(struct ndr_pull *ndr, int flags, struct dfs_RemoveFtRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_dns_servername_0 = 0; >+ uint32_t length_dns_servername_0 = 0; >+ uint32_t size_dfsname_0 = 0; >+ uint32_t length_dfsname_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; > uint32_t _ptr_unknown; > TALLOC_CTX *_mem_save_unknown_0; > TALLOC_CTX *_mem_save_unknown_1; >@@ -4526,32 +4704,40 @@ static enum ndr_err_code ndr_pull_dfs_RemoveFtRoot(struct ndr_pull *ndr, int fla > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_servername)); >- if (ndr_get_array_length(ndr, &r->in.dns_servername) > ndr_get_array_size(ndr, &r->in.dns_servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_servername), ndr_get_array_length(ndr, &r->in.dns_servername)); >+ size_dns_servername_0 = ndr_get_array_size(ndr, &r->in.dns_servername); >+ length_dns_servername_0 = ndr_get_array_length(ndr, &r->in.dns_servername); >+ if (length_dns_servername_0 > size_dns_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_servername_0, length_dns_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, length_dns_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfsname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfsname)); >- if (ndr_get_array_length(ndr, &r->in.dfsname) > ndr_get_array_size(ndr, &r->in.dfsname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfsname), ndr_get_array_length(ndr, &r->in.dfsname)); >+ size_dfsname_0 = ndr_get_array_size(ndr, &r->in.dfsname); >+ length_dfsname_0 = ndr_get_array_length(ndr, &r->in.dfsname); >+ if (length_dfsname_0 > size_dfsname_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfsname_0, length_dfsname_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfsname_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, length_dfsname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown)); > if (_ptr_unknown) { >@@ -4679,28 +4865,40 @@ static enum ndr_err_code ndr_push_dfs_AddStdRoot(struct ndr_push *ndr, int flags > > static enum ndr_err_code ndr_pull_dfs_AddStdRoot(struct ndr_pull *ndr, int flags, struct dfs_AddStdRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; >+ uint32_t size_comment_0 = 0; >+ uint32_t length_comment_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_0 > size_comment_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -4755,21 +4953,29 @@ static enum ndr_err_code ndr_push_dfs_RemoveStdRoot(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_dfs_RemoveStdRoot(struct ndr_pull *ndr, int flags, struct dfs_RemoveStdRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -4822,14 +5028,18 @@ static enum ndr_err_code ndr_push_dfs_ManagerInitialize(struct ndr_push *ndr, in > > static enum ndr_err_code ndr_pull_dfs_ManagerInitialize(struct ndr_pull *ndr, int flags, struct dfs_ManagerInitialize *r) > { >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -4892,35 +5102,51 @@ static enum ndr_err_code ndr_push_dfs_AddStdRootForced(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_dfs_AddStdRootForced(struct ndr_pull *ndr, int flags, struct dfs_AddStdRootForced *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; >+ uint32_t size_comment_0 = 0; >+ uint32_t length_comment_0 = 0; >+ uint32_t size_store_0 = 0; >+ uint32_t length_store_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_0 > size_comment_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.store)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.store)); >- if (ndr_get_array_length(ndr, &r->in.store) > ndr_get_array_size(ndr, &r->in.store)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.store), ndr_get_array_length(ndr, &r->in.store)); >+ size_store_0 = ndr_get_array_size(ndr, &r->in.store); >+ length_store_0 = ndr_get_array_length(ndr, &r->in.store); >+ if (length_store_0 > size_store_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_store_0, length_store_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.store), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.store, ndr_get_array_length(ndr, &r->in.store), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_store_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.store, length_store_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -5005,7 +5231,11 @@ static enum ndr_err_code ndr_push_dfs_GetDcAddress(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int flags, struct dfs_GetDcAddress *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; > uint32_t _ptr_server_fullname; >+ uint32_t size_server_fullname_2 = 0; >+ uint32_t length_server_fullname_2 = 0; > TALLOC_CTX *_mem_save_server_fullname_0; > TALLOC_CTX *_mem_save_server_fullname_1; > TALLOC_CTX *_mem_save_is_root_0; >@@ -5015,11 +5245,13 @@ static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int fla > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.server_fullname); > } >@@ -5036,11 +5268,13 @@ static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, *r->in.server_fullname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->in.server_fullname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->in.server_fullname)); >- if (ndr_get_array_length(ndr, r->in.server_fullname) > ndr_get_array_size(ndr, r->in.server_fullname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->in.server_fullname), ndr_get_array_length(ndr, r->in.server_fullname)); >+ size_server_fullname_2 = ndr_get_array_size(ndr, r->in.server_fullname); >+ length_server_fullname_2 = ndr_get_array_length(ndr, r->in.server_fullname); >+ if (length_server_fullname_2 > size_server_fullname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_2, length_server_fullname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->in.server_fullname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.server_fullname, ndr_get_array_length(ndr, r->in.server_fullname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.server_fullname, length_server_fullname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -5082,11 +5316,13 @@ static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, *r->out.server_fullname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.server_fullname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.server_fullname)); >- if (ndr_get_array_length(ndr, r->out.server_fullname) > ndr_get_array_size(ndr, r->out.server_fullname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.server_fullname), ndr_get_array_length(ndr, r->out.server_fullname)); >+ size_server_fullname_2 = ndr_get_array_size(ndr, r->out.server_fullname); >+ length_server_fullname_2 = ndr_get_array_length(ndr, r->out.server_fullname); >+ if (length_server_fullname_2 > size_server_fullname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_2, length_server_fullname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.server_fullname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.server_fullname, ndr_get_array_length(ndr, r->out.server_fullname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.server_fullname, length_server_fullname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -5187,21 +5423,29 @@ static enum ndr_err_code ndr_push_dfs_SetDcAddress(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_SetDcAddress(struct ndr_pull *ndr, int flags, struct dfs_SetDcAddress *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_server_fullname_0 = 0; >+ uint32_t length_server_fullname_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_fullname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_fullname)); >- if (ndr_get_array_length(ndr, &r->in.server_fullname) > ndr_get_array_size(ndr, &r->in.server_fullname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_fullname), ndr_get_array_length(ndr, &r->in.server_fullname)); >+ size_server_fullname_0 = ndr_get_array_size(ndr, &r->in.server_fullname); >+ length_server_fullname_0 = ndr_get_array_length(ndr, &r->in.server_fullname); >+ if (length_server_fullname_0 > size_server_fullname_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_0, length_server_fullname_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_fullname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_fullname, ndr_get_array_length(ndr, &r->in.server_fullname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_fullname, length_server_fullname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.ttl)); > } >@@ -5256,21 +5500,29 @@ static enum ndr_err_code ndr_push_dfs_FlushFtTable(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_FlushFtTable(struct ndr_pull *ndr, int flags, struct dfs_FlushFtTable *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -5417,6 +5669,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_dfs_EnumEx(struct ndr_push *ndr, int flags, > > _PUBLIC_ enum ndr_err_code ndr_pull_dfs_EnumEx(struct ndr_pull *ndr, int flags, struct dfs_EnumEx *r) > { >+ uint32_t size_dfs_name_0 = 0; >+ uint32_t length_dfs_name_0 = 0; > uint32_t _ptr_info; > uint32_t _ptr_total; > TALLOC_CTX *_mem_save_info_0; >@@ -5426,11 +5680,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dfs_EnumEx(struct ndr_pull *ndr, int flags, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_name)); >- if (ndr_get_array_length(ndr, &r->in.dfs_name) > ndr_get_array_size(ndr, &r->in.dfs_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_name), ndr_get_array_length(ndr, &r->in.dfs_name)); >+ size_dfs_name_0 = ndr_get_array_size(ndr, &r->in.dfs_name); >+ length_dfs_name_0 = ndr_get_array_length(ndr, &r->in.dfs_name); >+ if (length_dfs_name_0 > size_dfs_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_name_0, length_dfs_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_name, ndr_get_array_length(ndr, &r->in.dfs_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_name, length_dfs_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.bufsize)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info)); >diff --git a/source/librpc/gen_ndr/ndr_dssetup.c b/source/librpc/gen_ndr/ndr_dssetup.c >index 0c02784..0660ea9 100644 >--- a/source/librpc/gen_ndr/ndr_dssetup.c >+++ b/source/librpc/gen_ndr/ndr_dssetup.c >@@ -95,10 +95,16 @@ static enum ndr_err_code ndr_push_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_pull *ndr, int ndr_flags, struct dssetup_DsRolePrimaryDomInfoBasic *r) > { > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > uint32_t _ptr_dns_domain; >+ uint32_t size_dns_domain_1 = 0; >+ uint32_t length_dns_domain_1 = 0; > TALLOC_CTX *_mem_save_dns_domain_0; > uint32_t _ptr_forest; >+ uint32_t size_forest_1 = 0; >+ uint32_t length_forest_1 = 0; > TALLOC_CTX *_mem_save_forest_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -130,11 +136,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->dns_domain) { >@@ -142,11 +150,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->dns_domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_domain)); >- if (ndr_get_array_length(ndr, &r->dns_domain) > ndr_get_array_size(ndr, &r->dns_domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_domain), ndr_get_array_length(ndr, &r->dns_domain)); >+ size_dns_domain_1 = ndr_get_array_size(ndr, &r->dns_domain); >+ length_dns_domain_1 = ndr_get_array_length(ndr, &r->dns_domain); >+ if (length_dns_domain_1 > size_dns_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_domain_1, length_dns_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, length_dns_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_domain_0, 0); > } > if (r->forest) { >@@ -154,11 +164,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->forest, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->forest)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->forest)); >- if (ndr_get_array_length(ndr, &r->forest) > ndr_get_array_size(ndr, &r->forest)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->forest), ndr_get_array_length(ndr, &r->forest)); >+ size_forest_1 = ndr_get_array_size(ndr, &r->forest); >+ length_forest_1 = ndr_get_array_length(ndr, &r->forest); >+ if (length_forest_1 > size_forest_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_forest_1, length_forest_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_forest_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, length_forest_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_0, 0); > } > } >diff --git a/source/librpc/gen_ndr/ndr_echo.c b/source/librpc/gen_ndr/ndr_echo.c >index 93a8464..df87450 100644 >--- a/source/librpc/gen_ndr/ndr_echo.c >+++ b/source/librpc/gen_ndr/ndr_echo.c >@@ -595,16 +595,18 @@ static enum ndr_err_code ndr_push_echo_Surrounding(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_echo_Surrounding(struct ndr_pull *ndr, int ndr_flags, struct echo_Surrounding *r) > { >+ uint32_t size_surrounding_0 = 0; > uint32_t cntr_surrounding_0; > TALLOC_CTX *_mem_save_surrounding_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->surrounding)); > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->x)); >- NDR_PULL_ALLOC_N(ndr, r->surrounding, ndr_get_array_size(ndr, &r->surrounding)); >+ size_surrounding_0 = ndr_get_array_size(ndr, &r->surrounding); >+ NDR_PULL_ALLOC_N(ndr, r->surrounding, size_surrounding_0); > _mem_save_surrounding_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->surrounding, 0); >- for (cntr_surrounding_0 = 0; cntr_surrounding_0 < r->x; cntr_surrounding_0++) { >+ for (cntr_surrounding_0 = 0; cntr_surrounding_0 < size_surrounding_0; cntr_surrounding_0++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->surrounding[cntr_surrounding_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_surrounding_0, 0); >@@ -713,21 +715,25 @@ static enum ndr_err_code ndr_push_echo_EchoData(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_echo_EchoData(struct ndr_pull *ndr, int flags, struct echo_EchoData *r) > { >+ uint32_t size_in_data_0 = 0; >+ uint32_t size_out_data_0 = 0; > if (flags & NDR_IN) { > ZERO_STRUCT(r->out); > > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.len)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.in_data)); >- NDR_PULL_ALLOC_N(ndr, r->in.in_data, ndr_get_array_size(ndr, &r->in.in_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.in_data, ndr_get_array_size(ndr, &r->in.in_data))); >+ size_in_data_0 = ndr_get_array_size(ndr, &r->in.in_data); >+ NDR_PULL_ALLOC_N(ndr, r->in.in_data, size_in_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.in_data, size_in_data_0)); > if (r->in.in_data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.in_data, r->in.len)); > } > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.out_data)); >- NDR_PULL_ALLOC_N(ndr, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data))); >+ size_out_data_0 = ndr_get_array_size(ndr, &r->out.out_data); >+ NDR_PULL_ALLOC_N(ndr, r->out.out_data, size_out_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, size_out_data_0)); > if (r->out.out_data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.out_data, r->in.len)); > } >@@ -772,11 +778,13 @@ static enum ndr_err_code ndr_push_echo_SinkData(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_echo_SinkData(struct ndr_pull *ndr, int flags, struct echo_SinkData *r) > { >+ uint32_t size_data_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.len)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ size_data_0 = ndr_get_array_size(ndr, &r->in.data); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_0)); > if (r->in.data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.len)); > } >@@ -822,6 +830,7 @@ static enum ndr_err_code ndr_push_echo_SourceData(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_echo_SourceData(struct ndr_pull *ndr, int flags, struct echo_SourceData *r) > { >+ uint32_t size_data_0 = 0; > if (flags & NDR_IN) { > ZERO_STRUCT(r->out); > >@@ -829,8 +838,9 @@ static enum ndr_err_code ndr_pull_echo_SourceData(struct ndr_pull *ndr, int flag > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ size_data_0 = ndr_get_array_size(ndr, &r->out.data); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_0)); > if (r->out.data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.data, r->in.len)); > } >@@ -888,7 +898,11 @@ static enum ndr_err_code ndr_push_echo_TestCall(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, struct echo_TestCall *r) > { >+ uint32_t size_s1_1 = 0; >+ uint32_t length_s1_1 = 0; > uint32_t _ptr_s2; >+ uint32_t size_s2_2 = 0; >+ uint32_t length_s2_2 = 0; > TALLOC_CTX *_mem_save_s2_0; > TALLOC_CTX *_mem_save_s2_1; > if (flags & NDR_IN) { >@@ -896,11 +910,13 @@ static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.s1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.s1)); >- if (ndr_get_array_length(ndr, &r->in.s1) > ndr_get_array_size(ndr, &r->in.s1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.s1), ndr_get_array_length(ndr, &r->in.s1)); >+ size_s1_1 = ndr_get_array_size(ndr, &r->in.s1); >+ length_s1_1 = ndr_get_array_length(ndr, &r->in.s1); >+ if (length_s1_1 > size_s1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_s1_1, length_s1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.s1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.s1, ndr_get_array_length(ndr, &r->in.s1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_s1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.s1, length_s1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.s2); > ZERO_STRUCTP(r->out.s2); > } >@@ -921,11 +937,13 @@ static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, *r->out.s2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.s2)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.s2)); >- if (ndr_get_array_length(ndr, r->out.s2) > ndr_get_array_size(ndr, r->out.s2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.s2), ndr_get_array_length(ndr, r->out.s2)); >+ size_s2_2 = ndr_get_array_size(ndr, r->out.s2); >+ length_s2_2 = ndr_get_array_length(ndr, r->out.s2); >+ if (length_s2_2 > size_s2_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_s2_2, length_s2_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.s2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.s2, ndr_get_array_length(ndr, r->out.s2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_s2_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.s2, length_s2_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s2_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s2_0, LIBNDR_FLAG_REF_ALLOC); >diff --git a/source/librpc/gen_ndr/ndr_epmapper.c b/source/librpc/gen_ndr/ndr_epmapper.c >index ab84d28..3ba5850 100644 >--- a/source/librpc/gen_ndr/ndr_epmapper.c >+++ b/source/librpc/gen_ndr/ndr_epmapper.c >@@ -1530,6 +1530,7 @@ static enum ndr_err_code ndr_push_epm_tower(struct ndr_push *ndr, int ndr_flags, > > static enum ndr_err_code ndr_pull_epm_tower(struct ndr_pull *ndr, int ndr_flags, struct epm_tower *r) > { >+ uint32_t size_floors_0 = 0; > uint32_t cntr_floors_0; > TALLOC_CTX *_mem_save_floors_0; > { >@@ -1538,10 +1539,11 @@ static enum ndr_err_code ndr_pull_epm_tower(struct ndr_pull *ndr, int ndr_flags, > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_floors)); >- NDR_PULL_ALLOC_N(ndr, r->floors, r->num_floors); >+ size_floors_0 = r->num_floors; >+ NDR_PULL_ALLOC_N(ndr, r->floors, size_floors_0); > _mem_save_floors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->floors, 0); >- for (cntr_floors_0 = 0; cntr_floors_0 < r->num_floors; cntr_floors_0++) { >+ for (cntr_floors_0 = 0; cntr_floors_0 < size_floors_0; cntr_floors_0++) { > NDR_CHECK(ndr_pull_epm_floor(ndr, NDR_SCALARS, &r->floors[cntr_floors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_floors_0, 0); >@@ -1806,18 +1808,20 @@ static enum ndr_err_code ndr_push_epm_Insert(struct ndr_push *ndr, int flags, co > > static enum ndr_err_code ndr_pull_epm_Insert(struct ndr_pull *ndr, int flags, struct epm_Insert *r) > { >+ uint32_t size_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_entries_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.num_ents)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.entries)); >- NDR_PULL_ALLOC_N(ndr, r->in.entries, ndr_get_array_size(ndr, &r->in.entries)); >+ size_entries_0 = ndr_get_array_size(ndr, &r->in.entries); >+ NDR_PULL_ALLOC_N(ndr, r->in.entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->in.entries[cntr_entries_0])); > } >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->in.entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -1887,18 +1891,20 @@ static enum ndr_err_code ndr_push_epm_Delete(struct ndr_push *ndr, int flags, co > > static enum ndr_err_code ndr_pull_epm_Delete(struct ndr_pull *ndr, int flags, struct epm_Delete *r) > { >+ uint32_t size_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_entries_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.num_ents)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.entries)); >- NDR_PULL_ALLOC_N(ndr, r->in.entries, ndr_get_array_size(ndr, &r->in.entries)); >+ size_entries_0 = ndr_get_array_size(ndr, &r->in.entries); >+ NDR_PULL_ALLOC_N(ndr, r->in.entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->in.entries[cntr_entries_0])); > } >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->in.entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -1992,6 +1998,8 @@ static enum ndr_err_code ndr_pull_epm_Lookup(struct ndr_pull *ndr, int flags, st > { > uint32_t _ptr_object; > uint32_t _ptr_interface_id; >+ uint32_t size_entries_0 = 0; >+ uint32_t length_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_object_0; > TALLOC_CTX *_mem_save_interface_id_0; >@@ -2057,16 +2065,18 @@ static enum ndr_err_code ndr_pull_epm_Lookup(struct ndr_pull *ndr, int flags, st > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_num_ents_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.entries)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.entries)); >- if (ndr_get_array_length(ndr, &r->out.entries) > ndr_get_array_size(ndr, &r->out.entries)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.entries), ndr_get_array_length(ndr, &r->out.entries)); >+ size_entries_0 = ndr_get_array_size(ndr, &r->out.entries); >+ length_entries_0 = ndr_get_array_length(ndr, &r->out.entries); >+ if (length_entries_0 > size_entries_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_entries_0, length_entries_0); > } >- NDR_PULL_ALLOC_N(ndr, r->out.entries, ndr_get_array_size(ndr, &r->out.entries)); >+ NDR_PULL_ALLOC_N(ndr, r->out.entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < *r->out.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < length_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->out.entries[cntr_entries_0])); > } >- for (cntr_entries_0 = 0; cntr_entries_0 < *r->out.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < length_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->out.entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -2185,6 +2195,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_epm_Map(struct ndr_pull *ndr, int flags, str > { > uint32_t _ptr_object; > uint32_t _ptr_map_tower; >+ uint32_t size_towers_0 = 0; >+ uint32_t length_towers_0 = 0; > uint32_t cntr_towers_0; > TALLOC_CTX *_mem_save_object_0; > TALLOC_CTX *_mem_save_map_tower_0; >@@ -2248,16 +2260,18 @@ _PUBLIC_ enum ndr_err_code ndr_pull_epm_Map(struct ndr_pull *ndr, int flags, str > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_num_towers_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.towers)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.towers)); >- if (ndr_get_array_length(ndr, &r->out.towers) > ndr_get_array_size(ndr, &r->out.towers)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.towers), ndr_get_array_length(ndr, &r->out.towers)); >+ size_towers_0 = ndr_get_array_size(ndr, &r->out.towers); >+ length_towers_0 = ndr_get_array_length(ndr, &r->out.towers); >+ if (length_towers_0 > size_towers_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_towers_0, length_towers_0); > } >- NDR_PULL_ALLOC_N(ndr, r->out.towers, ndr_get_array_size(ndr, &r->out.towers)); >+ NDR_PULL_ALLOC_N(ndr, r->out.towers, size_towers_0); > _mem_save_towers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.towers, 0); >- for (cntr_towers_0 = 0; cntr_towers_0 < *r->out.num_towers; cntr_towers_0++) { >+ for (cntr_towers_0 = 0; cntr_towers_0 < length_towers_0; cntr_towers_0++) { > NDR_CHECK(ndr_pull_epm_twr_p_t(ndr, NDR_SCALARS, &r->out.towers[cntr_towers_0])); > } >- for (cntr_towers_0 = 0; cntr_towers_0 < *r->out.num_towers; cntr_towers_0++) { >+ for (cntr_towers_0 = 0; cntr_towers_0 < length_towers_0; cntr_towers_0++) { > NDR_CHECK(ndr_pull_epm_twr_p_t(ndr, NDR_BUFFERS, &r->out.towers[cntr_towers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_towers_0, 0); >diff --git a/source/librpc/gen_ndr/ndr_eventlog.c b/source/librpc/gen_ndr/ndr_eventlog.c >index 2eb26c4..93c76a2 100644 >--- a/source/librpc/gen_ndr/ndr_eventlog.c >+++ b/source/librpc/gen_ndr/ndr_eventlog.c >@@ -93,6 +93,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_eventlog_Record(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_eventlog_Record(struct ndr_pull *ndr, int ndr_flags, struct eventlog_Record *r) > { >+ uint32_t size_strings_0 = 0; > uint32_t cntr_strings_0; > TALLOC_CTX *_mem_save_strings_0; > if (ndr_flags & NDR_SCALARS) { >@@ -128,10 +129,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_eventlog_Record(struct ndr_pull *ndr, int nd > { > uint32_t _flags_save_string = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); >- NDR_PULL_ALLOC_N(ndr, r->strings, r->num_of_strings); >+ size_strings_0 = r->num_of_strings; >+ NDR_PULL_ALLOC_N(ndr, r->strings, size_strings_0); > _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->strings, 0); >- for (cntr_strings_0 = 0; cntr_strings_0 < r->num_of_strings; cntr_strings_0++) { >+ for (cntr_strings_0 = 0; cntr_strings_0 < size_strings_0; cntr_strings_0++) { > NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->strings[cntr_strings_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_strings_0, 0); >@@ -857,6 +859,7 @@ static enum ndr_err_code ndr_push_eventlog_ReadEventLogW(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, int flags, struct eventlog_ReadEventLogW *r) > { >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_sent_size_0; > TALLOC_CTX *_mem_save_real_size_0; >@@ -885,10 +888,11 @@ static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, i > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->out.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.sent_size); > } >diff --git a/source/librpc/gen_ndr/ndr_krb5pac.c b/source/librpc/gen_ndr/ndr_krb5pac.c >index 6e06f90..6e1abad 100644 >--- a/source/librpc/gen_ndr/ndr_krb5pac.c >+++ b/source/librpc/gen_ndr/ndr_krb5pac.c >@@ -21,11 +21,13 @@ static enum ndr_err_code ndr_push_PAC_LOGON_NAME(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_PAC_LOGON_NAME(struct ndr_pull *ndr, int ndr_flags, struct PAC_LOGON_NAME *r) > { >+ uint32_t size_account_name_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->logon_time)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, r->size, sizeof(uint8_t), CH_UTF16)); >+ size_account_name_0 = r->size; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, size_account_name_0, sizeof(uint8_t), CH_UTF16)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -465,24 +467,27 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_DATA(struct ndr_push *ndr, int ndr_flags > > _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA *r) > { >+ uint32_t size_buffers_0 = 0; > uint32_t cntr_buffers_0; > TALLOC_CTX *_mem_save_buffers_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); >- NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers); >+ size_buffers_0 = r->num_buffers; >+ NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0); > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_buffers_0 = r->num_buffers; > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); >@@ -627,24 +632,27 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_DATA_RAW(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA_RAW(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA_RAW *r) > { >+ uint32_t size_buffers_0 = 0; > uint32_t cntr_buffers_0; > TALLOC_CTX *_mem_save_buffers_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); >- NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers); >+ size_buffers_0 = r->num_buffers; >+ NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0); > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_buffers_0 = r->num_buffers; > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); >diff --git a/source/librpc/gen_ndr/ndr_lsa.c b/source/librpc/gen_ndr/ndr_lsa.c >index f25410a..690e159 100644 >--- a/source/librpc/gen_ndr/ndr_lsa.c >+++ b/source/librpc/gen_ndr/ndr_lsa.c >@@ -26,6 +26,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_String(struct ndr_push *ndr, int ndr_fla > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_String(struct ndr_pull *ndr, int ndr_flags, struct lsa_String *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -44,10 +46,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_String(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -97,6 +101,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_StringLarge(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_StringLarge(struct ndr_pull *ndr, int ndr_flags, struct lsa_StringLarge *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -115,10 +121,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_StringLarge(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -171,6 +179,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_Strings(struct ndr_push *ndr, int ndr_fl > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_Strings(struct ndr_pull *ndr, int ndr_flags, struct lsa_Strings *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -189,13 +198,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_Strings(struct ndr_pull *ndr, int ndr_fl > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -254,6 +264,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_AsciiString(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiString(struct ndr_pull *ndr, int ndr_flags, struct lsa_AsciiString *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -272,10 +284,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiString(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -325,6 +339,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_AsciiStringLarge(struct ndr_push *ndr, i > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiStringLarge(struct ndr_pull *ndr, int ndr_flags, struct lsa_AsciiStringLarge *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -343,10 +359,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiStringLarge(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -399,6 +417,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_BinaryString(struct ndr_push *ndr, int n > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_BinaryString(struct ndr_pull *ndr, int ndr_flags, struct lsa_BinaryString *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; >+ uint32_t length_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -419,13 +439,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_BinaryString(struct ndr_pull *ndr, int n > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->array)); >- if (ndr_get_array_length(ndr, &r->array) > ndr_get_array_size(ndr, &r->array)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->array), ndr_get_array_length(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ length_array_1 = ndr_get_array_length(ndr, &r->array); >+ if (length_array_1 > size_array_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_array_1, length_array_1); > } >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->length / 2; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < length_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -559,6 +581,7 @@ static enum ndr_err_code ndr_push_lsa_PrivArray(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_lsa_PrivArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_PrivArray *r) > { > uint32_t _ptr_privs; >+ uint32_t size_privs_1 = 0; > uint32_t cntr_privs_1; > TALLOC_CTX *_mem_save_privs_0; > TALLOC_CTX *_mem_save_privs_1; >@@ -577,13 +600,14 @@ static enum ndr_err_code ndr_pull_lsa_PrivArray(struct ndr_pull *ndr, int ndr_fl > _mem_save_privs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privs, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->privs)); >- NDR_PULL_ALLOC_N(ndr, r->privs, ndr_get_array_size(ndr, &r->privs)); >+ size_privs_1 = ndr_get_array_size(ndr, &r->privs); >+ NDR_PULL_ALLOC_N(ndr, r->privs, size_privs_1); > _mem_save_privs_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privs, 0); >- for (cntr_privs_1 = 0; cntr_privs_1 < r->count; cntr_privs_1++) { >+ for (cntr_privs_1 = 0; cntr_privs_1 < size_privs_1; cntr_privs_1++) { > NDR_CHECK(ndr_pull_lsa_PrivEntry(ndr, NDR_SCALARS, &r->privs[cntr_privs_1])); > } >- for (cntr_privs_1 = 0; cntr_privs_1 < r->count; cntr_privs_1++) { >+ for (cntr_privs_1 = 0; cntr_privs_1 < size_privs_1; cntr_privs_1++) { > NDR_CHECK(ndr_pull_lsa_PrivEntry(ndr, NDR_BUFFERS, &r->privs[cntr_privs_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privs_1, 0); >@@ -695,6 +719,8 @@ static enum ndr_err_code ndr_pull_lsa_ObjectAttribute(struct ndr_pull *ndr, int > uint32_t _ptr_root_dir; > TALLOC_CTX *_mem_save_root_dir_0; > uint32_t _ptr_object_name; >+ uint32_t size_object_name_1 = 0; >+ uint32_t length_object_name_1 = 0; > TALLOC_CTX *_mem_save_object_name_0; > uint32_t _ptr_sec_desc; > TALLOC_CTX *_mem_save_sec_desc_0; >@@ -741,11 +767,13 @@ static enum ndr_err_code ndr_pull_lsa_ObjectAttribute(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->object_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_name)); >- if (ndr_get_array_length(ndr, &r->object_name) > ndr_get_array_size(ndr, &r->object_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_name), ndr_get_array_length(ndr, &r->object_name)); >+ size_object_name_1 = ndr_get_array_size(ndr, &r->object_name); >+ length_object_name_1 = ndr_get_array_length(ndr, &r->object_name); >+ if (length_object_name_1 > size_object_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_name_1, length_object_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_name, ndr_get_array_length(ndr, &r->object_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_name, length_object_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_name_0, 0); > } > if (r->sec_desc) { >@@ -929,6 +957,7 @@ static enum ndr_err_code ndr_push_lsa_AuditEventsInfo(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_lsa_AuditEventsInfo(struct ndr_pull *ndr, int ndr_flags, struct lsa_AuditEventsInfo *r) > { > uint32_t _ptr_settings; >+ uint32_t size_settings_1 = 0; > uint32_t cntr_settings_1; > TALLOC_CTX *_mem_save_settings_0; > TALLOC_CTX *_mem_save_settings_1; >@@ -948,10 +977,11 @@ static enum ndr_err_code ndr_pull_lsa_AuditEventsInfo(struct ndr_pull *ndr, int > _mem_save_settings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->settings, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->settings)); >- NDR_PULL_ALLOC_N(ndr, r->settings, ndr_get_array_size(ndr, &r->settings)); >+ size_settings_1 = ndr_get_array_size(ndr, &r->settings); >+ NDR_PULL_ALLOC_N(ndr, r->settings, size_settings_1); > _mem_save_settings_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->settings, 0); >- for (cntr_settings_1 = 0; cntr_settings_1 < r->count; cntr_settings_1++) { >+ for (cntr_settings_1 = 0; cntr_settings_1 < size_settings_1; cntr_settings_1++) { > NDR_CHECK(ndr_pull_lsa_PolicyAuditPolicy(ndr, NDR_SCALARS, &r->settings[cntr_settings_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_settings_1, 0); >@@ -1756,6 +1786,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_SidArray(struct ndr_push *ndr, int ndr_f > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_SidArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_SidArray *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -1777,13 +1808,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_SidArray(struct ndr_pull *ndr, int ndr_f > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_SidPtr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_SidPtr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -1845,6 +1877,7 @@ static enum ndr_err_code ndr_push_lsa_DomainList(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_lsa_DomainList(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainList *r) > { > uint32_t _ptr_domains; >+ uint32_t size_domains_1 = 0; > uint32_t cntr_domains_1; > TALLOC_CTX *_mem_save_domains_0; > TALLOC_CTX *_mem_save_domains_1; >@@ -1863,13 +1896,14 @@ static enum ndr_err_code ndr_pull_lsa_DomainList(struct ndr_pull *ndr, int ndr_f > _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); >- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); >+ size_domains_1 = ndr_get_array_size(ndr, &r->domains); >+ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); > _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); > } >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); >@@ -1997,6 +2031,7 @@ static enum ndr_err_code ndr_push_lsa_TransSidArray(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_lsa_TransSidArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -2018,10 +2053,11 @@ static enum ndr_err_code ndr_pull_lsa_TransSidArray(struct ndr_pull *ndr, int nd > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -2084,6 +2120,7 @@ static enum ndr_err_code ndr_push_lsa_RefDomainList(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_lsa_RefDomainList(struct ndr_pull *ndr, int ndr_flags, struct lsa_RefDomainList *r) > { > uint32_t _ptr_domains; >+ uint32_t size_domains_1 = 0; > uint32_t cntr_domains_1; > TALLOC_CTX *_mem_save_domains_0; > TALLOC_CTX *_mem_save_domains_1; >@@ -2106,13 +2143,14 @@ static enum ndr_err_code ndr_pull_lsa_RefDomainList(struct ndr_pull *ndr, int nd > _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); >- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); >+ size_domains_1 = ndr_get_array_size(ndr, &r->domains); >+ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); > _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); > } >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); >@@ -2242,6 +2280,7 @@ static enum ndr_err_code ndr_push_lsa_TransNameArray(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_lsa_TransNameArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransNameArray *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -2263,13 +2302,14 @@ static enum ndr_err_code ndr_pull_lsa_TransNameArray(struct ndr_pull *ndr, int n > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -2358,6 +2398,7 @@ static enum ndr_err_code ndr_push_lsa_PrivilegeSet(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_lsa_PrivilegeSet(struct ndr_pull *ndr, int ndr_flags, struct lsa_PrivilegeSet *r) > { >+ uint32_t size_set_0 = 0; > uint32_t cntr_set_0; > TALLOC_CTX *_mem_save_set_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2368,10 +2409,11 @@ static enum ndr_err_code ndr_pull_lsa_PrivilegeSet(struct ndr_pull *ndr, int ndr > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown)); >- NDR_PULL_ALLOC_N(ndr, r->set, ndr_get_array_size(ndr, &r->set)); >+ size_set_0 = ndr_get_array_size(ndr, &r->set); >+ NDR_PULL_ALLOC_N(ndr, r->set, size_set_0); > _mem_save_set_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->set, 0); >- for (cntr_set_0 = 0; cntr_set_0 < r->count; cntr_set_0++) { >+ for (cntr_set_0 = 0; cntr_set_0 < size_set_0; cntr_set_0++) { > NDR_CHECK(ndr_pull_lsa_LUIDAttribute(ndr, NDR_SCALARS, &r->set[cntr_set_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_set_0, 0); >@@ -2431,6 +2473,8 @@ static enum ndr_err_code ndr_push_lsa_DATA_BUF(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_lsa_DATA_BUF(struct ndr_pull *ndr, int ndr_flags, struct lsa_DATA_BUF *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; >+ uint32_t length_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -2452,11 +2496,13 @@ static enum ndr_err_code ndr_pull_lsa_DATA_BUF(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); >- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ length_data_1 = ndr_get_array_length(ndr, &r->data); >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -2515,6 +2561,7 @@ static enum ndr_err_code ndr_push_lsa_DATA_BUF2(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_lsa_DATA_BUF2(struct ndr_pull *ndr, int ndr_flags, struct lsa_DATA_BUF2 *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -2537,8 +2584,9 @@ static enum ndr_err_code ndr_pull_lsa_DATA_BUF2(struct ndr_pull *ndr, int ndr_fl > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -3463,6 +3511,7 @@ static enum ndr_err_code ndr_push_lsa_RightSet(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_lsa_RightSet(struct ndr_pull *ndr, int ndr_flags, struct lsa_RightSet *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -3484,13 +3533,14 @@ static enum ndr_err_code ndr_pull_lsa_RightSet(struct ndr_pull *ndr, int ndr_fla > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -3552,6 +3602,7 @@ static enum ndr_err_code ndr_push_lsa_DomainListEx(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_lsa_DomainListEx(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainListEx *r) > { > uint32_t _ptr_domains; >+ uint32_t size_domains_1 = 0; > uint32_t cntr_domains_1; > TALLOC_CTX *_mem_save_domains_0; > TALLOC_CTX *_mem_save_domains_1; >@@ -3570,13 +3621,14 @@ static enum ndr_err_code ndr_pull_lsa_DomainListEx(struct ndr_pull *ndr, int ndr > _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); >- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); >+ size_domains_1 = ndr_get_array_size(ndr, &r->domains); >+ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); > _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_TrustDomainInfoInfoEx(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); > } >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_TrustDomainInfoInfoEx(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); >@@ -3677,6 +3729,7 @@ static enum ndr_err_code ndr_push_lsa_DomainInfoEfs(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_lsa_DomainInfoEfs(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainInfoEfs *r) > { > uint32_t _ptr_efs_blob; >+ uint32_t size_efs_blob_1 = 0; > TALLOC_CTX *_mem_save_efs_blob_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -3693,8 +3746,9 @@ static enum ndr_err_code ndr_pull_lsa_DomainInfoEfs(struct ndr_pull *ndr, int nd > _mem_save_efs_blob_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->efs_blob, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->efs_blob)); >- NDR_PULL_ALLOC_N(ndr, r->efs_blob, ndr_get_array_size(ndr, &r->efs_blob)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->efs_blob, ndr_get_array_size(ndr, &r->efs_blob))); >+ size_efs_blob_1 = ndr_get_array_size(ndr, &r->efs_blob); >+ NDR_PULL_ALLOC_N(ndr, r->efs_blob, size_efs_blob_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->efs_blob, size_efs_blob_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_efs_blob_0, 0); > } > if (r->efs_blob) { >@@ -3877,6 +3931,7 @@ static enum ndr_err_code ndr_push_lsa_TransNameArray2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_lsa_TransNameArray2(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransNameArray2 *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -3898,13 +3953,14 @@ static enum ndr_err_code ndr_pull_lsa_TransNameArray2(struct ndr_pull *ndr, int > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName2(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName2(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -4002,6 +4058,7 @@ static enum ndr_err_code ndr_push_lsa_TransSidArray2(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_lsa_TransSidArray2(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray2 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -4023,10 +4080,11 @@ static enum ndr_err_code ndr_pull_lsa_TransSidArray2(struct ndr_pull *ndr, int n > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid2(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -4148,6 +4206,7 @@ static enum ndr_err_code ndr_push_lsa_TransSidArray3(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_lsa_TransSidArray3(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray3 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -4169,13 +4228,14 @@ static enum ndr_err_code ndr_pull_lsa_TransSidArray3(struct ndr_pull *ndr, int n > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid3(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid3(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -4231,6 +4291,7 @@ static enum ndr_err_code ndr_push_lsa_ForestTrustBinaryData(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_lsa_ForestTrustBinaryData(struct ndr_pull *ndr, int ndr_flags, struct lsa_ForestTrustBinaryData *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4250,8 +4311,9 @@ static enum ndr_err_code ndr_pull_lsa_ForestTrustBinaryData(struct ndr_pull *ndr > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -4559,6 +4621,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_ForestTrustInformation(struct ndr_push * > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull *ndr, int ndr_flags, struct lsa_ForestTrustInformation *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4581,10 +4644,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull * > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_entries)); > if (_ptr_entries) { > NDR_PULL_ALLOC(ndr, r->entries[cntr_entries_1]); >@@ -4592,7 +4656,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull * > r->entries[cntr_entries_1] = NULL; > } > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > if (r->entries[cntr_entries_1]) { > _mem_save_entries_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries[cntr_entries_1], 0); >@@ -5901,6 +5965,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_LookupNames(struct ndr_push *ndr, int fl > > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames(struct ndr_pull *ndr, int flags, struct lsa_LookupNames *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_handle_0; >@@ -5924,13 +5989,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames(struct ndr_pull *ndr, int fl > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -8709,6 +8775,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_OpenPolicy2(struct ndr_push *ndr, int fl > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_OpenPolicy2(struct ndr_pull *ndr, int flags, struct lsa_OpenPolicy2 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_attr_0; > TALLOC_CTX *_mem_save_handle_0; >@@ -8726,11 +8794,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_OpenPolicy2(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -8841,6 +8911,8 @@ static enum ndr_err_code ndr_push_lsa_GetUserName(struct ndr_push *ndr, int flag > static enum ndr_err_code ndr_pull_lsa_GetUserName(struct ndr_pull *ndr, int flags, struct lsa_GetUserName *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > uint32_t _ptr_account_name; > uint32_t _ptr_authority_name; > TALLOC_CTX *_mem_save_system_name_0; >@@ -8862,11 +8934,13 @@ static enum ndr_err_code ndr_pull_lsa_GetUserName(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -10205,6 +10279,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_LookupNames2(struct ndr_push *ndr, int f > > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames2(struct ndr_pull *ndr, int flags, struct lsa_LookupNames2 *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_handle_0; >@@ -10228,13 +10303,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames2(struct ndr_pull *ndr, int f > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -10788,6 +10864,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_LookupNames3(struct ndr_push *ndr, int f > > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames3(struct ndr_pull *ndr, int flags, struct lsa_LookupNames3 *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_handle_0; >@@ -10811,13 +10888,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames3(struct ndr_pull *ndr, int f > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -11534,6 +11612,7 @@ static enum ndr_err_code ndr_push_lsa_LookupNames4(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_lsa_LookupNames4(struct ndr_pull *ndr, int flags, struct lsa_LookupNames4 *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_names_0; >@@ -11549,13 +11628,14 @@ static enum ndr_err_code ndr_pull_lsa_LookupNames4(struct ndr_pull *ndr, int fla > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >diff --git a/source/librpc/gen_ndr/ndr_messaging.c b/source/librpc/gen_ndr/ndr_messaging.c >index 6251c18..f9f4b6b 100644 >--- a/source/librpc/gen_ndr/ndr_messaging.c >+++ b/source/librpc/gen_ndr/ndr_messaging.c >@@ -69,23 +69,26 @@ _PUBLIC_ enum ndr_err_code ndr_push_messaging_array(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_messaging_array(struct ndr_pull *ndr, int ndr_flags, struct messaging_array *r) > { >+ uint32_t size_messages_0 = 0; > uint32_t cntr_messages_0; > TALLOC_CTX *_mem_save_messages_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_messages)); >- NDR_PULL_ALLOC_N(ndr, r->messages, r->num_messages); >+ size_messages_0 = r->num_messages; >+ NDR_PULL_ALLOC_N(ndr, r->messages, size_messages_0); > _mem_save_messages_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->messages, 0); >- for (cntr_messages_0 = 0; cntr_messages_0 < r->num_messages; cntr_messages_0++) { >+ for (cntr_messages_0 = 0; cntr_messages_0 < size_messages_0; cntr_messages_0++) { > NDR_CHECK(ndr_pull_messaging_rec(ndr, NDR_SCALARS, &r->messages[cntr_messages_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_messages_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_messages_0 = r->num_messages; > _mem_save_messages_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->messages, 0); >- for (cntr_messages_0 = 0; cntr_messages_0 < r->num_messages; cntr_messages_0++) { >+ for (cntr_messages_0 = 0; cntr_messages_0 < size_messages_0; cntr_messages_0++) { > NDR_CHECK(ndr_pull_messaging_rec(ndr, NDR_BUFFERS, &r->messages[cntr_messages_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_messages_0, 0); >@@ -138,27 +141,35 @@ _PUBLIC_ enum ndr_err_code ndr_push_dbwrap_tdb2_changes(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_dbwrap_tdb2_changes(struct ndr_pull *ndr, int ndr_flags, struct dbwrap_tdb2_changes *r) > { >+ uint32_t size_magic_string_0 = 0; >+ uint32_t size_name_0 = 0; >+ uint32_t length_name_0 = 0; >+ uint32_t size_keys_0 = 0; > uint32_t cntr_keys_0; > TALLOC_CTX *_mem_save_keys_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic_string, 4, sizeof(uint8_t), CH_DOS)); >+ size_magic_string_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic_string, size_magic_string_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic_version)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_0 = ndr_get_array_size(ndr, &r->name); >+ length_name_0 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_0 > size_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_0, length_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_0, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_0, sizeof(uint8_t), CH_UTF8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->old_seqnum)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->new_seqnum)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_changes)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_keys)); >- NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); >+ size_keys_0 = r->num_keys; >+ NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >diff --git a/source/librpc/gen_ndr/ndr_misc.c b/source/librpc/gen_ndr/ndr_misc.c >index 56105d4..12da791 100644 >--- a/source/librpc/gen_ndr/ndr_misc.c >+++ b/source/librpc/gen_ndr/ndr_misc.c >@@ -20,13 +20,17 @@ _PUBLIC_ enum ndr_err_code ndr_push_GUID(struct ndr_push *ndr, int ndr_flags, co > > _PUBLIC_ enum ndr_err_code ndr_pull_GUID(struct ndr_pull *ndr, int ndr_flags, struct GUID *r) > { >+ uint32_t size_clock_seq_0 = 0; >+ uint32_t size_node_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->time_low)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_mid)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_hi_and_version)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->clock_seq, 2)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->node, 6)); >+ size_clock_seq_0 = 2; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->clock_seq, size_clock_seq_0)); >+ size_node_0 = 6; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->node, size_node_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >diff --git a/source/librpc/gen_ndr/ndr_netlogon.c b/source/librpc/gen_ndr/ndr_netlogon.c >index e7df081..4d6148f 100644 >--- a/source/librpc/gen_ndr/ndr_netlogon.c >+++ b/source/librpc/gen_ndr/ndr_netlogon.c >@@ -60,12 +60,20 @@ static enum ndr_err_code ndr_push_netr_UasInfo(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_UasInfo *r) > { > uint32_t _ptr_account_name; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; > TALLOC_CTX *_mem_save_account_name_0; > uint32_t _ptr_computer; >+ uint32_t size_computer_1 = 0; >+ uint32_t length_computer_1 = 0; > TALLOC_CTX *_mem_save_computer_0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > uint32_t _ptr_script_path; >+ uint32_t size_script_path_1 = 0; >+ uint32_t length_script_path_1 = 0; > TALLOC_CTX *_mem_save_script_path_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -112,11 +120,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->account_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); >- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_name_0, 0); > } > if (r->computer) { >@@ -124,11 +134,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->computer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer)); >- if (ndr_get_array_length(ndr, &r->computer) > ndr_get_array_size(ndr, &r->computer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer), ndr_get_array_length(ndr, &r->computer)); >+ size_computer_1 = ndr_get_array_size(ndr, &r->computer); >+ length_computer_1 = ndr_get_array_length(ndr, &r->computer); >+ if (length_computer_1 > size_computer_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_1, length_computer_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer, ndr_get_array_length(ndr, &r->computer), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer, length_computer_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_0, 0); > } > if (r->domain) { >@@ -136,11 +148,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->script_path) { >@@ -148,11 +162,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->script_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->script_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->script_path)); >- if (ndr_get_array_length(ndr, &r->script_path) > ndr_get_array_size(ndr, &r->script_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->script_path), ndr_get_array_length(ndr, &r->script_path)); >+ size_script_path_1 = ndr_get_array_size(ndr, &r->script_path); >+ length_script_path_1 = ndr_get_array_length(ndr, &r->script_path); >+ if (length_script_path_1 > size_script_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_script_path_1, length_script_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->script_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->script_path, ndr_get_array_length(ndr, &r->script_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_script_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->script_path, length_script_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_script_path_0, 0); > } > } >@@ -421,6 +437,8 @@ static enum ndr_err_code ndr_push_netr_ChallengeResponse(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_ChallengeResponse(struct ndr_pull *ndr, int ndr_flags, struct netr_ChallengeResponse *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; >+ uint32_t length_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -442,11 +460,13 @@ static enum ndr_err_code ndr_pull_netr_ChallengeResponse(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); >- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ length_data_1 = ndr_get_array_length(ndr, &r->data); >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -505,13 +525,15 @@ static enum ndr_err_code ndr_push_netr_NetworkInfo(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_netr_NetworkInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_NetworkInfo *r) > { >+ uint32_t size_challenge_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_netr_IdentityInfo(ndr, NDR_SCALARS, &r->identity_info)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->challenge, 8)); >+ size_challenge_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->challenge, size_challenge_0)); > NDR_CHECK(ndr_pull_netr_ChallengeResponse(ndr, NDR_SCALARS, &r->nt)); > NDR_CHECK(ndr_pull_netr_ChallengeResponse(ndr, NDR_SCALARS, &r->lm)); > } >@@ -616,7 +638,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonInfo(struct ndr_pull *ndr, int ndr > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_password_0; >+ uint32_t _ptr_password; > TALLOC_CTX *_mem_save_network_0; >+ uint32_t _ptr_network; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -625,7 +649,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonInfo(struct ndr_pull *ndr, int ndr > } > switch (level) { > case 1: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -635,7 +658,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonInfo(struct ndr_pull *ndr, int ndr > break; } > > case 2: { >- uint32_t _ptr_network; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_network)); > if (_ptr_network) { > NDR_PULL_ALLOC(ndr, r->network); >@@ -645,7 +667,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonInfo(struct ndr_pull *ndr, int ndr > break; } > > case 3: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -655,7 +676,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonInfo(struct ndr_pull *ndr, int ndr > break; } > > case 5: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -665,7 +685,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonInfo(struct ndr_pull *ndr, int ndr > break; } > > case 6: { >- uint32_t _ptr_network; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_network)); > if (_ptr_network) { > NDR_PULL_ALLOC(ndr, r->network); >@@ -806,12 +825,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_UserSessionKey(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_netr_UserSessionKey(struct ndr_pull *ndr, int ndr_flags, struct netr_UserSessionKey *r) > { >+ uint32_t size_key_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, 16)); >+ size_key_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, size_key_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -851,12 +872,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_LMSessionKey(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_netr_LMSessionKey(struct ndr_pull *ndr, int ndr_flags, struct netr_LMSessionKey *r) > { >+ uint32_t size_key_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, 8)); >+ size_key_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, size_key_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -964,6 +987,7 @@ static enum ndr_err_code ndr_pull_netr_SamBaseInfo(struct ndr_pull *ndr, int ndr > { > uint32_t _ptr_domain_sid; > TALLOC_CTX *_mem_save_domain_sid_0; >+ uint32_t size_unknown_0 = 0; > uint32_t cntr_unknown_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -996,7 +1020,8 @@ static enum ndr_err_code ndr_pull_netr_SamBaseInfo(struct ndr_pull *ndr, int ndr > } > NDR_CHECK(ndr_pull_netr_LMSessionKey(ndr, NDR_SCALARS, &r->LMSessKey)); > NDR_CHECK(ndr_pull_samr_AcctFlags(ndr, NDR_SCALARS, &r->acct_flags)); >- for (cntr_unknown_0 = 0; cntr_unknown_0 < 7; cntr_unknown_0++) { >+ size_unknown_0 = 7; >+ for (cntr_unknown_0 = 0; cntr_unknown_0 < size_unknown_0; cntr_unknown_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown[cntr_unknown_0])); > } > } >@@ -1180,6 +1205,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_SamInfo3(struct ndr_push *ndr, int ndr_ > _PUBLIC_ enum ndr_err_code ndr_pull_netr_SamInfo3(struct ndr_pull *ndr, int ndr_flags, struct netr_SamInfo3 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -1200,13 +1226,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_SamInfo3(struct ndr_pull *ndr, int ndr_ > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -1279,9 +1306,11 @@ static enum ndr_err_code ndr_push_netr_SamInfo6(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_flags, struct netr_SamInfo6 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >+ uint32_t size_unknown4_0 = 0; > uint32_t cntr_unknown4_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1295,7 +1324,8 @@ static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_fl > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->forest)); > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->principle)); >- for (cntr_unknown4_0 = 0; cntr_unknown4_0 < 20; cntr_unknown4_0++) { >+ size_unknown4_0 = 20; >+ for (cntr_unknown4_0 = 0; cntr_unknown4_0 < size_unknown4_0; cntr_unknown4_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown4[cntr_unknown4_0])); > } > } >@@ -1305,13 +1335,14 @@ static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_fl > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -1408,9 +1439,12 @@ static enum ndr_err_code ndr_push_netr_PacInfo(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_PacInfo *r) > { > uint32_t _ptr_pac; >+ uint32_t size_pac_1 = 0; > TALLOC_CTX *_mem_save_pac_0; > uint32_t _ptr_auth; >+ uint32_t size_auth_1 = 0; > TALLOC_CTX *_mem_save_auth_0; >+ uint32_t size_expansionroom_0 = 0; > uint32_t cntr_expansionroom_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1432,7 +1466,8 @@ static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_fla > r->auth = NULL; > } > NDR_CHECK(ndr_pull_netr_UserSessionKey(ndr, NDR_SCALARS, &r->user_session_key)); >- for (cntr_expansionroom_0 = 0; cntr_expansionroom_0 < 10; cntr_expansionroom_0++) { >+ size_expansionroom_0 = 10; >+ for (cntr_expansionroom_0 = 0; cntr_expansionroom_0 < size_expansionroom_0; cntr_expansionroom_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->expansionroom[cntr_expansionroom_0])); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->unknown1)); >@@ -1445,8 +1480,9 @@ static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_fla > _mem_save_pac_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->pac, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->pac)); >- NDR_PULL_ALLOC_N(ndr, r->pac, ndr_get_array_size(ndr, &r->pac)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pac, ndr_get_array_size(ndr, &r->pac))); >+ size_pac_1 = ndr_get_array_size(ndr, &r->pac); >+ NDR_PULL_ALLOC_N(ndr, r->pac, size_pac_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pac, size_pac_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pac_0, 0); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->logon_domain)); >@@ -1456,8 +1492,9 @@ static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_fla > _mem_save_auth_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->auth, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->auth)); >- NDR_PULL_ALLOC_N(ndr, r->auth, ndr_get_array_size(ndr, &r->auth)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->auth, ndr_get_array_size(ndr, &r->auth))); >+ size_auth_1 = ndr_get_array_size(ndr, &r->auth); >+ NDR_PULL_ALLOC_N(ndr, r->auth, size_auth_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->auth, size_auth_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_auth_0, 0); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->unknown1)); >@@ -1589,9 +1626,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_sam2_0; >+ uint32_t _ptr_sam2; > TALLOC_CTX *_mem_save_sam3_0; >+ uint32_t _ptr_sam3; > TALLOC_CTX *_mem_save_pac_0; >+ uint32_t _ptr_pac; > TALLOC_CTX *_mem_save_sam6_0; >+ uint32_t _ptr_sam6; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -1600,7 +1641,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > } > switch (level) { > case 2: { >- uint32_t _ptr_sam2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam2)); > if (_ptr_sam2) { > NDR_PULL_ALLOC(ndr, r->sam2); >@@ -1610,7 +1650,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case 3: { >- uint32_t _ptr_sam3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam3)); > if (_ptr_sam3) { > NDR_PULL_ALLOC(ndr, r->sam3); >@@ -1620,7 +1659,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case 4: { >- uint32_t _ptr_pac; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_pac)); > if (_ptr_pac) { > NDR_PULL_ALLOC(ndr, r->pac); >@@ -1630,7 +1668,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case 5: { >- uint32_t _ptr_pac; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_pac)); > if (_ptr_pac) { > NDR_PULL_ALLOC(ndr, r->pac); >@@ -1640,7 +1677,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case 6: { >- uint32_t _ptr_sam6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam6)); > if (_ptr_sam6) { > NDR_PULL_ALLOC(ndr, r->sam6); >@@ -1781,12 +1817,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_Credential(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_netr_Credential(struct ndr_pull *ndr, int ndr_flags, struct netr_Credential *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 8)); >+ size_data_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -1898,6 +1936,8 @@ static enum ndr_err_code ndr_push_netr_DELTA_DELETE_USER(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_DELTA_DELETE_USER(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_DELETE_USER *r) > { > uint32_t _ptr_account_name; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; > TALLOC_CTX *_mem_save_account_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1922,11 +1962,13 @@ static enum ndr_err_code ndr_pull_netr_DELTA_DELETE_USER(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->account_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); >- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_name_0, 0); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->unknown1)); >@@ -2019,6 +2061,8 @@ static enum ndr_err_code ndr_push_netr_PasswordHistory(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_netr_PasswordHistory(struct ndr_pull *ndr, int ndr_flags, struct netr_PasswordHistory *r) > { >+ uint32_t size_nt_history_0 = 0; >+ uint32_t size_lm_history_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->nt_length)); >@@ -2027,10 +2071,12 @@ static enum ndr_err_code ndr_pull_netr_PasswordHistory(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm_length)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm_size)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->lm_flags)); >- NDR_PULL_ALLOC_N(ndr, r->nt_history, r->nt_length); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nt_history, r->nt_length)); >- NDR_PULL_ALLOC_N(ndr, r->lm_history, r->lm_length); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->lm_history, r->lm_length)); >+ size_nt_history_0 = r->nt_length; >+ NDR_PULL_ALLOC_N(ndr, r->nt_history, size_nt_history_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nt_history, size_nt_history_0)); >+ size_lm_history_0 = r->lm_length; >+ NDR_PULL_ALLOC_N(ndr, r->lm_history, size_lm_history_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->lm_history, size_lm_history_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -2189,6 +2235,7 @@ static enum ndr_err_code ndr_push_netr_USER_PRIVATE_INFO(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_USER_PRIVATE_INFO(struct ndr_pull *ndr, int ndr_flags, struct netr_USER_PRIVATE_INFO *r) > { > uint32_t _ptr_SensitiveData; >+ uint32_t size_SensitiveData_1 = 0; > TALLOC_CTX *_mem_save_SensitiveData_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2214,8 +2261,9 @@ static enum ndr_err_code ndr_pull_netr_USER_PRIVATE_INFO(struct ndr_pull *ndr, i > _mem_save_SensitiveData_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->SensitiveData, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->SensitiveData)); >- NDR_PULL_ALLOC_N(ndr, r->SensitiveData, ndr_get_array_size(ndr, &r->SensitiveData)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SensitiveData, ndr_get_array_size(ndr, &r->SensitiveData))); >+ size_SensitiveData_1 = ndr_get_array_size(ndr, &r->SensitiveData); >+ NDR_PULL_ALLOC_N(ndr, r->SensitiveData, size_SensitiveData_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SensitiveData, size_SensitiveData_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_SensitiveData_0, 0); > } > ndr->flags = _flags_save_uint8; >@@ -2700,10 +2748,12 @@ static enum ndr_err_code ndr_push_netr_DELTA_GROUP_MEMBER(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_GROUP_MEMBER *r) > { > uint32_t _ptr_rids; >+ uint32_t size_rids_1 = 0; > uint32_t cntr_rids_1; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_rids_1; > uint32_t _ptr_attribs; >+ uint32_t size_attribs_1 = 0; > uint32_t cntr_attribs_1; > TALLOC_CTX *_mem_save_attribs_0; > TALLOC_CTX *_mem_save_attribs_1; >@@ -2732,10 +2782,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_1 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); > _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_1 = 0; cntr_rids_1 < r->num_rids; cntr_rids_1++) { >+ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); >@@ -2745,10 +2796,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, > _mem_save_attribs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attribs, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribs)); >- NDR_PULL_ALLOC_N(ndr, r->attribs, ndr_get_array_size(ndr, &r->attribs)); >+ size_attribs_1 = ndr_get_array_size(ndr, &r->attribs); >+ NDR_PULL_ALLOC_N(ndr, r->attribs, size_attribs_1); > _mem_save_attribs_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attribs, 0); >- for (cntr_attribs_1 = 0; cntr_attribs_1 < r->num_rids; cntr_attribs_1++) { >+ for (cntr_attribs_1 = 0; cntr_attribs_1 < size_attribs_1; cntr_attribs_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->attribs[cntr_attribs_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribs_1, 0); >@@ -3021,6 +3073,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_POLICY(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_DELTA_POLICY(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_POLICY *r) > { > uint32_t _ptr_eventauditoptions; >+ uint32_t size_eventauditoptions_1 = 0; > uint32_t cntr_eventauditoptions_1; > TALLOC_CTX *_mem_save_eventauditoptions_0; > TALLOC_CTX *_mem_save_eventauditoptions_1; >@@ -3064,10 +3117,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_POLICY(struct ndr_pull *ndr, int nd > _mem_save_eventauditoptions_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->eventauditoptions, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->eventauditoptions)); >- NDR_PULL_ALLOC_N(ndr, r->eventauditoptions, ndr_get_array_size(ndr, &r->eventauditoptions)); >+ size_eventauditoptions_1 = ndr_get_array_size(ndr, &r->eventauditoptions); >+ NDR_PULL_ALLOC_N(ndr, r->eventauditoptions, size_eventauditoptions_1); > _mem_save_eventauditoptions_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->eventauditoptions, 0); >- for (cntr_eventauditoptions_1 = 0; cntr_eventauditoptions_1 < r->maxauditeventcount + 1; cntr_eventauditoptions_1++) { >+ for (cntr_eventauditoptions_1 = 0; cntr_eventauditoptions_1 < size_eventauditoptions_1; cntr_eventauditoptions_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->eventauditoptions[cntr_eventauditoptions_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventauditoptions_1, 0); >@@ -3181,6 +3235,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_TRUSTED_DOMAIN(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_netr_DELTA_TRUSTED_DOMAIN(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_TRUSTED_DOMAIN *r) > { > uint32_t _ptr_controller_names; >+ uint32_t size_controller_names_1 = 0; > uint32_t cntr_controller_names_1; > TALLOC_CTX *_mem_save_controller_names_0; > TALLOC_CTX *_mem_save_controller_names_1; >@@ -3211,13 +3266,14 @@ static enum ndr_err_code ndr_pull_netr_DELTA_TRUSTED_DOMAIN(struct ndr_pull *ndr > _mem_save_controller_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->controller_names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->controller_names)); >- NDR_PULL_ALLOC_N(ndr, r->controller_names, ndr_get_array_size(ndr, &r->controller_names)); >+ size_controller_names_1 = ndr_get_array_size(ndr, &r->controller_names); >+ NDR_PULL_ALLOC_N(ndr, r->controller_names, size_controller_names_1); > _mem_save_controller_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->controller_names, 0); >- for (cntr_controller_names_1 = 0; cntr_controller_names_1 < r->num_controllers; cntr_controller_names_1++) { >+ for (cntr_controller_names_1 = 0; cntr_controller_names_1 < size_controller_names_1; cntr_controller_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->controller_names[cntr_controller_names_1])); > } >- for (cntr_controller_names_1 = 0; cntr_controller_names_1 < r->num_controllers; cntr_controller_names_1++) { >+ for (cntr_controller_names_1 = 0; cntr_controller_names_1 < size_controller_names_1; cntr_controller_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->controller_names[cntr_controller_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_controller_names_1, 0); >@@ -3351,10 +3407,12 @@ static enum ndr_err_code ndr_push_netr_DELTA_ACCOUNT(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_ACCOUNT *r) > { > uint32_t _ptr_privilege_attrib; >+ uint32_t size_privilege_attrib_1 = 0; > uint32_t cntr_privilege_attrib_1; > TALLOC_CTX *_mem_save_privilege_attrib_0; > TALLOC_CTX *_mem_save_privilege_attrib_1; > uint32_t _ptr_privilege_name; >+ uint32_t size_privilege_name_1 = 0; > uint32_t cntr_privilege_name_1; > TALLOC_CTX *_mem_save_privilege_name_0; > TALLOC_CTX *_mem_save_privilege_name_1; >@@ -3392,10 +3450,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int n > _mem_save_privilege_attrib_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_attrib, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->privilege_attrib)); >- NDR_PULL_ALLOC_N(ndr, r->privilege_attrib, ndr_get_array_size(ndr, &r->privilege_attrib)); >+ size_privilege_attrib_1 = ndr_get_array_size(ndr, &r->privilege_attrib); >+ NDR_PULL_ALLOC_N(ndr, r->privilege_attrib, size_privilege_attrib_1); > _mem_save_privilege_attrib_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_attrib, 0); >- for (cntr_privilege_attrib_1 = 0; cntr_privilege_attrib_1 < r->privilege_entries; cntr_privilege_attrib_1++) { >+ for (cntr_privilege_attrib_1 = 0; cntr_privilege_attrib_1 < size_privilege_attrib_1; cntr_privilege_attrib_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->privilege_attrib[cntr_privilege_attrib_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privilege_attrib_1, 0); >@@ -3405,13 +3464,14 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int n > _mem_save_privilege_name_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->privilege_name)); >- NDR_PULL_ALLOC_N(ndr, r->privilege_name, ndr_get_array_size(ndr, &r->privilege_name)); >+ size_privilege_name_1 = ndr_get_array_size(ndr, &r->privilege_name); >+ NDR_PULL_ALLOC_N(ndr, r->privilege_name, size_privilege_name_1); > _mem_save_privilege_name_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_name, 0); >- for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < r->privilege_entries; cntr_privilege_name_1++) { >+ for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < size_privilege_name_1; cntr_privilege_name_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->privilege_name[cntr_privilege_name_1])); > } >- for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < r->privilege_entries; cntr_privilege_name_1++) { >+ for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < size_privilege_name_1; cntr_privilege_name_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->privilege_name[cntr_privilege_name_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privilege_name_1, 0); >@@ -3567,6 +3627,8 @@ static enum ndr_err_code ndr_push_netr_CIPHER_VALUE(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_CIPHER_VALUE(struct ndr_pull *ndr, int ndr_flags, struct netr_CIPHER_VALUE *r) > { > uint32_t _ptr_cipher_data; >+ uint32_t size_cipher_data_1 = 0; >+ uint32_t length_cipher_data_1 = 0; > TALLOC_CTX *_mem_save_cipher_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -3585,11 +3647,13 @@ static enum ndr_err_code ndr_pull_netr_CIPHER_VALUE(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->cipher_data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->cipher_data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->cipher_data)); >- if (ndr_get_array_length(ndr, &r->cipher_data) > ndr_get_array_size(ndr, &r->cipher_data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->cipher_data), ndr_get_array_length(ndr, &r->cipher_data)); >+ size_cipher_data_1 = ndr_get_array_size(ndr, &r->cipher_data); >+ length_cipher_data_1 = ndr_get_array_length(ndr, &r->cipher_data); >+ if (length_cipher_data_1 > size_cipher_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_cipher_data_1, length_cipher_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->cipher_data, ndr_get_array_size(ndr, &r->cipher_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->cipher_data, ndr_get_array_length(ndr, &r->cipher_data))); >+ NDR_PULL_ALLOC_N(ndr, r->cipher_data, size_cipher_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->cipher_data, length_cipher_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cipher_data_0, 0); > } > if (r->cipher_data) { >@@ -3969,21 +4033,37 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_domain_0; >+ uint32_t _ptr_domain; > TALLOC_CTX *_mem_save_group_0; >+ uint32_t _ptr_group; > TALLOC_CTX *_mem_save_rename_group_0; >+ uint32_t _ptr_rename_group; > TALLOC_CTX *_mem_save_user_0; >+ uint32_t _ptr_user; > TALLOC_CTX *_mem_save_rename_user_0; >+ uint32_t _ptr_rename_user; > TALLOC_CTX *_mem_save_group_member_0; >+ uint32_t _ptr_group_member; > TALLOC_CTX *_mem_save_alias_0; >+ uint32_t _ptr_alias; > TALLOC_CTX *_mem_save_rename_alias_0; >+ uint32_t _ptr_rename_alias; > TALLOC_CTX *_mem_save_alias_member_0; >+ uint32_t _ptr_alias_member; > TALLOC_CTX *_mem_save_policy_0; >+ uint32_t _ptr_policy; > TALLOC_CTX *_mem_save_trusted_domain_0; >+ uint32_t _ptr_trusted_domain; > TALLOC_CTX *_mem_save_account_0; >+ uint32_t _ptr_account; > TALLOC_CTX *_mem_save_secret_0; >+ uint32_t _ptr_secret; > TALLOC_CTX *_mem_save_delete_group_0; >+ uint32_t _ptr_delete_group; > TALLOC_CTX *_mem_save_delete_user_0; >+ uint32_t _ptr_delete_user; > TALLOC_CTX *_mem_save_modified_count_0; >+ uint32_t _ptr_modified_count; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -3992,7 +4072,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > } > switch (level) { > case NETR_DELTA_DOMAIN: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -4002,7 +4081,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_GROUP: { >- uint32_t _ptr_group; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group)); > if (_ptr_group) { > NDR_PULL_ALLOC(ndr, r->group); >@@ -4015,7 +4093,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_RENAME_GROUP: { >- uint32_t _ptr_rename_group; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_group)); > if (_ptr_rename_group) { > NDR_PULL_ALLOC(ndr, r->rename_group); >@@ -4025,7 +4102,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_USER: { >- uint32_t _ptr_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); > if (_ptr_user) { > NDR_PULL_ALLOC(ndr, r->user); >@@ -4038,7 +4114,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_RENAME_USER: { >- uint32_t _ptr_rename_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_user)); > if (_ptr_rename_user) { > NDR_PULL_ALLOC(ndr, r->rename_user); >@@ -4048,7 +4123,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_GROUP_MEMBER: { >- uint32_t _ptr_group_member; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_member)); > if (_ptr_group_member) { > NDR_PULL_ALLOC(ndr, r->group_member); >@@ -4058,7 +4132,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_ALIAS: { >- uint32_t _ptr_alias; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_alias)); > if (_ptr_alias) { > NDR_PULL_ALLOC(ndr, r->alias); >@@ -4071,7 +4144,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_RENAME_ALIAS: { >- uint32_t _ptr_rename_alias; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_alias)); > if (_ptr_rename_alias) { > NDR_PULL_ALLOC(ndr, r->rename_alias); >@@ -4081,7 +4153,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_ALIAS_MEMBER: { >- uint32_t _ptr_alias_member; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_alias_member)); > if (_ptr_alias_member) { > NDR_PULL_ALLOC(ndr, r->alias_member); >@@ -4091,7 +4162,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_POLICY: { >- uint32_t _ptr_policy; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_policy)); > if (_ptr_policy) { > NDR_PULL_ALLOC(ndr, r->policy); >@@ -4101,7 +4171,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_TRUSTED_DOMAIN: { >- uint32_t _ptr_trusted_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_trusted_domain)); > if (_ptr_trusted_domain) { > NDR_PULL_ALLOC(ndr, r->trusted_domain); >@@ -4115,7 +4184,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_ACCOUNT: { >- uint32_t _ptr_account; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account)); > if (_ptr_account) { > NDR_PULL_ALLOC(ndr, r->account); >@@ -4129,7 +4197,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_SECRET: { >- uint32_t _ptr_secret; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_secret)); > if (_ptr_secret) { > NDR_PULL_ALLOC(ndr, r->secret); >@@ -4143,7 +4210,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_DELETE_GROUP2: { >- uint32_t _ptr_delete_group; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_delete_group)); > if (_ptr_delete_group) { > NDR_PULL_ALLOC(ndr, r->delete_group); >@@ -4153,7 +4219,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_DELETE_USER2: { >- uint32_t _ptr_delete_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_delete_user)); > if (_ptr_delete_user) { > NDR_PULL_ALLOC(ndr, r->delete_user); >@@ -4163,7 +4228,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_MODIFY_COUNT: { >- uint32_t _ptr_modified_count; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_modified_count)); > if (_ptr_modified_count) { > NDR_PULL_ALLOC(ndr, r->modified_count); >@@ -4728,7 +4792,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_sid_0; >+ uint32_t _ptr_sid; > TALLOC_CTX *_mem_save_name_0; >+ uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -4785,7 +4853,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_POLICY: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -4795,7 +4862,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_TRUSTED_DOMAIN: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -4805,7 +4871,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_DELETE_TRUST: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -4815,7 +4880,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_ACCOUNT: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -4825,7 +4889,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_DELETE_ACCOUNT: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -4835,7 +4898,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_SECRET: { >- uint32_t _ptr_name; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_name)); > if (_ptr_name) { > NDR_PULL_ALLOC(ndr, r->name); >@@ -4845,7 +4907,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_DELETE_SECRET: { >- uint32_t _ptr_name; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_name)); > if (_ptr_name) { > NDR_PULL_ALLOC(ndr, r->name); >@@ -4958,11 +5019,13 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > break; >@@ -4973,11 +5036,13 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > break; >@@ -5202,6 +5267,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_ENUM_ARRAY(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_netr_DELTA_ENUM_ARRAY(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_ENUM_ARRAY *r) > { > uint32_t _ptr_delta_enum; >+ uint32_t size_delta_enum_1 = 0; > uint32_t cntr_delta_enum_1; > TALLOC_CTX *_mem_save_delta_enum_0; > TALLOC_CTX *_mem_save_delta_enum_1; >@@ -5220,13 +5286,14 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ENUM_ARRAY(struct ndr_pull *ndr, in > _mem_save_delta_enum_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->delta_enum, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->delta_enum)); >- NDR_PULL_ALLOC_N(ndr, r->delta_enum, ndr_get_array_size(ndr, &r->delta_enum)); >+ size_delta_enum_1 = ndr_get_array_size(ndr, &r->delta_enum); >+ NDR_PULL_ALLOC_N(ndr, r->delta_enum, size_delta_enum_1); > _mem_save_delta_enum_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->delta_enum, 0); >- for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < r->num_deltas; cntr_delta_enum_1++) { >+ for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < size_delta_enum_1; cntr_delta_enum_1++) { > NDR_CHECK(ndr_pull_netr_DELTA_ENUM(ndr, NDR_SCALARS, &r->delta_enum[cntr_delta_enum_1])); > } >- for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < r->num_deltas; cntr_delta_enum_1++) { >+ for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < size_delta_enum_1; cntr_delta_enum_1++) { > NDR_CHECK(ndr_pull_netr_DELTA_ENUM(ndr, NDR_BUFFERS, &r->delta_enum[cntr_delta_enum_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_delta_enum_1, 0); >@@ -5283,12 +5350,14 @@ static enum ndr_err_code ndr_push_netr_UAS_INFO_0(struct ndr_push *ndr, int ndr_ > > static enum ndr_err_code ndr_pull_netr_UAS_INFO_0(struct ndr_pull *ndr, int ndr_flags, struct netr_UAS_INFO_0 *r) > { >+ uint32_t size_computer_name_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->computer_name, 16)); >+ size_computer_name_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->computer_name, size_computer_name_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->timecreated)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->serial_number)); > } >@@ -5434,6 +5503,8 @@ static enum ndr_err_code ndr_push_netr_NETLOGON_INFO_2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_2(struct ndr_pull *ndr, int ndr_flags, struct netr_NETLOGON_INFO_2 *r) > { > uint32_t _ptr_trusted_dc_name; >+ uint32_t size_trusted_dc_name_1 = 0; >+ uint32_t length_trusted_dc_name_1 = 0; > TALLOC_CTX *_mem_save_trusted_dc_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -5453,11 +5524,13 @@ static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->trusted_dc_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_dc_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_dc_name)); >- if (ndr_get_array_length(ndr, &r->trusted_dc_name) > ndr_get_array_size(ndr, &r->trusted_dc_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_dc_name), ndr_get_array_length(ndr, &r->trusted_dc_name)); >+ size_trusted_dc_name_1 = ndr_get_array_size(ndr, &r->trusted_dc_name); >+ length_trusted_dc_name_1 = ndr_get_array_length(ndr, &r->trusted_dc_name); >+ if (length_trusted_dc_name_1 > size_trusted_dc_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_dc_name_1, length_trusted_dc_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_dc_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, length_trusted_dc_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_dc_name_0, 0); > } > } >@@ -5583,8 +5656,11 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -5593,7 +5669,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > } > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -5603,7 +5678,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -5613,7 +5687,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -5799,6 +5872,9 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_domain_0; >+ uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -5807,7 +5883,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > } > switch (level) { > case NETLOGON_CONTROL_REDISCOVER: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -5817,7 +5892,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_TC_QUERY: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -5827,7 +5901,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_TRANSPORT_NOTIFY: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -5852,11 +5925,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -5867,11 +5942,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -5882,11 +5959,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6007,6 +6086,7 @@ static enum ndr_err_code ndr_push_netr_Blob(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_netr_Blob(struct ndr_pull *ndr, int ndr_flags, struct netr_Blob *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6023,8 +6103,9 @@ static enum ndr_err_code ndr_pull_netr_Blob(struct ndr_pull *ndr, int ndr_flags, > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -6208,16 +6289,28 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_DsRGetDCNameInfo(struct ndr_push *ndr, > _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRGetDCNameInfo *r) > { > uint32_t _ptr_dc_unc; >+ uint32_t size_dc_unc_1 = 0; >+ uint32_t length_dc_unc_1 = 0; > TALLOC_CTX *_mem_save_dc_unc_0; > uint32_t _ptr_dc_address; >+ uint32_t size_dc_address_1 = 0; >+ uint32_t length_dc_address_1 = 0; > TALLOC_CTX *_mem_save_dc_address_0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_domain_name_0; > uint32_t _ptr_forest_name; >+ uint32_t size_forest_name_1 = 0; >+ uint32_t length_forest_name_1 = 0; > TALLOC_CTX *_mem_save_forest_name_0; > uint32_t _ptr_dc_site_name; >+ uint32_t size_dc_site_name_1 = 0; >+ uint32_t length_dc_site_name_1 = 0; > TALLOC_CTX *_mem_save_dc_site_name_0; > uint32_t _ptr_client_site_name; >+ uint32_t size_client_site_name_1 = 0; >+ uint32_t length_client_site_name_1 = 0; > TALLOC_CTX *_mem_save_client_site_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6267,11 +6360,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->dc_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_unc)); >- if (ndr_get_array_length(ndr, &r->dc_unc) > ndr_get_array_size(ndr, &r->dc_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_unc), ndr_get_array_length(ndr, &r->dc_unc)); >+ size_dc_unc_1 = ndr_get_array_size(ndr, &r->dc_unc); >+ length_dc_unc_1 = ndr_get_array_length(ndr, &r->dc_unc); >+ if (length_dc_unc_1 > size_dc_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_unc_1, length_dc_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_unc, ndr_get_array_length(ndr, &r->dc_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_unc, length_dc_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_unc_0, 0); > } > if (r->dc_address) { >@@ -6279,11 +6374,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->dc_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_address)); >- if (ndr_get_array_length(ndr, &r->dc_address) > ndr_get_array_size(ndr, &r->dc_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_address), ndr_get_array_length(ndr, &r->dc_address)); >+ size_dc_address_1 = ndr_get_array_size(ndr, &r->dc_address); >+ length_dc_address_1 = ndr_get_array_length(ndr, &r->dc_address); >+ if (length_dc_address_1 > size_dc_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_address_1, length_dc_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_address, ndr_get_array_length(ndr, &r->dc_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_address, length_dc_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_address_0, 0); > } > NDR_CHECK(ndr_pull_GUID(ndr, NDR_BUFFERS, &r->domain_guid)); >@@ -6292,11 +6389,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); >- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > if (r->forest_name) { >@@ -6304,11 +6403,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->forest_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->forest_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->forest_name)); >- if (ndr_get_array_length(ndr, &r->forest_name) > ndr_get_array_size(ndr, &r->forest_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->forest_name), ndr_get_array_length(ndr, &r->forest_name)); >+ size_forest_name_1 = ndr_get_array_size(ndr, &r->forest_name); >+ length_forest_name_1 = ndr_get_array_length(ndr, &r->forest_name); >+ if (length_forest_name_1 > size_forest_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_forest_name_1, length_forest_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->forest_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest_name, ndr_get_array_length(ndr, &r->forest_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_forest_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest_name, length_forest_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_name_0, 0); > } > if (r->dc_site_name) { >@@ -6316,11 +6417,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->dc_site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_site_name)); >- if (ndr_get_array_length(ndr, &r->dc_site_name) > ndr_get_array_size(ndr, &r->dc_site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_site_name), ndr_get_array_length(ndr, &r->dc_site_name)); >+ size_dc_site_name_1 = ndr_get_array_size(ndr, &r->dc_site_name); >+ length_dc_site_name_1 = ndr_get_array_length(ndr, &r->dc_site_name); >+ if (length_dc_site_name_1 > size_dc_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_site_name_1, length_dc_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_site_name, ndr_get_array_length(ndr, &r->dc_site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_site_name, length_dc_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_site_name_0, 0); > } > if (r->client_site_name) { >@@ -6328,11 +6431,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->client_site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_site_name)); >- if (ndr_get_array_length(ndr, &r->client_site_name) > ndr_get_array_size(ndr, &r->client_site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_site_name), ndr_get_array_length(ndr, &r->client_site_name)); >+ size_client_site_name_1 = ndr_get_array_size(ndr, &r->client_site_name); >+ length_client_site_name_1 = ndr_get_array_length(ndr, &r->client_site_name); >+ if (length_client_site_name_1 > size_client_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_site_name_1, length_client_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_site_name, ndr_get_array_length(ndr, &r->client_site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_site_name, length_client_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_site_name_0, 0); > } > } >@@ -6488,6 +6593,8 @@ static enum ndr_err_code ndr_push_netr_BinaryString(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_BinaryString(struct ndr_pull *ndr, int ndr_flags, struct netr_BinaryString *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; >+ uint32_t length_data_1 = 0; > uint32_t cntr_data_1; > TALLOC_CTX *_mem_save_data_0; > TALLOC_CTX *_mem_save_data_1; >@@ -6511,13 +6618,15 @@ static enum ndr_err_code ndr_pull_netr_BinaryString(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); >- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ length_data_1 = ndr_get_array_length(ndr, &r->data); >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); > _mem_save_data_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); >- for (cntr_data_1 = 0; cntr_data_1 < r->length / 2; cntr_data_1++) { >+ for (cntr_data_1 = 0; cntr_data_1 < length_data_1; cntr_data_1++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->data[cntr_data_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_1, 0); >@@ -6634,17 +6743,30 @@ static enum ndr_err_code ndr_push_netr_DomainQuery1(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainQuery1 *r) > { > uint32_t _ptr_workstation_domain; >+ uint32_t size_workstation_domain_1 = 0; >+ uint32_t length_workstation_domain_1 = 0; > TALLOC_CTX *_mem_save_workstation_domain_0; > uint32_t _ptr_workstation_site; >+ uint32_t size_workstation_site_1 = 0; >+ uint32_t length_workstation_site_1 = 0; > TALLOC_CTX *_mem_save_workstation_site_0; > uint32_t _ptr_unknown1; >+ uint32_t size_unknown1_1 = 0; >+ uint32_t length_unknown1_1 = 0; > TALLOC_CTX *_mem_save_unknown1_0; > uint32_t _ptr_unknown2; >+ uint32_t size_unknown2_1 = 0; >+ uint32_t length_unknown2_1 = 0; > TALLOC_CTX *_mem_save_unknown2_0; > uint32_t _ptr_unknown3; >+ uint32_t size_unknown3_1 = 0; >+ uint32_t length_unknown3_1 = 0; > TALLOC_CTX *_mem_save_unknown3_0; > uint32_t _ptr_unknown4; >+ uint32_t size_unknown4_1 = 0; >+ uint32_t length_unknown4_1 = 0; > TALLOC_CTX *_mem_save_unknown4_0; >+ uint32_t size_unknown7_0 = 0; > uint32_t cntr_unknown7_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6689,7 +6811,8 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->product)); > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->unknown5)); > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->unknown6)); >- for (cntr_unknown7_0 = 0; cntr_unknown7_0 < 4; cntr_unknown7_0++) { >+ size_unknown7_0 = 4; >+ for (cntr_unknown7_0 = 0; cntr_unknown7_0 < size_unknown7_0; cntr_unknown7_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown7[cntr_unknown7_0])); > } > } >@@ -6700,11 +6823,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->workstation_domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->workstation_domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->workstation_domain)); >- if (ndr_get_array_length(ndr, &r->workstation_domain) > ndr_get_array_size(ndr, &r->workstation_domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->workstation_domain), ndr_get_array_length(ndr, &r->workstation_domain)); >+ size_workstation_domain_1 = ndr_get_array_size(ndr, &r->workstation_domain); >+ length_workstation_domain_1 = ndr_get_array_length(ndr, &r->workstation_domain); >+ if (length_workstation_domain_1 > size_workstation_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_domain_1, length_workstation_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->workstation_domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->workstation_domain, ndr_get_array_length(ndr, &r->workstation_domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->workstation_domain, length_workstation_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_workstation_domain_0, 0); > } > if (r->workstation_site) { >@@ -6712,11 +6837,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->workstation_site, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->workstation_site)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->workstation_site)); >- if (ndr_get_array_length(ndr, &r->workstation_site) > ndr_get_array_size(ndr, &r->workstation_site)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->workstation_site), ndr_get_array_length(ndr, &r->workstation_site)); >+ size_workstation_site_1 = ndr_get_array_size(ndr, &r->workstation_site); >+ length_workstation_site_1 = ndr_get_array_length(ndr, &r->workstation_site); >+ if (length_workstation_site_1 > size_workstation_site_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_site_1, length_workstation_site_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->workstation_site), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->workstation_site, ndr_get_array_length(ndr, &r->workstation_site), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_site_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->workstation_site, length_workstation_site_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_workstation_site_0, 0); > } > if (r->unknown1) { >@@ -6724,11 +6851,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown1)); >- if (ndr_get_array_length(ndr, &r->unknown1) > ndr_get_array_size(ndr, &r->unknown1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown1), ndr_get_array_length(ndr, &r->unknown1)); >+ size_unknown1_1 = ndr_get_array_size(ndr, &r->unknown1); >+ length_unknown1_1 = ndr_get_array_length(ndr, &r->unknown1); >+ if (length_unknown1_1 > size_unknown1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown1_1, length_unknown1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown1, ndr_get_array_length(ndr, &r->unknown1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown1, length_unknown1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown1_0, 0); > } > if (r->unknown2) { >@@ -6736,11 +6865,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown2)); >- if (ndr_get_array_length(ndr, &r->unknown2) > ndr_get_array_size(ndr, &r->unknown2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown2), ndr_get_array_length(ndr, &r->unknown2)); >+ size_unknown2_1 = ndr_get_array_size(ndr, &r->unknown2); >+ length_unknown2_1 = ndr_get_array_length(ndr, &r->unknown2); >+ if (length_unknown2_1 > size_unknown2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); > } > if (r->unknown3) { >@@ -6748,11 +6879,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown3, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown3)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown3)); >- if (ndr_get_array_length(ndr, &r->unknown3) > ndr_get_array_size(ndr, &r->unknown3)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown3), ndr_get_array_length(ndr, &r->unknown3)); >+ size_unknown3_1 = ndr_get_array_size(ndr, &r->unknown3); >+ length_unknown3_1 = ndr_get_array_length(ndr, &r->unknown3); >+ if (length_unknown3_1 > size_unknown3_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown3_1, length_unknown3_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown3), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown3, ndr_get_array_length(ndr, &r->unknown3), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown3_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown3, length_unknown3_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown3_0, 0); > } > if (r->unknown4) { >@@ -6760,11 +6893,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown4, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown4)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown4)); >- if (ndr_get_array_length(ndr, &r->unknown4) > ndr_get_array_size(ndr, &r->unknown4)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown4), ndr_get_array_length(ndr, &r->unknown4)); >+ size_unknown4_1 = ndr_get_array_size(ndr, &r->unknown4); >+ length_unknown4_1 = ndr_get_array_length(ndr, &r->unknown4); >+ if (length_unknown4_1 > size_unknown4_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown4_1, length_unknown4_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown4), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown4, ndr_get_array_length(ndr, &r->unknown4), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown4_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown4, length_unknown4_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown4_0, 0); > } > NDR_CHECK(ndr_pull_netr_BinaryString(ndr, NDR_BUFFERS, &r->blob2)); >@@ -6879,6 +7014,7 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery(struct ndr_pull *ndr, int ndr > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_query1_0; >+ uint32_t _ptr_query1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -6887,7 +7023,6 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery(struct ndr_pull *ndr, int ndr > } > switch (level) { > case 1: { >- uint32_t _ptr_query1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_query1)); > if (_ptr_query1) { > NDR_PULL_ALLOC(ndr, r->query1); >@@ -6897,7 +7032,6 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery(struct ndr_pull *ndr, int ndr > break; } > > case 2: { >- uint32_t _ptr_query1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_query1)); > if (_ptr_query1) { > NDR_PULL_ALLOC(ndr, r->query1); >@@ -7003,7 +7137,9 @@ static enum ndr_err_code ndr_pull_netr_DomainTrustInfo(struct ndr_pull *ndr, int > { > uint32_t _ptr_sid; > TALLOC_CTX *_mem_save_sid_0; >+ uint32_t size_unknown1_0 = 0; > uint32_t cntr_unknown1_0; >+ uint32_t size_unknown_0 = 0; > uint32_t cntr_unknown_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7017,10 +7153,12 @@ static enum ndr_err_code ndr_pull_netr_DomainTrustInfo(struct ndr_pull *ndr, int > } else { > r->sid = NULL; > } >- for (cntr_unknown1_0 = 0; cntr_unknown1_0 < 4; cntr_unknown1_0++) { >+ size_unknown1_0 = 4; >+ for (cntr_unknown1_0 = 0; cntr_unknown1_0 < size_unknown1_0; cntr_unknown1_0++) { > NDR_CHECK(ndr_pull_netr_BinaryString(ndr, NDR_SCALARS, &r->unknown1[cntr_unknown1_0])); > } >- for (cntr_unknown_0 = 0; cntr_unknown_0 < 4; cntr_unknown_0++) { >+ size_unknown_0 = 4; >+ for (cntr_unknown_0 = 0; cntr_unknown_0 < size_unknown_0; cntr_unknown_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown[cntr_unknown_0])); > } > } >@@ -7035,7 +7173,8 @@ static enum ndr_err_code ndr_pull_netr_DomainTrustInfo(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_dom_sid2(ndr, NDR_SCALARS|NDR_BUFFERS, r->sid)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sid_0, 0); > } >- for (cntr_unknown1_0 = 0; cntr_unknown1_0 < 4; cntr_unknown1_0++) { >+ size_unknown1_0 = 4; >+ for (cntr_unknown1_0 = 0; cntr_unknown1_0 < size_unknown1_0; cntr_unknown1_0++) { > NDR_CHECK(ndr_pull_netr_BinaryString(ndr, NDR_BUFFERS, &r->unknown1[cntr_unknown1_0])); > } > } >@@ -7112,9 +7251,11 @@ static enum ndr_err_code ndr_push_netr_DomainInfo1(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_netr_DomainInfo1(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainInfo1 *r) > { > uint32_t _ptr_trusts; >+ uint32_t size_trusts_1 = 0; > uint32_t cntr_trusts_1; > TALLOC_CTX *_mem_save_trusts_0; > TALLOC_CTX *_mem_save_trusts_1; >+ uint32_t size_unknown_0 = 0; > uint32_t cntr_unknown_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7126,7 +7267,8 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo1(struct ndr_pull *ndr, int ndr > } else { > r->trusts = NULL; > } >- for (cntr_unknown_0 = 0; cntr_unknown_0 < 14; cntr_unknown_0++) { >+ size_unknown_0 = 14; >+ for (cntr_unknown_0 = 0; cntr_unknown_0 < size_unknown_0; cntr_unknown_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown[cntr_unknown_0])); > } > } >@@ -7136,13 +7278,14 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo1(struct ndr_pull *ndr, int ndr > _mem_save_trusts_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->trusts, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusts)); >- NDR_PULL_ALLOC_N(ndr, r->trusts, ndr_get_array_size(ndr, &r->trusts)); >+ size_trusts_1 = ndr_get_array_size(ndr, &r->trusts); >+ NDR_PULL_ALLOC_N(ndr, r->trusts, size_trusts_1); > _mem_save_trusts_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->trusts, 0); >- for (cntr_trusts_1 = 0; cntr_trusts_1 < r->num_trusts; cntr_trusts_1++) { >+ for (cntr_trusts_1 = 0; cntr_trusts_1 < size_trusts_1; cntr_trusts_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrustInfo(ndr, NDR_SCALARS, &r->trusts[cntr_trusts_1])); > } >- for (cntr_trusts_1 = 0; cntr_trusts_1 < r->num_trusts; cntr_trusts_1++) { >+ for (cntr_trusts_1 = 0; cntr_trusts_1 < size_trusts_1; cntr_trusts_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrustInfo(ndr, NDR_BUFFERS, &r->trusts[cntr_trusts_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusts_1, 0); >@@ -7236,6 +7379,7 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo(struct ndr_pull *ndr, int ndr_ > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -7244,7 +7388,6 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo(struct ndr_pull *ndr, int ndr_ > } > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -7254,7 +7397,6 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo(struct ndr_pull *ndr, int ndr_ > break; } > > case 2: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -7342,12 +7484,14 @@ static enum ndr_err_code ndr_push_netr_CryptPassword(struct ndr_push *ndr, int n > > static enum ndr_err_code ndr_pull_netr_CryptPassword(struct ndr_pull *ndr, int ndr_flags, struct netr_CryptPassword *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 512)); >+ size_data_0 = 512; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -7396,6 +7540,7 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesWCtr(struct ndr_push > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesWCtr(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddressToSitenamesWCtr *r) > { > uint32_t _ptr_sitename; >+ uint32_t size_sitename_1 = 0; > uint32_t cntr_sitename_1; > TALLOC_CTX *_mem_save_sitename_0; > TALLOC_CTX *_mem_save_sitename_1; >@@ -7414,13 +7559,14 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesWCtr(struct ndr_pull > _mem_save_sitename_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); >- NDR_PULL_ALLOC_N(ndr, r->sitename, ndr_get_array_size(ndr, &r->sitename)); >+ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); >+ NDR_PULL_ALLOC_N(ndr, r->sitename, size_sitename_1); > _mem_save_sitename_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sitename[cntr_sitename_1])); > } >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sitename[cntr_sitename_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_1, 0); >@@ -7476,6 +7622,7 @@ static enum ndr_err_code ndr_push_netr_DsRAddress(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_netr_DsRAddress(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddress *r) > { > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_buffer_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7492,8 +7639,9 @@ static enum ndr_err_code ndr_pull_netr_DsRAddress(struct ndr_pull *ndr, int ndr_ > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->buffer)); >- NDR_PULL_ALLOC_N(ndr, r->buffer, ndr_get_array_size(ndr, &r->buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, ndr_get_array_size(ndr, &r->buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->buffer); >+ NDR_PULL_ALLOC_N(ndr, r->buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > if (r->buffer) { >@@ -7636,8 +7784,12 @@ static enum ndr_err_code ndr_push_netr_DomainTrust(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainTrust *r) > { > uint32_t _ptr_netbios_name; >+ uint32_t size_netbios_name_1 = 0; >+ uint32_t length_netbios_name_1 = 0; > TALLOC_CTX *_mem_save_netbios_name_0; > uint32_t _ptr_dns_name; >+ uint32_t size_dns_name_1 = 0; >+ uint32_t length_dns_name_1 = 0; > TALLOC_CTX *_mem_save_dns_name_0; > uint32_t _ptr_sid; > TALLOC_CTX *_mem_save_sid_0; >@@ -7673,11 +7825,13 @@ static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); >- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); >+ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); >+ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); >+ if (length_netbios_name_1 > size_netbios_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); > } > if (r->dns_name) { >@@ -7685,11 +7839,13 @@ static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); >- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); >+ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); >+ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); >+ if (length_dns_name_1 > size_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); > } > if (r->sid) { >@@ -7758,6 +7914,7 @@ static enum ndr_err_code ndr_push_netr_DomainTrustList(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DomainTrustList(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainTrustList *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -7776,13 +7933,14 @@ static enum ndr_err_code ndr_pull_netr_DomainTrustList(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrust(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrust(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -7855,10 +8013,12 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesExWCtr(struct ndr_pu > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddressToSitenamesExWCtr *r) > { > uint32_t _ptr_sitename; >+ uint32_t size_sitename_1 = 0; > uint32_t cntr_sitename_1; > TALLOC_CTX *_mem_save_sitename_0; > TALLOC_CTX *_mem_save_sitename_1; > uint32_t _ptr_subnetname; >+ uint32_t size_subnetname_1 = 0; > uint32_t cntr_subnetname_1; > TALLOC_CTX *_mem_save_subnetname_0; > TALLOC_CTX *_mem_save_subnetname_1; >@@ -7883,13 +8043,14 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pu > _mem_save_sitename_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); >- NDR_PULL_ALLOC_N(ndr, r->sitename, ndr_get_array_size(ndr, &r->sitename)); >+ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); >+ NDR_PULL_ALLOC_N(ndr, r->sitename, size_sitename_1); > _mem_save_sitename_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sitename[cntr_sitename_1])); > } >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sitename[cntr_sitename_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_1, 0); >@@ -7899,13 +8060,14 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pu > _mem_save_subnetname_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->subnetname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->subnetname)); >- NDR_PULL_ALLOC_N(ndr, r->subnetname, ndr_get_array_size(ndr, &r->subnetname)); >+ size_subnetname_1 = ndr_get_array_size(ndr, &r->subnetname); >+ NDR_PULL_ALLOC_N(ndr, r->subnetname, size_subnetname_1); > _mem_save_subnetname_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->subnetname, 0); >- for (cntr_subnetname_1 = 0; cntr_subnetname_1 < r->count; cntr_subnetname_1++) { >+ for (cntr_subnetname_1 = 0; cntr_subnetname_1 < size_subnetname_1; cntr_subnetname_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->subnetname[cntr_subnetname_1])); > } >- for (cntr_subnetname_1 = 0; cntr_subnetname_1 < r->count; cntr_subnetname_1++) { >+ for (cntr_subnetname_1 = 0; cntr_subnetname_1 < size_subnetname_1; cntr_subnetname_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->subnetname[cntr_subnetname_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_subnetname_1, 0); >@@ -7986,6 +8148,7 @@ static enum ndr_err_code ndr_push_DcSitesCtr(struct ndr_push *ndr, int ndr_flags > static enum ndr_err_code ndr_pull_DcSitesCtr(struct ndr_pull *ndr, int ndr_flags, struct DcSitesCtr *r) > { > uint32_t _ptr_sites; >+ uint32_t size_sites_1 = 0; > uint32_t cntr_sites_1; > TALLOC_CTX *_mem_save_sites_0; > TALLOC_CTX *_mem_save_sites_1; >@@ -8004,13 +8167,14 @@ static enum ndr_err_code ndr_pull_DcSitesCtr(struct ndr_pull *ndr, int ndr_flags > _mem_save_sites_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sites, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sites)); >- NDR_PULL_ALLOC_N(ndr, r->sites, ndr_get_array_size(ndr, &r->sites)); >+ size_sites_1 = ndr_get_array_size(ndr, &r->sites); >+ NDR_PULL_ALLOC_N(ndr, r->sites, size_sites_1); > _mem_save_sites_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sites, 0); >- for (cntr_sites_1 = 0; cntr_sites_1 < r->num_sites; cntr_sites_1++) { >+ for (cntr_sites_1 = 0; cntr_sites_1 < size_sites_1; cntr_sites_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sites[cntr_sites_1])); > } >- for (cntr_sites_1 = 0; cntr_sites_1 < r->num_sites; cntr_sites_1++) { >+ for (cntr_sites_1 = 0; cntr_sites_1 < size_sites_1; cntr_sites_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sites[cntr_sites_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sites_1, 0); >@@ -8079,6 +8243,12 @@ static enum ndr_err_code ndr_push_netr_LogonUasLogon(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_LogonUasLogon(struct ndr_pull *ndr, int flags, struct netr_LogonUasLogon *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_workstation_0 = 0; >+ uint32_t length_workstation_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -8095,27 +8265,33 @@ static enum ndr_err_code ndr_pull_netr_LogonUasLogon(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.workstation)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.workstation)); >- if (ndr_get_array_length(ndr, &r->in.workstation) > ndr_get_array_size(ndr, &r->in.workstation)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.workstation), ndr_get_array_length(ndr, &r->in.workstation)); >+ size_workstation_0 = ndr_get_array_size(ndr, &r->in.workstation); >+ length_workstation_0 = ndr_get_array_length(ndr, &r->in.workstation); >+ if (length_workstation_0 > size_workstation_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_0, length_workstation_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, length_workstation_0, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); > } >@@ -8197,6 +8373,12 @@ static enum ndr_err_code ndr_push_netr_LogonUasLogoff(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonUasLogoff(struct ndr_pull *ndr, int flags, struct netr_LogonUasLogoff *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_workstation_0 = 0; >+ uint32_t length_workstation_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -8213,27 +8395,33 @@ static enum ndr_err_code ndr_pull_netr_LogonUasLogoff(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.workstation)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.workstation)); >- if (ndr_get_array_length(ndr, &r->in.workstation) > ndr_get_array_size(ndr, &r->in.workstation)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.workstation), ndr_get_array_length(ndr, &r->in.workstation)); >+ size_workstation_0 = ndr_get_array_size(ndr, &r->in.workstation); >+ length_workstation_0 = ndr_get_array_length(ndr, &r->in.workstation); >+ if (length_workstation_0 > size_workstation_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_0, length_workstation_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, length_workstation_0, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); > } >@@ -8338,7 +8526,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogon(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogon *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_credential; > uint32_t _ptr_return_authenticator; > TALLOC_CTX *_mem_save_server_name_0; >@@ -8362,11 +8554,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -8380,11 +8574,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); >@@ -8568,7 +8764,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogoff(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogoff *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_credential; > uint32_t _ptr_return_authenticator; > TALLOC_CTX *_mem_save_server_name_0; >@@ -8589,11 +8789,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -8607,11 +8809,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); >@@ -8746,6 +8950,10 @@ static enum ndr_err_code ndr_push_netr_ServerReqChallenge(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerReqChallenge(struct ndr_pull *ndr, int flags, struct netr_ServerReqChallenge *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -8763,20 +8971,24 @@ static enum ndr_err_code ndr_pull_netr_ServerReqChallenge(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -8873,6 +9085,12 @@ static enum ndr_err_code ndr_push_netr_ServerAuthenticate(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerAuthenticate(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -8890,28 +9108,34 @@ static enum ndr_err_code ndr_pull_netr_ServerAuthenticate(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -9014,6 +9238,12 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_ServerPasswordSet(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordSet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -9032,28 +9262,34 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -9175,6 +9411,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseDeltas(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_netr_DatabaseDeltas(struct ndr_pull *ndr, int flags, struct netr_DatabaseDeltas *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -9186,18 +9426,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseDeltas(struct ndr_pull *ndr, int > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -9363,6 +9607,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseSync(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_netr_DatabaseSync(struct ndr_pull *ndr, int flags, struct netr_DatabaseSync *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > TALLOC_CTX *_mem_save_return_authenticator_0; > TALLOC_CTX *_mem_save_sync_context_0; > TALLOC_CTX *_mem_save_delta_enum_array_0; >@@ -9371,18 +9619,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseSync(struct ndr_pull *ndr, int fl > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.return_authenticator); >@@ -9538,6 +9790,10 @@ static enum ndr_err_code ndr_push_netr_AccountDeltas(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_AccountDeltas(struct ndr_pull *ndr, int flags, struct netr_AccountDeltas *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_return_authenticator_0; > TALLOC_CTX *_mem_save_buffer_0; >@@ -9558,20 +9814,24 @@ static enum ndr_err_code ndr_pull_netr_AccountDeltas(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.return_authenticator); >@@ -9763,6 +10023,10 @@ static enum ndr_err_code ndr_push_netr_AccountSync(struct ndr_push *ndr, int fla > static enum ndr_err_code ndr_pull_netr_AccountSync(struct ndr_pull *ndr, int flags, struct netr_AccountSync *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_return_authenticator_0; > TALLOC_CTX *_mem_save_buffer_0; >@@ -9784,20 +10048,24 @@ static enum ndr_err_code ndr_pull_netr_AccountSync(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.return_authenticator); >@@ -9979,8 +10247,14 @@ static enum ndr_err_code ndr_push_netr_GetDcName(struct ndr_push *ndr, int flags > > static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags, struct netr_GetDcName *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; > uint32_t _ptr_domainname; >+ uint32_t size_domainname_1 = 0; >+ uint32_t length_domainname_1 = 0; > uint32_t _ptr_dcname; >+ uint32_t size_dcname_2 = 0; >+ uint32_t length_dcname_2 = 0; > TALLOC_CTX *_mem_save_domainname_0; > TALLOC_CTX *_mem_save_dcname_0; > TALLOC_CTX *_mem_save_dcname_1; >@@ -9989,11 +10263,13 @@ static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domainname)); > if (_ptr_domainname) { > NDR_PULL_ALLOC(ndr, r->in.domainname); >@@ -10005,11 +10281,13 @@ static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags > NDR_PULL_SET_MEM_CTX(ndr, r->in.domainname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domainname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domainname)); >- if (ndr_get_array_length(ndr, &r->in.domainname) > ndr_get_array_size(ndr, &r->in.domainname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domainname), ndr_get_array_length(ndr, &r->in.domainname)); >+ size_domainname_1 = ndr_get_array_size(ndr, &r->in.domainname); >+ length_domainname_1 = ndr_get_array_length(ndr, &r->in.domainname); >+ if (length_domainname_1 > size_domainname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domainname_1, length_domainname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domainname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, length_domainname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domainname_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.dcname); >@@ -10032,11 +10310,13 @@ static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags > NDR_PULL_SET_MEM_CTX(ndr, *r->out.dcname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.dcname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.dcname)); >- if (ndr_get_array_length(ndr, r->out.dcname) > ndr_get_array_size(ndr, r->out.dcname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.dcname), ndr_get_array_length(ndr, r->out.dcname)); >+ size_dcname_2 = ndr_get_array_size(ndr, r->out.dcname); >+ length_dcname_2 = ndr_get_array_length(ndr, r->out.dcname); >+ if (length_dcname_2 > size_dcname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dcname_2, length_dcname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dcname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, length_dcname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -10109,6 +10389,8 @@ static enum ndr_err_code ndr_push_netr_LogonControl(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_netr_LogonControl(struct ndr_pull *ndr, int flags, struct netr_LogonControl *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -10125,11 +10407,13 @@ static enum ndr_err_code ndr_pull_netr_LogonControl(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); >@@ -10222,8 +10506,14 @@ static enum ndr_err_code ndr_push_netr_GetAnyDCName(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int flags, struct netr_GetAnyDCName *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > uint32_t _ptr_domainname; >+ uint32_t size_domainname_1 = 0; >+ uint32_t length_domainname_1 = 0; > uint32_t _ptr_dcname; >+ uint32_t size_dcname_2 = 0; >+ uint32_t length_dcname_2 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_domainname_0; > TALLOC_CTX *_mem_save_dcname_0; >@@ -10242,11 +10532,13 @@ static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domainname)); >@@ -10260,11 +10552,13 @@ static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.domainname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domainname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domainname)); >- if (ndr_get_array_length(ndr, &r->in.domainname) > ndr_get_array_size(ndr, &r->in.domainname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domainname), ndr_get_array_length(ndr, &r->in.domainname)); >+ size_domainname_1 = ndr_get_array_size(ndr, &r->in.domainname); >+ length_domainname_1 = ndr_get_array_length(ndr, &r->in.domainname); >+ if (length_domainname_1 > size_domainname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domainname_1, length_domainname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domainname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, length_domainname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domainname_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.dcname); >@@ -10287,11 +10581,13 @@ static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, *r->out.dcname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.dcname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.dcname)); >- if (ndr_get_array_length(ndr, r->out.dcname) > ndr_get_array_size(ndr, r->out.dcname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.dcname), ndr_get_array_length(ndr, r->out.dcname)); >+ size_dcname_2 = ndr_get_array_size(ndr, r->out.dcname); >+ length_dcname_2 = ndr_get_array_length(ndr, r->out.dcname); >+ if (length_dcname_2 > size_dcname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dcname_2, length_dcname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dcname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, length_dcname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -10374,6 +10670,8 @@ static enum ndr_err_code ndr_push_netr_LogonControl2(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_LogonControl2(struct ndr_pull *ndr, int flags, struct netr_LogonControl2 *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_data_0; > TALLOC_CTX *_mem_save_query_0; >@@ -10391,11 +10689,13 @@ static enum ndr_err_code ndr_pull_netr_LogonControl2(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); >@@ -10509,6 +10809,12 @@ static enum ndr_err_code ndr_push_netr_ServerAuthenticate2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerAuthenticate2(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -10527,28 +10833,34 @@ static enum ndr_err_code ndr_pull_netr_ServerAuthenticate2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -10684,6 +10996,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseSync2(struct ndr_push *ndr, int f > > static enum ndr_err_code ndr_pull_netr_DatabaseSync2(struct ndr_pull *ndr, int flags, struct netr_DatabaseSync2 *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -10695,18 +11011,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseSync2(struct ndr_pull *ndr, int f > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -10870,7 +11190,12 @@ static enum ndr_err_code ndr_push_netr_DatabaseRedo(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int flags, struct netr_DatabaseRedo *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > uint32_t _ptr_change_log_entry; >+ uint32_t size_change_log_entry_1 = 0; > TALLOC_CTX *_mem_save_return_authenticator_0; > TALLOC_CTX *_mem_save_change_log_entry_0; > TALLOC_CTX *_mem_save_delta_enum_array_0; >@@ -10879,18 +11204,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int fl > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.return_authenticator); >@@ -10909,8 +11238,9 @@ static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int fl > _mem_save_change_log_entry_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.change_log_entry, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.change_log_entry)); >- NDR_PULL_ALLOC_N(ndr, r->in.change_log_entry, ndr_get_array_size(ndr, &r->in.change_log_entry)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.change_log_entry, ndr_get_array_size(ndr, &r->in.change_log_entry))); >+ size_change_log_entry_1 = ndr_get_array_size(ndr, &r->in.change_log_entry); >+ NDR_PULL_ALLOC_N(ndr, r->in.change_log_entry, size_change_log_entry_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.change_log_entry, size_change_log_entry_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_change_log_entry_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.change_log_entry_size)); >@@ -11014,6 +11344,8 @@ static enum ndr_err_code ndr_push_netr_LogonControl2Ex(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonControl2Ex(struct ndr_pull *ndr, int flags, struct netr_LogonControl2Ex *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_query_0; > if (flags & NDR_IN) { >@@ -11030,11 +11362,13 @@ static enum ndr_err_code ndr_pull_netr_LogonControl2Ex(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.function_code)); >@@ -11118,6 +11452,8 @@ static enum ndr_err_code ndr_push_netr_NetrEnumerateTrustedDomains(struct ndr_pu > static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomains(struct ndr_pull *ndr, int flags, struct netr_NetrEnumerateTrustedDomains *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_trusted_domains_blob_0; > if (flags & NDR_IN) { >@@ -11134,11 +11470,13 @@ static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomains(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.trusted_domains_blob); >@@ -11231,7 +11569,11 @@ static enum ndr_err_code ndr_push_netr_DsRGetDCName(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCName *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_guid; > uint32_t _ptr_info; >@@ -11255,11 +11597,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); >@@ -11273,11 +11617,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -11428,7 +11774,11 @@ static enum ndr_err_code ndr_push_netr_LogonGetCapabilities(struct ndr_push *ndr > > static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr, int flags, struct netr_LogonGetCapabilities *r) > { >+ uint32_t size_server_name_0 = 0; >+ uint32_t length_server_name_0 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -11438,11 +11788,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_0 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_0 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_0 > size_server_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_0, length_server_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); > if (_ptr_computer_name) { > NDR_PULL_ALLOC(ndr, r->in.computer_name); >@@ -11454,11 +11806,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -11620,7 +11974,11 @@ static enum ndr_err_code ndr_push_netr_LogonGetTrustRid(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, int flags, struct netr_LogonGetTrustRid *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_domain_name_0; > TALLOC_CTX *_mem_save_rid_0; >@@ -11638,11 +11996,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); >@@ -11656,11 +12016,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.rid); >@@ -11847,6 +12209,12 @@ static enum ndr_err_code ndr_push_netr_ServerAuthenticate3(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerAuthenticate3(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate3 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_negotiate_flags_0; >@@ -11865,28 +12233,34 @@ static enum ndr_err_code ndr_pull_netr_ServerAuthenticate3(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -12031,9 +12405,15 @@ static enum ndr_err_code ndr_push_netr_DsRGetDCNameEx(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCNameEx *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_domain_name_0; >@@ -12055,11 +12435,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); >@@ -12073,11 +12455,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -12103,11 +12487,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); >- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_DsRGetDCName_flags(ndr, NDR_SCALARS, &r->in.flags)); >@@ -12223,7 +12609,11 @@ static enum ndr_err_code ndr_push_netr_DsRGetSiteName(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int flags, struct netr_DsRGetSiteName *r) > { > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_site; >+ uint32_t size_site_2 = 0; >+ uint32_t length_site_2 = 0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_site_0; > TALLOC_CTX *_mem_save_site_1; >@@ -12241,11 +12631,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.site); >@@ -12268,11 +12660,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, *r->out.site, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.site)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.site)); >- if (ndr_get_array_length(ndr, r->out.site) > ndr_get_array_size(ndr, r->out.site)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.site), ndr_get_array_length(ndr, r->out.site)); >+ size_site_2 = ndr_get_array_size(ndr, r->out.site); >+ length_site_2 = ndr_get_array_length(ndr, r->out.site); >+ if (length_site_2 > size_site_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_2, length_site_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.site), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.site, ndr_get_array_length(ndr, r->out.site), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.site, length_site_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_0, LIBNDR_FLAG_REF_ALLOC); >@@ -12360,7 +12754,11 @@ static enum ndr_err_code ndr_push_netr_LogonGetDomainInfo(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, int flags, struct netr_LogonGetDomainInfo *r) > { >+ uint32_t size_server_name_0 = 0; >+ uint32_t length_server_name_0 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -12370,11 +12768,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_0 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_0 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_0 > size_server_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_0, length_server_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); > if (_ptr_computer_name) { > NDR_PULL_ALLOC(ndr, r->in.computer_name); >@@ -12386,11 +12786,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -12525,6 +12927,12 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordSet2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -12543,28 +12951,34 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -12678,6 +13092,12 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordGet(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_ServerPasswordGet(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordGet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -12696,28 +13116,34 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordGet(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -12872,6 +13298,9 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesW(struct ndr_push *n > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *ndr, int flags, struct netr_DsRAddressToSitenamesW *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_addresses_1 = 0; > uint32_t cntr_addresses_1; > uint32_t _ptr_ctr; > TALLOC_CTX *_mem_save_server_name_0; >@@ -12892,11 +13321,13 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); >@@ -12904,15 +13335,16 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *n > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.addresses)); >+ size_addresses_1 = ndr_get_array_size(ndr, &r->in.addresses); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.addresses, ndr_get_array_size(ndr, &r->in.addresses)); >+ NDR_PULL_ALLOC_N(ndr, r->in.addresses, size_addresses_1); > } > _mem_save_addresses_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.addresses, 0); >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_SCALARS, &r->in.addresses[cntr_addresses_1])); > } >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_BUFFERS, &r->in.addresses[cntr_addresses_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_1, 0); >@@ -13051,10 +13483,18 @@ static enum ndr_err_code ndr_push_netr_DsRGetDCNameEx2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCNameEx2 *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_client_account; >+ uint32_t size_client_account_1 = 0; >+ uint32_t length_client_account_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_client_account_0; >@@ -13077,11 +13517,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client_account)); >@@ -13095,11 +13537,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.client_account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client_account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client_account)); >- if (ndr_get_array_length(ndr, &r->in.client_account) > ndr_get_array_size(ndr, &r->in.client_account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client_account), ndr_get_array_length(ndr, &r->in.client_account)); >+ size_client_account_1 = ndr_get_array_size(ndr, &r->in.client_account); >+ length_client_account_1 = ndr_get_array_length(ndr, &r->in.client_account); >+ if (length_client_account_1 > size_client_account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_account_1, length_client_account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client_account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client_account, ndr_get_array_length(ndr, &r->in.client_account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client_account, length_client_account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_account_0, 0); > } > NDR_CHECK(ndr_pull_samr_AcctFlags(ndr, NDR_SCALARS, &r->in.mask)); >@@ -13114,11 +13558,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -13144,11 +13590,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); >- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_DsRGetDCName_flags(ndr, NDR_SCALARS, &r->in.flags)); >@@ -13306,6 +13754,8 @@ static enum ndr_err_code ndr_push_netr_NetrEnumerateTrustedDomainsEx(struct ndr_ > static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomainsEx(struct ndr_pull *ndr, int flags, struct netr_NetrEnumerateTrustedDomainsEx *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_dom_trust_list_0; > if (flags & NDR_IN) { >@@ -13322,11 +13772,13 @@ static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomainsEx(struct ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.dom_trust_list); >@@ -13415,6 +13867,9 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesExW(struct ndr_push > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull *ndr, int flags, struct netr_DsRAddressToSitenamesExW *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_addresses_1 = 0; > uint32_t cntr_addresses_1; > uint32_t _ptr_ctr; > TALLOC_CTX *_mem_save_server_name_0; >@@ -13435,11 +13890,13 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); >@@ -13447,15 +13904,16 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.addresses)); >+ size_addresses_1 = ndr_get_array_size(ndr, &r->in.addresses); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.addresses, ndr_get_array_size(ndr, &r->in.addresses)); >+ NDR_PULL_ALLOC_N(ndr, r->in.addresses, size_addresses_1); > } > _mem_save_addresses_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.addresses, 0); >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_SCALARS, &r->in.addresses[cntr_addresses_1])); > } >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_BUFFERS, &r->in.addresses[cntr_addresses_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_1, 0); >@@ -13564,6 +14022,8 @@ static enum ndr_err_code ndr_push_netr_DsrGetDcSiteCoverageW(struct ndr_push *nd > static enum ndr_err_code ndr_pull_netr_DsrGetDcSiteCoverageW(struct ndr_pull *ndr, int flags, struct netr_DsrGetDcSiteCoverageW *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_ctr_0; > if (flags & NDR_IN) { >@@ -13580,11 +14040,13 @@ static enum ndr_err_code ndr_pull_netr_DsrGetDcSiteCoverageW(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.ctr); >@@ -13685,7 +14147,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogonEx(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogonEx *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_logon_0; >@@ -13706,11 +14172,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -13724,11 +14192,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonLevel(ndr, NDR_SCALARS, &r->in.logon_level)); >@@ -13865,6 +14335,8 @@ static enum ndr_err_code ndr_push_netr_DsrEnumerateDomainTrusts(struct ndr_push > static enum ndr_err_code ndr_pull_netr_DsrEnumerateDomainTrusts(struct ndr_pull *ndr, int flags, struct netr_DsrEnumerateDomainTrusts *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_trusts_0; > if (flags & NDR_IN) { >@@ -13881,11 +14353,13 @@ static enum ndr_err_code ndr_pull_netr_DsrEnumerateDomainTrusts(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_TrustFlags(ndr, NDR_SCALARS, &r->in.trust_flags)); >@@ -13979,9 +14453,15 @@ static enum ndr_err_code ndr_push_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pull *ndr, int flags, struct netr_DsrDeregisterDNSHostRecords *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_dsa_guid; >+ uint32_t size_dns_host_1 = 0; >+ uint32_t length_dns_host_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_domain_0; > TALLOC_CTX *_mem_save_domain_guid_0; >@@ -13998,11 +14478,13 @@ static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); >@@ -14016,11 +14498,13 @@ static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain)); >- if (ndr_get_array_length(ndr, &r->in.domain) > ndr_get_array_size(ndr, &r->in.domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain), ndr_get_array_length(ndr, &r->in.domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->in.domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->in.domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -14049,11 +14533,13 @@ static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_host)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_host)); >- if (ndr_get_array_length(ndr, &r->in.dns_host) > ndr_get_array_size(ndr, &r->in.dns_host)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_host), ndr_get_array_length(ndr, &r->in.dns_host)); >+ size_dns_host_1 = ndr_get_array_size(ndr, &r->in.dns_host); >+ length_dns_host_1 = ndr_get_array_length(ndr, &r->in.dns_host); >+ if (length_dns_host_1 > size_dns_host_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_host_1, length_dns_host_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_host), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_host, ndr_get_array_length(ndr, &r->in.dns_host), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_host_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_host, length_dns_host_1, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -14155,6 +14641,12 @@ static enum ndr_err_code ndr_push_netr_ServerTrustPasswordsGet(struct ndr_push * > static enum ndr_err_code ndr_pull_netr_ServerTrustPasswordsGet(struct ndr_pull *ndr, int flags, struct netr_ServerTrustPasswordsGet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -14174,28 +14666,34 @@ static enum ndr_err_code ndr_pull_netr_ServerTrustPasswordsGet(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -14318,7 +14816,11 @@ static enum ndr_err_code ndr_push_netr_DsRGetForestTrustInformation(struct ndr_p > static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_pull *ndr, int flags, struct netr_DsRGetForestTrustInformation *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_trusted_domain_name; >+ uint32_t size_trusted_domain_name_1 = 0; >+ uint32_t length_trusted_domain_name_1 = 0; > uint32_t _ptr_forest_trust_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_trusted_domain_name_0; >@@ -14338,11 +14840,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_trusted_domain_name)); >@@ -14356,11 +14860,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.trusted_domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.trusted_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.trusted_domain_name)); >- if (ndr_get_array_length(ndr, &r->in.trusted_domain_name) > ndr_get_array_size(ndr, &r->in.trusted_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.trusted_domain_name), ndr_get_array_length(ndr, &r->in.trusted_domain_name)); >+ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->in.trusted_domain_name); >+ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->in.trusted_domain_name); >+ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); >@@ -14477,6 +14983,10 @@ static enum ndr_err_code ndr_push_netr_GetForestTrustInformation(struct ndr_push > static enum ndr_err_code ndr_pull_netr_GetForestTrustInformation(struct ndr_pull *ndr, int flags, struct netr_GetForestTrustInformation *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_trusted_domain_name_1 = 0; >+ uint32_t length_trusted_domain_name_1 = 0; > uint32_t _ptr_forest_trust_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; >@@ -14497,20 +15007,24 @@ static enum ndr_err_code ndr_pull_netr_GetForestTrustInformation(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.trusted_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.trusted_domain_name)); >- if (ndr_get_array_length(ndr, &r->in.trusted_domain_name) > ndr_get_array_size(ndr, &r->in.trusted_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.trusted_domain_name), ndr_get_array_length(ndr, &r->in.trusted_domain_name)); >+ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->in.trusted_domain_name); >+ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->in.trusted_domain_name); >+ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -14664,7 +15178,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogonWithFlags(struct ndr_push *n > static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogonWithFlags *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_credential; > uint32_t _ptr_return_authenticator; > TALLOC_CTX *_mem_save_server_name_0; >@@ -14688,11 +15206,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -14706,11 +15226,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); >diff --git a/source/librpc/gen_ndr/ndr_notify.c b/source/librpc/gen_ndr/ndr_notify.c >index 00ba8bc..f390b9e 100644 >--- a/source/librpc/gen_ndr/ndr_notify.c >+++ b/source/librpc/gen_ndr/ndr_notify.c >@@ -82,6 +82,7 @@ static enum ndr_err_code ndr_push_notify_depth(struct ndr_push *ndr, int ndr_fla > > static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_flags, struct notify_depth *r) > { >+ uint32_t size_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_entries_0; > if (ndr_flags & NDR_SCALARS) { >@@ -89,18 +90,20 @@ static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_fla > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask_subdir)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries); >+ size_entries_0 = r->num_entries; >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_entries_0 = r->num_entries; > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -149,23 +152,26 @@ _PUBLIC_ enum ndr_err_code ndr_push_notify_array(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_notify_array(struct ndr_pull *ndr, int ndr_flags, struct notify_array *r) > { >+ uint32_t size_depth_0 = 0; > uint32_t cntr_depth_0; > TALLOC_CTX *_mem_save_depth_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_depths)); >- NDR_PULL_ALLOC_N(ndr, r->depth, r->num_depths); >+ size_depth_0 = r->num_depths; >+ NDR_PULL_ALLOC_N(ndr, r->depth, size_depth_0); > _mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0); >- for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) { >+ for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) { > NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_SCALARS, &r->depth[cntr_depth_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_depth_0 = r->num_depths; > _mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0); >- for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) { >+ for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) { > NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_BUFFERS, &r->depth[cntr_depth_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0); >diff --git a/source/librpc/gen_ndr/ndr_ntsvcs.c b/source/librpc/gen_ndr/ndr_ntsvcs.c >index 77b418d..a1f9b28 100644 >--- a/source/librpc/gen_ndr/ndr_ntsvcs.c >+++ b/source/librpc/gen_ndr/ndr_ntsvcs.c >@@ -21,11 +21,13 @@ static enum ndr_err_code ndr_push_PNP_HwProfInfo(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_PNP_HwProfInfo(struct ndr_pull *ndr, int ndr_flags, struct PNP_HwProfInfo *r) > { >+ uint32_t size_friendly_name_0 = 0; > uint32_t cntr_friendly_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->profile_handle)); >- for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < 80; cntr_friendly_name_0++) { >+ size_friendly_name_0 = 80; >+ for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < size_friendly_name_0; cntr_friendly_name_0++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->friendly_name[cntr_friendly_name_0])); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags)); >@@ -341,14 +343,18 @@ static enum ndr_err_code ndr_push_PNP_ValidateDeviceInstance(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_PNP_ValidateDeviceInstance(struct ndr_pull *ndr, int flags, struct PNP_ValidateDeviceInstance *r) > { >+ uint32_t size_devicepath_1 = 0; >+ uint32_t length_devicepath_1 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); >- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); >+ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); >+ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); >+ if (length_devicepath_1 > size_devicepath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -572,6 +578,8 @@ static enum ndr_err_code ndr_push_PNP_GetDeviceListSize(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_PNP_GetDeviceListSize(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceListSize *r) > { > uint32_t _ptr_devicename; >+ uint32_t size_devicename_1 = 0; >+ uint32_t length_devicename_1 = 0; > TALLOC_CTX *_mem_save_devicename_0; > TALLOC_CTX *_mem_save_size_0; > if (flags & NDR_IN) { >@@ -588,11 +596,13 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceListSize(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.devicename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicename)); >- if (ndr_get_array_length(ndr, &r->in.devicename) > ndr_get_array_size(ndr, &r->in.devicename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicename), ndr_get_array_length(ndr, &r->in.devicename)); >+ size_devicename_1 = ndr_get_array_size(ndr, &r->in.devicename); >+ length_devicename_1 = ndr_get_array_length(ndr, &r->in.devicename); >+ if (length_devicename_1 > size_devicename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicename_1, length_devicename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, length_devicename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_devicename_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); >@@ -1848,9 +1858,15 @@ static enum ndr_err_code ndr_push_PNP_HwProfFlags(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flags, struct PNP_HwProfFlags *r) > { >+ uint32_t size_devicepath_1 = 0; >+ uint32_t length_devicepath_1 = 0; > uint32_t _ptr_unknown4; > uint32_t _ptr_unknown5; >+ uint32_t size_unknown5_1 = 0; >+ uint32_t length_unknown5_1 = 0; > uint32_t _ptr_unknown5a; >+ uint32_t size_unknown5a_2 = 0; >+ uint32_t length_unknown5a_2 = 0; > TALLOC_CTX *_mem_save_unknown3_0; > TALLOC_CTX *_mem_save_unknown4_0; > TALLOC_CTX *_mem_save_unknown5_0; >@@ -1862,11 +1878,13 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown1)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); >- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); >+ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); >+ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); >+ if (length_devicepath_1 > size_devicepath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown2)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.unknown3); >@@ -1898,11 +1916,13 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown5, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown5)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown5)); >- if (ndr_get_array_length(ndr, &r->in.unknown5) > ndr_get_array_size(ndr, &r->in.unknown5)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown5), ndr_get_array_length(ndr, &r->in.unknown5)); >+ size_unknown5_1 = ndr_get_array_size(ndr, &r->in.unknown5); >+ length_unknown5_1 = ndr_get_array_length(ndr, &r->in.unknown5); >+ if (length_unknown5_1 > size_unknown5_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5_1, length_unknown5_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, length_unknown5_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown6)); >@@ -1950,11 +1970,13 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, *r->out.unknown5a, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.unknown5a)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.unknown5a)); >- if (ndr_get_array_length(ndr, r->out.unknown5a) > ndr_get_array_size(ndr, r->out.unknown5a)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.unknown5a), ndr_get_array_length(ndr, r->out.unknown5a)); >+ size_unknown5a_2 = ndr_get_array_size(ndr, r->out.unknown5a); >+ length_unknown5a_2 = ndr_get_array_length(ndr, r->out.unknown5a); >+ if (length_unknown5a_2 > size_unknown5a_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5a_2, length_unknown5a_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5a_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, length_unknown5a_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_0, 0); >diff --git a/source/librpc/gen_ndr/ndr_samr.c b/source/librpc/gen_ndr/ndr_samr.c >index 62676d2..a0f03f1 100644 >--- a/source/librpc/gen_ndr/ndr_samr.c >+++ b/source/librpc/gen_ndr/ndr_samr.c >@@ -249,6 +249,7 @@ static enum ndr_err_code ndr_push_samr_SamArray(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_samr_SamArray(struct ndr_pull *ndr, int ndr_flags, struct samr_SamArray *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -267,13 +268,14 @@ static enum ndr_err_code ndr_pull_samr_SamArray(struct ndr_pull *ndr, int ndr_fl > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_SamEntry(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_SamEntry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -1110,6 +1112,7 @@ static enum ndr_err_code ndr_push_samr_Ids(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_samr_Ids(struct ndr_pull *ndr, int ndr_flags, struct samr_Ids *r) > { > uint32_t _ptr_ids; >+ uint32_t size_ids_1 = 0; > uint32_t cntr_ids_1; > TALLOC_CTX *_mem_save_ids_0; > TALLOC_CTX *_mem_save_ids_1; >@@ -1131,10 +1134,11 @@ static enum ndr_err_code ndr_pull_samr_Ids(struct ndr_pull *ndr, int ndr_flags, > _mem_save_ids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->ids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->ids)); >- NDR_PULL_ALLOC_N(ndr, r->ids, ndr_get_array_size(ndr, &r->ids)); >+ size_ids_1 = ndr_get_array_size(ndr, &r->ids); >+ NDR_PULL_ALLOC_N(ndr, r->ids, size_ids_1); > _mem_save_ids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->ids, 0); >- for (cntr_ids_1 = 0; cntr_ids_1 < r->count; cntr_ids_1++) { >+ for (cntr_ids_1 = 0; cntr_ids_1 < size_ids_1; cntr_ids_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ids[cntr_ids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ids_1, 0); >@@ -1483,10 +1487,12 @@ static enum ndr_err_code ndr_push_samr_RidTypeArray(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_samr_RidTypeArray(struct ndr_pull *ndr, int ndr_flags, struct samr_RidTypeArray *r) > { > uint32_t _ptr_rids; >+ uint32_t size_rids_1 = 0; > uint32_t cntr_rids_1; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_rids_1; > uint32_t _ptr_types; >+ uint32_t size_types_1 = 0; > uint32_t cntr_types_1; > TALLOC_CTX *_mem_save_types_0; > TALLOC_CTX *_mem_save_types_1; >@@ -1511,10 +1517,11 @@ static enum ndr_err_code ndr_pull_samr_RidTypeArray(struct ndr_pull *ndr, int nd > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_1 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); > _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_1 = 0; cntr_rids_1 < r->count; cntr_rids_1++) { >+ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); >@@ -1524,10 +1531,11 @@ static enum ndr_err_code ndr_pull_samr_RidTypeArray(struct ndr_pull *ndr, int nd > _mem_save_types_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->types)); >- NDR_PULL_ALLOC_N(ndr, r->types, ndr_get_array_size(ndr, &r->types)); >+ size_types_1 = ndr_get_array_size(ndr, &r->types); >+ NDR_PULL_ALLOC_N(ndr, r->types, size_types_1); > _mem_save_types_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); >- for (cntr_types_1 = 0; cntr_types_1 < r->count; cntr_types_1++) { >+ for (cntr_types_1 = 0; cntr_types_1 < size_types_1; cntr_types_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->types[cntr_types_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_types_1, 0); >@@ -1883,6 +1891,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_LogonHours(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_samr_LogonHours(struct ndr_pull *ndr, int ndr_flags, struct samr_LogonHours *r) > { > uint32_t _ptr_bits; >+ uint32_t size_bits_1 = 0; >+ uint32_t length_bits_1 = 0; > TALLOC_CTX *_mem_save_bits_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -1903,11 +1913,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_LogonHours(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->bits, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->bits)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->bits)); >- if (ndr_get_array_length(ndr, &r->bits) > ndr_get_array_size(ndr, &r->bits)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->bits), ndr_get_array_length(ndr, &r->bits)); >+ size_bits_1 = ndr_get_array_size(ndr, &r->bits); >+ length_bits_1 = ndr_get_array_length(ndr, &r->bits); >+ if (length_bits_1 > size_bits_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_bits_1, length_bits_1); > } >- NDR_PULL_ALLOC_N(ndr, r->bits, ndr_get_array_size(ndr, &r->bits)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->bits, ndr_get_array_length(ndr, &r->bits))); >+ NDR_PULL_ALLOC_N(ndr, r->bits, size_bits_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->bits, length_bits_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bits_0, 0); > } > if (r->bits) { >@@ -2543,12 +2555,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_Password(struct ndr_push *ndr, int ndr_ > > _PUBLIC_ enum ndr_err_code ndr_pull_samr_Password(struct ndr_pull *ndr, int ndr_flags, struct samr_Password *r) > { >+ uint32_t size_hash_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); >+ size_hash_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -2757,6 +2771,7 @@ static enum ndr_err_code ndr_push_samr_UserInfo21(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_samr_UserInfo21(struct ndr_pull *ndr, int ndr_flags, struct samr_UserInfo21 *r) > { > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_buffer_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2818,8 +2833,9 @@ static enum ndr_err_code ndr_pull_samr_UserInfo21(struct ndr_pull *ndr, int ndr_ > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->buffer)); >- NDR_PULL_ALLOC_N(ndr, r->buffer, ndr_get_array_size(ndr, &r->buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, ndr_get_array_size(ndr, &r->buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->buffer); >+ NDR_PULL_ALLOC_N(ndr, r->buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > NDR_CHECK(ndr_pull_samr_LogonHours(ndr, NDR_BUFFERS, &r->logon_hours)); >@@ -2894,12 +2910,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_CryptPassword(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_samr_CryptPassword(struct ndr_pull *ndr, int ndr_flags, struct samr_CryptPassword *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 516)); >+ size_data_0 = 516; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -3007,12 +3025,14 @@ static enum ndr_err_code ndr_push_samr_CryptPasswordEx(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_samr_CryptPasswordEx(struct ndr_pull *ndr, int ndr_flags, struct samr_CryptPasswordEx *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 532)); >+ size_data_0 = 532; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -3660,6 +3680,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_RidWithAttributeArray(struct ndr_push * > _PUBLIC_ enum ndr_err_code ndr_pull_samr_RidWithAttributeArray(struct ndr_pull *ndr, int ndr_flags, struct samr_RidWithAttributeArray *r) > { > uint32_t _ptr_rids; >+ uint32_t size_rids_1 = 0; > uint32_t cntr_rids_1; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_rids_1; >@@ -3678,10 +3699,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_RidWithAttributeArray(struct ndr_pull * > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_1 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); > _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_1 = 0; cntr_rids_1 < r->count; cntr_rids_1++) { >+ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { > NDR_CHECK(ndr_pull_samr_RidWithAttribute(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); >@@ -3794,6 +3816,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoGeneral(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_samr_DispInfoGeneral(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoGeneral *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -3812,13 +3835,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoGeneral(struct ndr_pull *ndr, int > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryGeneral(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryGeneral(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -3926,6 +3950,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoFull(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_samr_DispInfoFull(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoFull *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -3944,13 +3969,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoFull(struct ndr_pull *ndr, int nd > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFull(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFull(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4058,6 +4084,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoFullGroups(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_samr_DispInfoFullGroups(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoFullGroups *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4076,13 +4103,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoFullGroups(struct ndr_pull *ndr, > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFullGroup(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFullGroup(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4179,6 +4207,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoAscii(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_samr_DispInfoAscii(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoAscii *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4197,13 +4226,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoAscii(struct ndr_pull *ndr, int n > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryAscii(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryAscii(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4700,6 +4730,7 @@ static enum ndr_err_code ndr_push_samr_ValidationBlob(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_samr_ValidationBlob(struct ndr_pull *ndr, int ndr_flags, struct samr_ValidationBlob *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4716,8 +4747,9 @@ static enum ndr_err_code ndr_pull_samr_ValidationBlob(struct ndr_pull *ndr, int > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -4771,6 +4803,7 @@ static enum ndr_err_code ndr_push_samr_ValidatePasswordInfo(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_samr_ValidatePasswordInfo(struct ndr_pull *ndr, int ndr_flags, struct samr_ValidatePasswordInfo *r) > { > uint32_t _ptr_pwd_history; >+ uint32_t size_pwd_history_1 = 0; > uint32_t cntr_pwd_history_1; > TALLOC_CTX *_mem_save_pwd_history_0; > TALLOC_CTX *_mem_save_pwd_history_1; >@@ -4794,13 +4827,14 @@ static enum ndr_err_code ndr_pull_samr_ValidatePasswordInfo(struct ndr_pull *ndr > _mem_save_pwd_history_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->pwd_history, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->pwd_history)); >- NDR_PULL_ALLOC_N(ndr, r->pwd_history, ndr_get_array_size(ndr, &r->pwd_history)); >+ size_pwd_history_1 = ndr_get_array_size(ndr, &r->pwd_history); >+ NDR_PULL_ALLOC_N(ndr, r->pwd_history, size_pwd_history_1); > _mem_save_pwd_history_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->pwd_history, 0); >- for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < r->pwd_history_len; cntr_pwd_history_1++) { >+ for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < size_pwd_history_1; cntr_pwd_history_1++) { > NDR_CHECK(ndr_pull_samr_ValidationBlob(ndr, NDR_SCALARS, &r->pwd_history[cntr_pwd_history_1])); > } >- for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < r->pwd_history_len; cntr_pwd_history_1++) { >+ for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < size_pwd_history_1; cntr_pwd_history_1++) { > NDR_CHECK(ndr_pull_samr_ValidationBlob(ndr, NDR_BUFFERS, &r->pwd_history[cntr_pwd_history_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pwd_history_1, 0); >@@ -7117,6 +7151,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_LookupNames(struct ndr_push *ndr, int f > > _PUBLIC_ enum ndr_err_code ndr_pull_samr_LookupNames(struct ndr_pull *ndr, int flags, struct samr_LookupNames *r) > { >+ uint32_t size_names_0 = 0; >+ uint32_t length_names_0 = 0; > uint32_t cntr_names_0; > TALLOC_CTX *_mem_save_domain_handle_0; > TALLOC_CTX *_mem_save_names_0; >@@ -7138,16 +7174,18 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_LookupNames(struct ndr_pull *ndr, int f > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.names)); >- if (ndr_get_array_length(ndr, &r->in.names) > ndr_get_array_size(ndr, &r->in.names)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.names), ndr_get_array_length(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ length_names_0 = ndr_get_array_length(ndr, &r->in.names); >+ if (length_names_0 > size_names_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_names_0, length_names_0); > } >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < length_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < length_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -7259,6 +7297,8 @@ static enum ndr_err_code ndr_push_samr_LookupRids(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_samr_LookupRids(struct ndr_pull *ndr, int flags, struct samr_LookupRids *r) > { >+ uint32_t size_rids_0 = 0; >+ uint32_t length_rids_0 = 0; > uint32_t cntr_rids_0; > TALLOC_CTX *_mem_save_domain_handle_0; > TALLOC_CTX *_mem_save_rids_0; >@@ -7280,13 +7320,15 @@ static enum ndr_err_code ndr_pull_samr_LookupRids(struct ndr_pull *ndr, int flag > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rids)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rids)); >- if (ndr_get_array_length(ndr, &r->in.rids) > ndr_get_array_size(ndr, &r->in.rids)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rids), ndr_get_array_length(ndr, &r->in.rids)); >+ size_rids_0 = ndr_get_array_size(ndr, &r->in.rids); >+ length_rids_0 = ndr_get_array_length(ndr, &r->in.rids); >+ if (length_rids_0 > size_rids_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rids_0, length_rids_0); > } >- NDR_PULL_ALLOC_N(ndr, r->in.rids, ndr_get_array_size(ndr, &r->in.rids)); >+ NDR_PULL_ALLOC_N(ndr, r->in.rids, size_rids_0); > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.rids, 0); >- for (cntr_rids_0 = 0; cntr_rids_0 < r->in.num_rids; cntr_rids_0++) { >+ for (cntr_rids_0 = 0; cntr_rids_0 < length_rids_0; cntr_rids_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.rids[cntr_rids_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_0, 0); >@@ -10937,6 +10979,8 @@ static enum ndr_err_code ndr_push_samr_Connect2(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_samr_Connect2(struct ndr_pull *ndr, int flags, struct samr_Connect2 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_connect_handle_0; > if (flags & NDR_IN) { >@@ -10953,11 +10997,13 @@ static enum ndr_err_code ndr_pull_samr_Connect2(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_samr_ConnectAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); >@@ -11257,6 +11303,8 @@ static enum ndr_err_code ndr_push_samr_Connect3(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_samr_Connect3(struct ndr_pull *ndr, int flags, struct samr_Connect3 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_connect_handle_0; > if (flags & NDR_IN) { >@@ -11273,11 +11321,13 @@ static enum ndr_err_code ndr_pull_samr_Connect3(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown)); >@@ -11357,6 +11407,8 @@ static enum ndr_err_code ndr_push_samr_Connect4(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_samr_Connect4(struct ndr_pull *ndr, int flags, struct samr_Connect4 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_connect_handle_0; > if (flags & NDR_IN) { >@@ -11373,11 +11425,13 @@ static enum ndr_err_code ndr_pull_samr_Connect4(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_samr_ConnectVersion(ndr, NDR_SCALARS, &r->in.client_version)); >@@ -11755,6 +11809,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_Connect5(struct ndr_push *ndr, int flag > _PUBLIC_ enum ndr_err_code ndr_pull_samr_Connect5(struct ndr_pull *ndr, int flags, struct samr_Connect5 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_info_in_0; > TALLOC_CTX *_mem_save_level_out_0; >@@ -11774,11 +11830,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_Connect5(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_samr_ConnectAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); >diff --git a/source/librpc/gen_ndr/ndr_security.c b/source/librpc/gen_ndr/ndr_security.c >index d031c46..6a3ab10 100644 >--- a/source/librpc/gen_ndr/ndr_security.c >+++ b/source/librpc/gen_ndr/ndr_security.c >@@ -492,6 +492,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_acl(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_security_acl(struct ndr_pull *ndr, int ndr_flags, struct security_acl *r) > { >+ uint32_t size_aces_0 = 0; > uint32_t cntr_aces_0; > TALLOC_CTX *_mem_save_aces_0; > if (ndr_flags & NDR_SCALARS) { >@@ -502,18 +503,20 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_acl(struct ndr_pull *ndr, int ndr_f > if (r->num_aces < 0 || r->num_aces > 1000) { > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_PULL_ALLOC_N(ndr, r->aces, r->num_aces); >+ size_aces_0 = r->num_aces; >+ NDR_PULL_ALLOC_N(ndr, r->aces, size_aces_0); > _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0); >- for (cntr_aces_0 = 0; cntr_aces_0 < r->num_aces; cntr_aces_0++) { >+ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) { > NDR_CHECK(ndr_pull_security_ace(ndr, NDR_SCALARS, &r->aces[cntr_aces_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_aces_0 = r->num_aces; > _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0); >- for (cntr_aces_0 = 0; cntr_aces_0 < r->num_aces; cntr_aces_0++) { >+ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) { > NDR_CHECK(ndr_pull_security_ace(ndr, NDR_BUFFERS, &r->aces[cntr_aces_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0, 0); >@@ -875,6 +878,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr > uint32_t _ptr_group_sid; > TALLOC_CTX *_mem_save_group_sid_0; > uint32_t _ptr_sids; >+ uint32_t size_sids_0 = 0; > uint32_t cntr_sids_0; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -894,10 +898,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_sids)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_0 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_0); > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { >+ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sids)); > if (_ptr_sids) { > NDR_PULL_ALLOC(ndr, r->sids[cntr_sids_0]); >@@ -924,9 +929,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr > NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS|NDR_BUFFERS, r->group_sid)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0); > } >+ size_sids_0 = ndr_get_array_size(ndr, &r->sids); > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { >+ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { > if (r->sids[cntr_sids_0]) { > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids[cntr_sids_0], 0); >diff --git a/source/librpc/gen_ndr/ndr_srvsvc.c b/source/librpc/gen_ndr/ndr_srvsvc.c >index d97ee01..893a3b11 100644 >--- a/source/librpc/gen_ndr/ndr_srvsvc.c >+++ b/source/librpc/gen_ndr/ndr_srvsvc.c >@@ -25,6 +25,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevInfo0(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevInfo0 *r) > { > uint32_t _ptr_device; >+ uint32_t size_device_1 = 0; >+ uint32_t length_device_1 = 0; > TALLOC_CTX *_mem_save_device_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -41,11 +43,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo0(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); >- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); >+ size_device_1 = ndr_get_array_size(ndr, &r->device); >+ length_device_1 = ndr_get_array_length(ndr, &r->device); >+ if (length_device_1 > size_device_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); > } > } >@@ -90,6 +94,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevCtr0(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -108,13 +113,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr0(struct ndr_pull *ndr, in > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -180,8 +186,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevInfo1(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevInfo1 *r) > { > uint32_t _ptr_device; >+ uint32_t size_device_1 = 0; >+ uint32_t length_device_1 = 0; > TALLOC_CTX *_mem_save_device_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -206,11 +216,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo1(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); >- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); >+ size_device_1 = ndr_get_array_size(ndr, &r->device); >+ length_device_1 = ndr_get_array_length(ndr, &r->device); >+ if (length_device_1 > size_device_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); > } > if (r->user) { >@@ -218,11 +230,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo1(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -275,6 +289,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevCtr1(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -293,13 +308,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr1(struct ndr_pull *ndr, in > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -383,7 +399,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo(struct ndr_pull *ndr, in > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -392,7 +410,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo(struct ndr_pull *ndr, in > } > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -402,7 +419,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo(struct ndr_pull *ndr, in > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -521,7 +537,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -530,7 +548,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr(struct ndr_pull *ndr, int > } > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -540,7 +557,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr(struct ndr_pull *ndr, int > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -632,6 +648,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQInfo0(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQInfo0 *r) > { > uint32_t _ptr_device; >+ uint32_t size_device_1 = 0; >+ uint32_t length_device_1 = 0; > TALLOC_CTX *_mem_save_device_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -648,11 +666,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); >- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); >+ size_device_1 = ndr_get_array_size(ndr, &r->device); >+ length_device_1 = ndr_get_array_length(ndr, &r->device); >+ if (length_device_1 > size_device_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); > } > } >@@ -697,6 +717,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQCtr0(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -715,13 +736,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr0(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -788,8 +810,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQInfo1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQInfo1 *r) > { > uint32_t _ptr_device; >+ uint32_t size_device_1 = 0; >+ uint32_t length_device_1 = 0; > TALLOC_CTX *_mem_save_device_0; > uint32_t _ptr_devices; >+ uint32_t size_devices_1 = 0; >+ uint32_t length_devices_1 = 0; > TALLOC_CTX *_mem_save_devices_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -815,11 +841,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); >- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); >+ size_device_1 = ndr_get_array_size(ndr, &r->device); >+ length_device_1 = ndr_get_array_length(ndr, &r->device); >+ if (length_device_1 > size_device_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); > } > if (r->devices) { >@@ -827,11 +855,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->devices, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->devices)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->devices)); >- if (ndr_get_array_length(ndr, &r->devices) > ndr_get_array_size(ndr, &r->devices)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->devices), ndr_get_array_length(ndr, &r->devices)); >+ size_devices_1 = ndr_get_array_size(ndr, &r->devices); >+ length_devices_1 = ndr_get_array_length(ndr, &r->devices); >+ if (length_devices_1 > size_devices_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devices_1, length_devices_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->devices), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devices, ndr_get_array_length(ndr, &r->devices), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devices_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devices, length_devices_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_devices_0, 0); > } > } >@@ -885,6 +915,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQCtr1(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -903,13 +934,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr1(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -993,7 +1025,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo(struct ndr_pull *ndr, i > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1002,7 +1036,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo(struct ndr_pull *ndr, i > } > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -1012,7 +1045,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo(struct ndr_pull *ndr, i > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -1131,7 +1163,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr(struct ndr_pull *ndr, in > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1140,7 +1174,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr(struct ndr_pull *ndr, in > } > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -1150,7 +1183,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr(struct ndr_pull *ndr, in > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -1274,6 +1306,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetConnCtr0(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetConnCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -1292,10 +1325,11 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr0(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetConnInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -1364,8 +1398,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetConnInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetConnInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetConnInfo1 *r) > { > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; > TALLOC_CTX *_mem_save_share_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1393,11 +1431,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (r->share) { >@@ -1405,11 +1445,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->share)); >- if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->share); >+ length_share_1 = ndr_get_array_length(ndr, &r->share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > } >@@ -1465,6 +1507,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetConnCtr1(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetConnCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -1483,13 +1526,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr1(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetConnInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetConnInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -1573,7 +1617,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr(struct ndr_pull *ndr, int nd > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1582,7 +1628,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr(struct ndr_pull *ndr, int nd > } > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -1592,7 +1637,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr(struct ndr_pull *ndr, int nd > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -1754,6 +1798,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileCtr2(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetFileCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -1772,10 +1817,11 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr2(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetFileInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -1842,8 +1888,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileInfo3(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetFileInfo3 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1869,11 +1919,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->user) { >@@ -1881,11 +1933,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -1939,6 +1993,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileCtr3(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetFileCtr3 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -1957,13 +2012,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr3(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetFileInfo3(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetFileInfo3(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -2047,7 +2103,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo(struct ndr_pull *ndr, int n > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -2056,7 +2114,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo(struct ndr_pull *ndr, int n > } > switch (level) { > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -2066,7 +2123,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo(struct ndr_pull *ndr, int n > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -2185,7 +2241,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr(struct ndr_pull *ndr, int nd > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr2_0; >+ uint32_t _ptr_ctr2; > TALLOC_CTX *_mem_save_ctr3_0; >+ uint32_t _ptr_ctr3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -2194,7 +2252,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr(struct ndr_pull *ndr, int nd > } > switch (level) { > case 2: { >- uint32_t _ptr_ctr2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); > if (_ptr_ctr2) { > NDR_PULL_ALLOC(ndr, r->ctr2); >@@ -2204,7 +2261,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr(struct ndr_pull *ndr, int nd > break; } > > case 3: { >- uint32_t _ptr_ctr3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr3)); > if (_ptr_ctr3) { > NDR_PULL_ALLOC(ndr, r->ctr3); >@@ -2334,6 +2390,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo0(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo0 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2350,11 +2408,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo0(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > } >@@ -2399,6 +2459,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr0(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -2417,13 +2478,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr0(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -2491,8 +2553,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo1 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2519,11 +2585,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -2531,11 +2599,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -2590,6 +2660,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr1(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -2608,13 +2679,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr1(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -2689,10 +2761,16 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo2 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > uint32_t _ptr_client_type; >+ uint32_t size_client_type_1 = 0; >+ uint32_t length_client_type_1 = 0; > TALLOC_CTX *_mem_save_client_type_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2725,11 +2803,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -2737,11 +2817,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (r->client_type) { >@@ -2749,11 +2831,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_type)); >- if (ndr_get_array_length(ndr, &r->client_type) > ndr_get_array_size(ndr, &r->client_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_type), ndr_get_array_length(ndr, &r->client_type)); >+ size_client_type_1 = ndr_get_array_size(ndr, &r->client_type); >+ length_client_type_1 = ndr_get_array_length(ndr, &r->client_type); >+ if (length_client_type_1 > size_client_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_type_1, length_client_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, length_client_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_type_0, 0); > } > } >@@ -2814,6 +2898,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr2(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -2832,13 +2917,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr2(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -2904,8 +2990,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo10(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo10(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo10 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2930,11 +3020,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo10(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -2942,11 +3034,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo10(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -2999,6 +3093,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr10(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr10(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr10 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -3017,13 +3112,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr10(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo10(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo10(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -3105,12 +3201,20 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessInfo502(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo502 *r) > { > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > TALLOC_CTX *_mem_save_client_0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_user_0; > uint32_t _ptr_client_type; >+ uint32_t size_client_type_1 = 0; >+ uint32_t length_client_type_1 = 0; > TALLOC_CTX *_mem_save_client_type_0; > uint32_t _ptr_transport; >+ uint32_t size_transport_1 = 0; >+ uint32_t length_transport_1 = 0; > TALLOC_CTX *_mem_save_transport_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -3149,11 +3253,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); >- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->client); >+ length_client_1 = ndr_get_array_length(ndr, &r->client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > if (r->user) { >@@ -3161,11 +3267,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (r->client_type) { >@@ -3173,11 +3281,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->client_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_type)); >- if (ndr_get_array_length(ndr, &r->client_type) > ndr_get_array_size(ndr, &r->client_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_type), ndr_get_array_length(ndr, &r->client_type)); >+ size_client_type_1 = ndr_get_array_size(ndr, &r->client_type); >+ length_client_type_1 = ndr_get_array_length(ndr, &r->client_type); >+ if (length_client_type_1 > size_client_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_type_1, length_client_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, length_client_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_type_0, 0); > } > if (r->transport) { >@@ -3185,11 +3295,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->transport, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->transport)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->transport)); >- if (ndr_get_array_length(ndr, &r->transport) > ndr_get_array_size(ndr, &r->transport)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->transport), ndr_get_array_length(ndr, &r->transport)); >+ size_transport_1 = ndr_get_array_size(ndr, &r->transport); >+ length_transport_1 = ndr_get_array_length(ndr, &r->transport); >+ if (length_transport_1 > size_transport_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_1, length_transport_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->transport), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport, ndr_get_array_length(ndr, &r->transport), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport, length_transport_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_0, 0); > } > } >@@ -3256,6 +3368,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessCtr502(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr502 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -3274,13 +3387,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr502(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo502(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetSessInfo502(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -3394,10 +3508,15 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > TALLOC_CTX *_mem_save_ctr2_0; >+ uint32_t _ptr_ctr2; > TALLOC_CTX *_mem_save_ctr10_0; >+ uint32_t _ptr_ctr10; > TALLOC_CTX *_mem_save_ctr502_0; >+ uint32_t _ptr_ctr502; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -3406,7 +3525,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > } > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -3416,7 +3534,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -3426,7 +3543,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > break; } > > case 2: { >- uint32_t _ptr_ctr2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); > if (_ptr_ctr2) { > NDR_PULL_ALLOC(ndr, r->ctr2); >@@ -3436,7 +3552,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > break; } > > case 10: { >- uint32_t _ptr_ctr10; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr10)); > if (_ptr_ctr10) { > NDR_PULL_ALLOC(ndr, r->ctr10); >@@ -3446,7 +3561,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr(struct ndr_pull *ndr, int nd > break; } > > case 502: { >- uint32_t _ptr_ctr502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr502)); > if (_ptr_ctr502) { > NDR_PULL_ALLOC(ndr, r->ctr502); >@@ -3680,6 +3794,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo0(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo0 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -3696,11 +3812,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo0(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > } >@@ -3745,6 +3863,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr0(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -3763,13 +3882,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr0(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -3834,8 +3954,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo1 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -3859,11 +3983,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -3871,11 +3997,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -3927,6 +4055,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -3945,13 +4074,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4033,12 +4163,20 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo2 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_password_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4077,11 +4215,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -4089,11 +4229,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->path) { >@@ -4101,11 +4243,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->password) { >@@ -4113,11 +4257,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); >- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->password); >+ length_password_1 = ndr_get_array_length(ndr, &r->password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > } >@@ -4184,6 +4330,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4202,13 +4349,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr2(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4274,8 +4422,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo501(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo501(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo501 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4300,11 +4452,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo501(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -4312,11 +4466,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo501(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -4369,6 +4525,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr501(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr501(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr501 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4387,13 +4544,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr501(struct ndr_pull *ndr, in > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo501(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo501(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4477,12 +4635,20 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo502(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo502 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_password_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4522,11 +4688,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -4534,11 +4702,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->path) { >@@ -4546,11 +4716,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->password) { >@@ -4558,11 +4730,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); >- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->password); >+ length_password_1 = ndr_get_array_length(ndr, &r->password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_BUFFERS, &r->sd_buf)); >@@ -4631,6 +4805,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr502(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr502 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4649,13 +4824,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr502(struct ndr_pull *ndr, in > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo502(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo502(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4712,6 +4888,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo1004(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1004(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo1004 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4728,11 +4906,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1004(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -4777,6 +4957,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1004(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1004(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1004 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4795,13 +4976,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1004(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1004(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1004(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -4913,6 +5095,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1005(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1005(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1005 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -4931,10 +5114,11 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1005(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1005(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5023,6 +5207,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1006(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1006(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1006 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5041,10 +5226,11 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1006(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1006(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5102,6 +5288,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareInfo1007(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1007(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo1007 *r) > { > uint32_t _ptr_alternate_directory_name; >+ uint32_t size_alternate_directory_name_1 = 0; >+ uint32_t length_alternate_directory_name_1 = 0; > TALLOC_CTX *_mem_save_alternate_directory_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -5119,11 +5307,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1007(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->alternate_directory_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->alternate_directory_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->alternate_directory_name)); >- if (ndr_get_array_length(ndr, &r->alternate_directory_name) > ndr_get_array_size(ndr, &r->alternate_directory_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->alternate_directory_name), ndr_get_array_length(ndr, &r->alternate_directory_name)); >+ size_alternate_directory_name_1 = ndr_get_array_size(ndr, &r->alternate_directory_name); >+ length_alternate_directory_name_1 = ndr_get_array_length(ndr, &r->alternate_directory_name); >+ if (length_alternate_directory_name_1 > size_alternate_directory_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_alternate_directory_name_1, length_alternate_directory_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->alternate_directory_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alternate_directory_name, ndr_get_array_length(ndr, &r->alternate_directory_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_alternate_directory_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alternate_directory_name, length_alternate_directory_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_alternate_directory_name_0, 0); > } > } >@@ -5169,6 +5359,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1007(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1007(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1007 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5187,13 +5378,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1007(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1007(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1007(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5255,6 +5447,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCtr1501(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1501(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1501 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5273,13 +5466,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1501(struct ndr_pull *ndr, i > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5443,15 +5637,25 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info501_0; >+ uint32_t _ptr_info501; > TALLOC_CTX *_mem_save_info502_0; >+ uint32_t _ptr_info502; > TALLOC_CTX *_mem_save_info1004_0; >+ uint32_t _ptr_info1004; > TALLOC_CTX *_mem_save_info1005_0; >+ uint32_t _ptr_info1005; > TALLOC_CTX *_mem_save_info1006_0; >+ uint32_t _ptr_info1006; > TALLOC_CTX *_mem_save_info1007_0; >+ uint32_t _ptr_info1007; > TALLOC_CTX *_mem_save_info1501_0; >+ uint32_t _ptr_info1501; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -5460,7 +5664,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > } > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -5470,7 +5673,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -5480,7 +5682,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -5490,7 +5691,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 501: { >- uint32_t _ptr_info501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info501)); > if (_ptr_info501) { > NDR_PULL_ALLOC(ndr, r->info501); >@@ -5500,7 +5700,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 502: { >- uint32_t _ptr_info502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info502)); > if (_ptr_info502) { > NDR_PULL_ALLOC(ndr, r->info502); >@@ -5510,7 +5709,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1004: { >- uint32_t _ptr_info1004; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1004)); > if (_ptr_info1004) { > NDR_PULL_ALLOC(ndr, r->info1004); >@@ -5520,7 +5718,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1005: { >- uint32_t _ptr_info1005; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1005)); > if (_ptr_info1005) { > NDR_PULL_ALLOC(ndr, r->info1005); >@@ -5530,7 +5727,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1006: { >- uint32_t _ptr_info1006; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1006)); > if (_ptr_info1006) { > NDR_PULL_ALLOC(ndr, r->info1006); >@@ -5540,7 +5736,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1007: { >- uint32_t _ptr_info1007; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1007)); > if (_ptr_info1007) { > NDR_PULL_ALLOC(ndr, r->info1007); >@@ -5550,7 +5745,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo(struct ndr_pull *ndr, int > break; } > > case 1501: { >- uint32_t _ptr_info1501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1501)); > if (_ptr_info1501) { > NDR_PULL_ALLOC(ndr, r->info1501); >@@ -5893,15 +6087,25 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > TALLOC_CTX *_mem_save_ctr2_0; >+ uint32_t _ptr_ctr2; > TALLOC_CTX *_mem_save_ctr501_0; >+ uint32_t _ptr_ctr501; > TALLOC_CTX *_mem_save_ctr502_0; >+ uint32_t _ptr_ctr502; > TALLOC_CTX *_mem_save_ctr1004_0; >+ uint32_t _ptr_ctr1004; > TALLOC_CTX *_mem_save_ctr1005_0; >+ uint32_t _ptr_ctr1005; > TALLOC_CTX *_mem_save_ctr1006_0; >+ uint32_t _ptr_ctr1006; > TALLOC_CTX *_mem_save_ctr1007_0; >+ uint32_t _ptr_ctr1007; > TALLOC_CTX *_mem_save_ctr1501_0; >+ uint32_t _ptr_ctr1501; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -5910,7 +6114,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > } > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -5920,7 +6123,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -5930,7 +6132,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 2: { >- uint32_t _ptr_ctr2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); > if (_ptr_ctr2) { > NDR_PULL_ALLOC(ndr, r->ctr2); >@@ -5940,7 +6141,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 501: { >- uint32_t _ptr_ctr501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr501)); > if (_ptr_ctr501) { > NDR_PULL_ALLOC(ndr, r->ctr501); >@@ -5950,7 +6150,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 502: { >- uint32_t _ptr_ctr502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr502)); > if (_ptr_ctr502) { > NDR_PULL_ALLOC(ndr, r->ctr502); >@@ -5960,7 +6159,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1004: { >- uint32_t _ptr_ctr1004; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1004)); > if (_ptr_ctr1004) { > NDR_PULL_ALLOC(ndr, r->ctr1004); >@@ -5970,7 +6168,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1005: { >- uint32_t _ptr_ctr1005; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1005)); > if (_ptr_ctr1005) { > NDR_PULL_ALLOC(ndr, r->ctr1005); >@@ -5980,7 +6177,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1006: { >- uint32_t _ptr_ctr1006; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1006)); > if (_ptr_ctr1006) { > NDR_PULL_ALLOC(ndr, r->ctr1006); >@@ -5990,7 +6186,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1007: { >- uint32_t _ptr_ctr1007; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1007)); > if (_ptr_ctr1007) { > NDR_PULL_ALLOC(ndr, r->ctr1007); >@@ -6000,7 +6195,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr(struct ndr_pull *ndr, int n > break; } > > case 1501: { >- uint32_t _ptr_ctr1501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1501)); > if (_ptr_ctr1501) { > NDR_PULL_ALLOC(ndr, r->ctr1501); >@@ -6303,6 +6497,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo100(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo100(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo100 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6320,11 +6516,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo100(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > } >@@ -6376,8 +6574,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo101(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo101(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo101 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6404,11 +6606,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo101(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->comment) { >@@ -6416,11 +6620,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo101(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -6494,10 +6700,16 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo102(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo102(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo102 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_userpath; >+ uint32_t size_userpath_1 = 0; >+ uint32_t length_userpath_1 = 0; > TALLOC_CTX *_mem_save_userpath_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6536,11 +6748,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo102(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->comment) { >@@ -6548,11 +6762,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo102(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->userpath) { >@@ -6560,11 +6776,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo102(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->userpath, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->userpath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->userpath)); >- if (ndr_get_array_length(ndr, &r->userpath) > ndr_get_array_size(ndr, &r->userpath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->userpath), ndr_get_array_length(ndr, &r->userpath)); >+ size_userpath_1 = ndr_get_array_size(ndr, &r->userpath); >+ length_userpath_1 = ndr_get_array_length(ndr, &r->userpath); >+ if (length_userpath_1 > size_userpath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_userpath_1, length_userpath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->userpath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->userpath, ndr_get_array_length(ndr, &r->userpath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_userpath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->userpath, length_userpath_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_userpath_0, 0); > } > } >@@ -6667,10 +6885,16 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo402(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo402(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo402 *r) > { > uint32_t _ptr_alerts; >+ uint32_t size_alerts_1 = 0; >+ uint32_t length_alerts_1 = 0; > TALLOC_CTX *_mem_save_alerts_0; > uint32_t _ptr_guestaccount; >+ uint32_t size_guestaccount_1 = 0; >+ uint32_t length_guestaccount_1 = 0; > TALLOC_CTX *_mem_save_guestaccount_0; > uint32_t _ptr_srvheuristics; >+ uint32_t size_srvheuristics_1 = 0; >+ uint32_t length_srvheuristics_1 = 0; > TALLOC_CTX *_mem_save_srvheuristics_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6726,11 +6950,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo402(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->alerts, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->alerts)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->alerts)); >- if (ndr_get_array_length(ndr, &r->alerts) > ndr_get_array_size(ndr, &r->alerts)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->alerts), ndr_get_array_length(ndr, &r->alerts)); >+ size_alerts_1 = ndr_get_array_size(ndr, &r->alerts); >+ length_alerts_1 = ndr_get_array_length(ndr, &r->alerts); >+ if (length_alerts_1 > size_alerts_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_alerts_1, length_alerts_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_alerts_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, length_alerts_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_alerts_0, 0); > } > if (r->guestaccount) { >@@ -6738,11 +6964,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo402(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->guestaccount, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->guestaccount)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->guestaccount)); >- if (ndr_get_array_length(ndr, &r->guestaccount) > ndr_get_array_size(ndr, &r->guestaccount)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->guestaccount), ndr_get_array_length(ndr, &r->guestaccount)); >+ size_guestaccount_1 = ndr_get_array_size(ndr, &r->guestaccount); >+ length_guestaccount_1 = ndr_get_array_length(ndr, &r->guestaccount); >+ if (length_guestaccount_1 > size_guestaccount_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_guestaccount_1, length_guestaccount_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_guestaccount_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, length_guestaccount_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guestaccount_0, 0); > } > if (r->srvheuristics) { >@@ -6750,11 +6978,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo402(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->srvheuristics, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->srvheuristics)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->srvheuristics)); >- if (ndr_get_array_length(ndr, &r->srvheuristics) > ndr_get_array_size(ndr, &r->srvheuristics)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->srvheuristics), ndr_get_array_length(ndr, &r->srvheuristics)); >+ size_srvheuristics_1 = ndr_get_array_size(ndr, &r->srvheuristics); >+ length_srvheuristics_1 = ndr_get_array_length(ndr, &r->srvheuristics); >+ if (length_srvheuristics_1 > size_srvheuristics_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_srvheuristics_1, length_srvheuristics_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_srvheuristics_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, length_srvheuristics_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_srvheuristics_0, 0); > } > } >@@ -6883,12 +7113,20 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo403(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo403 *r) > { > uint32_t _ptr_alerts; >+ uint32_t size_alerts_1 = 0; >+ uint32_t length_alerts_1 = 0; > TALLOC_CTX *_mem_save_alerts_0; > uint32_t _ptr_guestaccount; >+ uint32_t size_guestaccount_1 = 0; >+ uint32_t length_guestaccount_1 = 0; > TALLOC_CTX *_mem_save_guestaccount_0; > uint32_t _ptr_srvheuristics; >+ uint32_t size_srvheuristics_1 = 0; >+ uint32_t length_srvheuristics_1 = 0; > TALLOC_CTX *_mem_save_srvheuristics_0; > uint32_t _ptr_autopath; >+ uint32_t size_autopath_1 = 0; >+ uint32_t length_autopath_1 = 0; > TALLOC_CTX *_mem_save_autopath_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6952,11 +7190,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->alerts, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->alerts)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->alerts)); >- if (ndr_get_array_length(ndr, &r->alerts) > ndr_get_array_size(ndr, &r->alerts)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->alerts), ndr_get_array_length(ndr, &r->alerts)); >+ size_alerts_1 = ndr_get_array_size(ndr, &r->alerts); >+ length_alerts_1 = ndr_get_array_length(ndr, &r->alerts); >+ if (length_alerts_1 > size_alerts_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_alerts_1, length_alerts_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_alerts_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, length_alerts_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_alerts_0, 0); > } > if (r->guestaccount) { >@@ -6964,11 +7204,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->guestaccount, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->guestaccount)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->guestaccount)); >- if (ndr_get_array_length(ndr, &r->guestaccount) > ndr_get_array_size(ndr, &r->guestaccount)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->guestaccount), ndr_get_array_length(ndr, &r->guestaccount)); >+ size_guestaccount_1 = ndr_get_array_size(ndr, &r->guestaccount); >+ length_guestaccount_1 = ndr_get_array_length(ndr, &r->guestaccount); >+ if (length_guestaccount_1 > size_guestaccount_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_guestaccount_1, length_guestaccount_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_guestaccount_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, length_guestaccount_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guestaccount_0, 0); > } > if (r->srvheuristics) { >@@ -6976,11 +7218,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->srvheuristics, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->srvheuristics)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->srvheuristics)); >- if (ndr_get_array_length(ndr, &r->srvheuristics) > ndr_get_array_size(ndr, &r->srvheuristics)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->srvheuristics), ndr_get_array_length(ndr, &r->srvheuristics)); >+ size_srvheuristics_1 = ndr_get_array_size(ndr, &r->srvheuristics); >+ length_srvheuristics_1 = ndr_get_array_length(ndr, &r->srvheuristics); >+ if (length_srvheuristics_1 > size_srvheuristics_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_srvheuristics_1, length_srvheuristics_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_srvheuristics_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, length_srvheuristics_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_srvheuristics_0, 0); > } > if (r->autopath) { >@@ -6988,11 +7232,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->autopath, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->autopath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->autopath)); >- if (ndr_get_array_length(ndr, &r->autopath) > ndr_get_array_size(ndr, &r->autopath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->autopath), ndr_get_array_length(ndr, &r->autopath)); >+ size_autopath_1 = ndr_get_array_size(ndr, &r->autopath); >+ length_autopath_1 = ndr_get_array_length(ndr, &r->autopath); >+ if (length_autopath_1 > size_autopath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_autopath_1, length_autopath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->autopath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->autopath, ndr_get_array_length(ndr, &r->autopath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_autopath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->autopath, length_autopath_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_autopath_0, 0); > } > } >@@ -7201,6 +7447,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo503(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo503(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo503 *r) > { > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7258,11 +7506,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo503(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > } >@@ -7397,6 +7647,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo599(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo599(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo599 *r) > { > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7467,11 +7719,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo599(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > } >@@ -7565,6 +7819,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvInfo1005(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo1005(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo1005 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7581,11 +7837,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo1005(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -9722,64 +9980,123 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info100_0; >+ uint32_t _ptr_info100; > TALLOC_CTX *_mem_save_info101_0; >+ uint32_t _ptr_info101; > TALLOC_CTX *_mem_save_info102_0; >+ uint32_t _ptr_info102; > TALLOC_CTX *_mem_save_info402_0; >+ uint32_t _ptr_info402; > TALLOC_CTX *_mem_save_info403_0; >+ uint32_t _ptr_info403; > TALLOC_CTX *_mem_save_info502_0; >+ uint32_t _ptr_info502; > TALLOC_CTX *_mem_save_info503_0; >+ uint32_t _ptr_info503; > TALLOC_CTX *_mem_save_info599_0; >+ uint32_t _ptr_info599; > TALLOC_CTX *_mem_save_info1005_0; >+ uint32_t _ptr_info1005; > TALLOC_CTX *_mem_save_info1010_0; >+ uint32_t _ptr_info1010; > TALLOC_CTX *_mem_save_info1016_0; >+ uint32_t _ptr_info1016; > TALLOC_CTX *_mem_save_info1017_0; >+ uint32_t _ptr_info1017; > TALLOC_CTX *_mem_save_info1018_0; >+ uint32_t _ptr_info1018; > TALLOC_CTX *_mem_save_info1107_0; >+ uint32_t _ptr_info1107; > TALLOC_CTX *_mem_save_info1501_0; >+ uint32_t _ptr_info1501; > TALLOC_CTX *_mem_save_info1502_0; >+ uint32_t _ptr_info1502; > TALLOC_CTX *_mem_save_info1503_0; >+ uint32_t _ptr_info1503; > TALLOC_CTX *_mem_save_info1506_0; >+ uint32_t _ptr_info1506; > TALLOC_CTX *_mem_save_info1509_0; >+ uint32_t _ptr_info1509; > TALLOC_CTX *_mem_save_info1510_0; >+ uint32_t _ptr_info1510; > TALLOC_CTX *_mem_save_info1511_0; >+ uint32_t _ptr_info1511; > TALLOC_CTX *_mem_save_info1512_0; >+ uint32_t _ptr_info1512; > TALLOC_CTX *_mem_save_info1513_0; >+ uint32_t _ptr_info1513; > TALLOC_CTX *_mem_save_info1514_0; >+ uint32_t _ptr_info1514; > TALLOC_CTX *_mem_save_info1515_0; >+ uint32_t _ptr_info1515; > TALLOC_CTX *_mem_save_info1516_0; >+ uint32_t _ptr_info1516; > TALLOC_CTX *_mem_save_info1518_0; >+ uint32_t _ptr_info1518; > TALLOC_CTX *_mem_save_info1520_0; >+ uint32_t _ptr_info1520; > TALLOC_CTX *_mem_save_info1521_0; >+ uint32_t _ptr_info1521; > TALLOC_CTX *_mem_save_info1522_0; >+ uint32_t _ptr_info1522; > TALLOC_CTX *_mem_save_info1523_0; >+ uint32_t _ptr_info1523; > TALLOC_CTX *_mem_save_info1524_0; >+ uint32_t _ptr_info1524; > TALLOC_CTX *_mem_save_info1525_0; >+ uint32_t _ptr_info1525; > TALLOC_CTX *_mem_save_info1528_0; >+ uint32_t _ptr_info1528; > TALLOC_CTX *_mem_save_info1529_0; >+ uint32_t _ptr_info1529; > TALLOC_CTX *_mem_save_info1530_0; >+ uint32_t _ptr_info1530; > TALLOC_CTX *_mem_save_info1533_0; >+ uint32_t _ptr_info1533; > TALLOC_CTX *_mem_save_info1534_0; >+ uint32_t _ptr_info1534; > TALLOC_CTX *_mem_save_info1535_0; >+ uint32_t _ptr_info1535; > TALLOC_CTX *_mem_save_info1536_0; >+ uint32_t _ptr_info1536; > TALLOC_CTX *_mem_save_info1537_0; >+ uint32_t _ptr_info1537; > TALLOC_CTX *_mem_save_info1538_0; >+ uint32_t _ptr_info1538; > TALLOC_CTX *_mem_save_info1539_0; >+ uint32_t _ptr_info1539; > TALLOC_CTX *_mem_save_info1540_0; >+ uint32_t _ptr_info1540; > TALLOC_CTX *_mem_save_info1541_0; >+ uint32_t _ptr_info1541; > TALLOC_CTX *_mem_save_info1542_0; >+ uint32_t _ptr_info1542; > TALLOC_CTX *_mem_save_info1543_0; >+ uint32_t _ptr_info1543; > TALLOC_CTX *_mem_save_info1544_0; >+ uint32_t _ptr_info1544; > TALLOC_CTX *_mem_save_info1545_0; >+ uint32_t _ptr_info1545; > TALLOC_CTX *_mem_save_info1546_0; >+ uint32_t _ptr_info1546; > TALLOC_CTX *_mem_save_info1547_0; >+ uint32_t _ptr_info1547; > TALLOC_CTX *_mem_save_info1548_0; >+ uint32_t _ptr_info1548; > TALLOC_CTX *_mem_save_info1549_0; >+ uint32_t _ptr_info1549; > TALLOC_CTX *_mem_save_info1550_0; >+ uint32_t _ptr_info1550; > TALLOC_CTX *_mem_save_info1552_0; >+ uint32_t _ptr_info1552; > TALLOC_CTX *_mem_save_info1553_0; >+ uint32_t _ptr_info1553; > TALLOC_CTX *_mem_save_info1554_0; >+ uint32_t _ptr_info1554; > TALLOC_CTX *_mem_save_info1555_0; >+ uint32_t _ptr_info1555; > TALLOC_CTX *_mem_save_info1556_0; >+ uint32_t _ptr_info1556; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -9788,7 +10105,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > } > switch (level) { > case 100: { >- uint32_t _ptr_info100; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); > if (_ptr_info100) { > NDR_PULL_ALLOC(ndr, r->info100); >@@ -9798,7 +10114,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 101: { >- uint32_t _ptr_info101; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); > if (_ptr_info101) { > NDR_PULL_ALLOC(ndr, r->info101); >@@ -9808,7 +10123,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 102: { >- uint32_t _ptr_info102; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info102)); > if (_ptr_info102) { > NDR_PULL_ALLOC(ndr, r->info102); >@@ -9818,7 +10132,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 402: { >- uint32_t _ptr_info402; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info402)); > if (_ptr_info402) { > NDR_PULL_ALLOC(ndr, r->info402); >@@ -9828,7 +10141,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 403: { >- uint32_t _ptr_info403; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info403)); > if (_ptr_info403) { > NDR_PULL_ALLOC(ndr, r->info403); >@@ -9838,7 +10150,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 502: { >- uint32_t _ptr_info502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info502)); > if (_ptr_info502) { > NDR_PULL_ALLOC(ndr, r->info502); >@@ -9848,7 +10159,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 503: { >- uint32_t _ptr_info503; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info503)); > if (_ptr_info503) { > NDR_PULL_ALLOC(ndr, r->info503); >@@ -9858,7 +10168,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 599: { >- uint32_t _ptr_info599; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info599)); > if (_ptr_info599) { > NDR_PULL_ALLOC(ndr, r->info599); >@@ -9868,7 +10177,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1005: { >- uint32_t _ptr_info1005; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1005)); > if (_ptr_info1005) { > NDR_PULL_ALLOC(ndr, r->info1005); >@@ -9878,7 +10186,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1010: { >- uint32_t _ptr_info1010; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1010)); > if (_ptr_info1010) { > NDR_PULL_ALLOC(ndr, r->info1010); >@@ -9888,7 +10195,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1016: { >- uint32_t _ptr_info1016; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1016)); > if (_ptr_info1016) { > NDR_PULL_ALLOC(ndr, r->info1016); >@@ -9898,7 +10204,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1017: { >- uint32_t _ptr_info1017; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1017)); > if (_ptr_info1017) { > NDR_PULL_ALLOC(ndr, r->info1017); >@@ -9908,7 +10213,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1018: { >- uint32_t _ptr_info1018; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1018)); > if (_ptr_info1018) { > NDR_PULL_ALLOC(ndr, r->info1018); >@@ -9918,7 +10222,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1107: { >- uint32_t _ptr_info1107; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1107)); > if (_ptr_info1107) { > NDR_PULL_ALLOC(ndr, r->info1107); >@@ -9928,7 +10231,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1501: { >- uint32_t _ptr_info1501; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1501)); > if (_ptr_info1501) { > NDR_PULL_ALLOC(ndr, r->info1501); >@@ -9938,7 +10240,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1502: { >- uint32_t _ptr_info1502; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1502)); > if (_ptr_info1502) { > NDR_PULL_ALLOC(ndr, r->info1502); >@@ -9948,7 +10249,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1503: { >- uint32_t _ptr_info1503; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1503)); > if (_ptr_info1503) { > NDR_PULL_ALLOC(ndr, r->info1503); >@@ -9958,7 +10258,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1506: { >- uint32_t _ptr_info1506; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1506)); > if (_ptr_info1506) { > NDR_PULL_ALLOC(ndr, r->info1506); >@@ -9968,7 +10267,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1509: { >- uint32_t _ptr_info1509; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1509)); > if (_ptr_info1509) { > NDR_PULL_ALLOC(ndr, r->info1509); >@@ -9978,7 +10276,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1510: { >- uint32_t _ptr_info1510; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1510)); > if (_ptr_info1510) { > NDR_PULL_ALLOC(ndr, r->info1510); >@@ -9988,7 +10285,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1511: { >- uint32_t _ptr_info1511; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1511)); > if (_ptr_info1511) { > NDR_PULL_ALLOC(ndr, r->info1511); >@@ -9998,7 +10294,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1512: { >- uint32_t _ptr_info1512; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1512)); > if (_ptr_info1512) { > NDR_PULL_ALLOC(ndr, r->info1512); >@@ -10008,7 +10303,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1513: { >- uint32_t _ptr_info1513; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1513)); > if (_ptr_info1513) { > NDR_PULL_ALLOC(ndr, r->info1513); >@@ -10018,7 +10312,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1514: { >- uint32_t _ptr_info1514; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1514)); > if (_ptr_info1514) { > NDR_PULL_ALLOC(ndr, r->info1514); >@@ -10028,7 +10321,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1515: { >- uint32_t _ptr_info1515; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1515)); > if (_ptr_info1515) { > NDR_PULL_ALLOC(ndr, r->info1515); >@@ -10038,7 +10330,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1516: { >- uint32_t _ptr_info1516; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1516)); > if (_ptr_info1516) { > NDR_PULL_ALLOC(ndr, r->info1516); >@@ -10048,7 +10339,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1518: { >- uint32_t _ptr_info1518; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1518)); > if (_ptr_info1518) { > NDR_PULL_ALLOC(ndr, r->info1518); >@@ -10058,7 +10348,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1520: { >- uint32_t _ptr_info1520; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1520)); > if (_ptr_info1520) { > NDR_PULL_ALLOC(ndr, r->info1520); >@@ -10068,7 +10357,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1521: { >- uint32_t _ptr_info1521; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1521)); > if (_ptr_info1521) { > NDR_PULL_ALLOC(ndr, r->info1521); >@@ -10078,7 +10366,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1522: { >- uint32_t _ptr_info1522; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1522)); > if (_ptr_info1522) { > NDR_PULL_ALLOC(ndr, r->info1522); >@@ -10088,7 +10375,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1523: { >- uint32_t _ptr_info1523; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1523)); > if (_ptr_info1523) { > NDR_PULL_ALLOC(ndr, r->info1523); >@@ -10098,7 +10384,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1524: { >- uint32_t _ptr_info1524; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1524)); > if (_ptr_info1524) { > NDR_PULL_ALLOC(ndr, r->info1524); >@@ -10108,7 +10393,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1525: { >- uint32_t _ptr_info1525; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1525)); > if (_ptr_info1525) { > NDR_PULL_ALLOC(ndr, r->info1525); >@@ -10118,7 +10402,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1528: { >- uint32_t _ptr_info1528; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1528)); > if (_ptr_info1528) { > NDR_PULL_ALLOC(ndr, r->info1528); >@@ -10128,7 +10411,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1529: { >- uint32_t _ptr_info1529; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1529)); > if (_ptr_info1529) { > NDR_PULL_ALLOC(ndr, r->info1529); >@@ -10138,7 +10420,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1530: { >- uint32_t _ptr_info1530; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1530)); > if (_ptr_info1530) { > NDR_PULL_ALLOC(ndr, r->info1530); >@@ -10148,7 +10429,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1533: { >- uint32_t _ptr_info1533; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1533)); > if (_ptr_info1533) { > NDR_PULL_ALLOC(ndr, r->info1533); >@@ -10158,7 +10438,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1534: { >- uint32_t _ptr_info1534; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1534)); > if (_ptr_info1534) { > NDR_PULL_ALLOC(ndr, r->info1534); >@@ -10168,7 +10447,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1535: { >- uint32_t _ptr_info1535; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1535)); > if (_ptr_info1535) { > NDR_PULL_ALLOC(ndr, r->info1535); >@@ -10178,7 +10456,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1536: { >- uint32_t _ptr_info1536; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1536)); > if (_ptr_info1536) { > NDR_PULL_ALLOC(ndr, r->info1536); >@@ -10188,7 +10465,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1537: { >- uint32_t _ptr_info1537; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1537)); > if (_ptr_info1537) { > NDR_PULL_ALLOC(ndr, r->info1537); >@@ -10198,7 +10474,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1538: { >- uint32_t _ptr_info1538; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1538)); > if (_ptr_info1538) { > NDR_PULL_ALLOC(ndr, r->info1538); >@@ -10208,7 +10483,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1539: { >- uint32_t _ptr_info1539; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1539)); > if (_ptr_info1539) { > NDR_PULL_ALLOC(ndr, r->info1539); >@@ -10218,7 +10492,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1540: { >- uint32_t _ptr_info1540; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1540)); > if (_ptr_info1540) { > NDR_PULL_ALLOC(ndr, r->info1540); >@@ -10228,7 +10501,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1541: { >- uint32_t _ptr_info1541; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1541)); > if (_ptr_info1541) { > NDR_PULL_ALLOC(ndr, r->info1541); >@@ -10238,7 +10510,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1542: { >- uint32_t _ptr_info1542; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1542)); > if (_ptr_info1542) { > NDR_PULL_ALLOC(ndr, r->info1542); >@@ -10248,7 +10519,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1543: { >- uint32_t _ptr_info1543; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1543)); > if (_ptr_info1543) { > NDR_PULL_ALLOC(ndr, r->info1543); >@@ -10258,7 +10528,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1544: { >- uint32_t _ptr_info1544; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1544)); > if (_ptr_info1544) { > NDR_PULL_ALLOC(ndr, r->info1544); >@@ -10268,7 +10537,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1545: { >- uint32_t _ptr_info1545; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1545)); > if (_ptr_info1545) { > NDR_PULL_ALLOC(ndr, r->info1545); >@@ -10278,7 +10546,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1546: { >- uint32_t _ptr_info1546; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1546)); > if (_ptr_info1546) { > NDR_PULL_ALLOC(ndr, r->info1546); >@@ -10288,7 +10555,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1547: { >- uint32_t _ptr_info1547; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1547)); > if (_ptr_info1547) { > NDR_PULL_ALLOC(ndr, r->info1547); >@@ -10298,7 +10564,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1548: { >- uint32_t _ptr_info1548; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1548)); > if (_ptr_info1548) { > NDR_PULL_ALLOC(ndr, r->info1548); >@@ -10308,7 +10573,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1549: { >- uint32_t _ptr_info1549; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1549)); > if (_ptr_info1549) { > NDR_PULL_ALLOC(ndr, r->info1549); >@@ -10318,7 +10582,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1550: { >- uint32_t _ptr_info1550; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1550)); > if (_ptr_info1550) { > NDR_PULL_ALLOC(ndr, r->info1550); >@@ -10328,7 +10591,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1552: { >- uint32_t _ptr_info1552; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1552)); > if (_ptr_info1552) { > NDR_PULL_ALLOC(ndr, r->info1552); >@@ -10338,7 +10600,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1553: { >- uint32_t _ptr_info1553; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1553)); > if (_ptr_info1553) { > NDR_PULL_ALLOC(ndr, r->info1553); >@@ -10348,7 +10609,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1554: { >- uint32_t _ptr_info1554; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1554)); > if (_ptr_info1554) { > NDR_PULL_ALLOC(ndr, r->info1554); >@@ -10358,7 +10618,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1555: { >- uint32_t _ptr_info1555; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1555)); > if (_ptr_info1555) { > NDR_PULL_ALLOC(ndr, r->info1555); >@@ -10368,7 +10627,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo(struct ndr_pull *ndr, int nd > break; } > > case 1556: { >- uint32_t _ptr_info1556; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1556)); > if (_ptr_info1556) { > NDR_PULL_ALLOC(ndr, r->info1556); >@@ -11530,6 +11788,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetDiskInfo(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_srvsvc_NetDiskInfo(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetDiskInfo *r) > { > uint32_t _ptr_disks; >+ uint32_t size_disks_1 = 0; >+ uint32_t length_disks_1 = 0; > uint32_t cntr_disks_1; > TALLOC_CTX *_mem_save_disks_0; > TALLOC_CTX *_mem_save_disks_1; >@@ -11549,13 +11809,15 @@ static enum ndr_err_code ndr_pull_srvsvc_NetDiskInfo(struct ndr_pull *ndr, int n > NDR_PULL_SET_MEM_CTX(ndr, r->disks, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->disks)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->disks)); >- if (ndr_get_array_length(ndr, &r->disks) > ndr_get_array_size(ndr, &r->disks)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->disks), ndr_get_array_length(ndr, &r->disks)); >+ size_disks_1 = ndr_get_array_size(ndr, &r->disks); >+ length_disks_1 = ndr_get_array_length(ndr, &r->disks); >+ if (length_disks_1 > size_disks_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_disks_1, length_disks_1); > } >- NDR_PULL_ALLOC_N(ndr, r->disks, ndr_get_array_size(ndr, &r->disks)); >+ NDR_PULL_ALLOC_N(ndr, r->disks, size_disks_1); > _mem_save_disks_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->disks, 0); >- for (cntr_disks_1 = 0; cntr_disks_1 < r->count; cntr_disks_1++) { >+ for (cntr_disks_1 = 0; cntr_disks_1 < length_disks_1; cntr_disks_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetDiskInfo0(ndr, NDR_SCALARS, &r->disks[cntr_disks_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_disks_1, 0); >@@ -11707,10 +11969,15 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportInfo0(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo0 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_addr; >+ uint32_t size_addr_1 = 0; > TALLOC_CTX *_mem_save_addr_0; > uint32_t _ptr_net_addr; >+ uint32_t size_net_addr_1 = 0; >+ uint32_t length_net_addr_1 = 0; > TALLOC_CTX *_mem_save_net_addr_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -11741,19 +12008,22 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->addr) { > _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); >- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); >+ size_addr_1 = ndr_get_array_size(ndr, &r->addr); >+ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); > } > if (r->net_addr) { >@@ -11761,11 +12031,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); >- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); >+ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); >+ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); >+ if (length_net_addr_1 > size_net_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); > } > if (r->addr) { >@@ -11827,6 +12099,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportCtr0(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr0 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -11845,13 +12118,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr0(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -11929,12 +12203,19 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportInfo1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo1 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_addr; >+ uint32_t size_addr_1 = 0; > TALLOC_CTX *_mem_save_addr_0; > uint32_t _ptr_net_addr; >+ uint32_t size_net_addr_1 = 0; >+ uint32_t length_net_addr_1 = 0; > TALLOC_CTX *_mem_save_net_addr_0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -11971,19 +12252,22 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->addr) { > _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); >- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); >+ size_addr_1 = ndr_get_array_size(ndr, &r->addr); >+ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); > } > if (r->net_addr) { >@@ -11991,11 +12275,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); >- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); >+ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); >+ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); >+ if (length_net_addr_1 > size_net_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); > } > if (r->domain) { >@@ -12003,11 +12289,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->addr) { >@@ -12075,6 +12363,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportCtr1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -12093,13 +12382,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr1(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -12178,12 +12468,19 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportInfo2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo2 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_addr; >+ uint32_t size_addr_1 = 0; > TALLOC_CTX *_mem_save_addr_0; > uint32_t _ptr_net_addr; >+ uint32_t size_net_addr_1 = 0; >+ uint32_t length_net_addr_1 = 0; > TALLOC_CTX *_mem_save_net_addr_0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -12221,19 +12518,22 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->addr) { > _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); >- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); >+ size_addr_1 = ndr_get_array_size(ndr, &r->addr); >+ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); > } > if (r->net_addr) { >@@ -12241,11 +12541,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); >- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); >+ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); >+ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); >+ if (length_net_addr_1 > size_net_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); > } > if (r->domain) { >@@ -12253,11 +12555,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->addr) { >@@ -12326,6 +12630,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportCtr2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -12344,13 +12649,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr2(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -12431,13 +12737,21 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportInfo3(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo3 *r) > { > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_addr; >+ uint32_t size_addr_1 = 0; > TALLOC_CTX *_mem_save_addr_0; > uint32_t _ptr_net_addr; >+ uint32_t size_net_addr_1 = 0; >+ uint32_t length_net_addr_1 = 0; > TALLOC_CTX *_mem_save_net_addr_0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; >+ uint32_t size_unknown3_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->vcs)); >@@ -12468,7 +12782,8 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown2)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unknown3, 256)); >+ size_unknown3_0 = 256; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unknown3, size_unknown3_0)); > } > if (ndr_flags & NDR_BUFFERS) { > if (r->name) { >@@ -12476,19 +12791,22 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->addr) { > _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); >- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); >+ size_addr_1 = ndr_get_array_size(ndr, &r->addr); >+ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); > } > if (r->net_addr) { >@@ -12496,11 +12814,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); >- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); >+ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); >+ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); >+ if (length_net_addr_1 > size_net_addr_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); > } > if (r->domain) { >@@ -12508,11 +12828,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->addr) { >@@ -12583,6 +12905,7 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportCtr3(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr3 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -12601,13 +12924,14 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr3(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo3(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo3(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -12711,9 +13035,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_ctr0_0; >+ uint32_t _ptr_ctr0; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > TALLOC_CTX *_mem_save_ctr2_0; >+ uint32_t _ptr_ctr2; > TALLOC_CTX *_mem_save_ctr3_0; >+ uint32_t _ptr_ctr3; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -12722,7 +13050,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > } > switch (level) { > case 0: { >- uint32_t _ptr_ctr0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); > if (_ptr_ctr0) { > NDR_PULL_ALLOC(ndr, r->ctr0); >@@ -12732,7 +13059,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > break; } > > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -12742,7 +13068,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > break; } > > case 2: { >- uint32_t _ptr_ctr2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); > if (_ptr_ctr2) { > NDR_PULL_ALLOC(ndr, r->ctr2); >@@ -12752,7 +13077,6 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr(struct ndr_pull *ndr, i > break; } > > case 3: { >- uint32_t _ptr_ctr3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr3)); > if (_ptr_ctr3) { > NDR_PULL_ALLOC(ndr, r->ctr3); >@@ -13109,6 +13433,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevEnum(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_level_0; >@@ -13129,11 +13455,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevEnum(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -13303,6 +13631,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevGetInfo(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_device_name_0 = 0; >+ uint32_t length_device_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -13319,20 +13651,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevGetInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.device_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.device_name)); >- if (ndr_get_array_length(ndr, &r->in.device_name) > ndr_get_array_size(ndr, &r->in.device_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.device_name), ndr_get_array_length(ndr, &r->in.device_name)); >+ size_device_name_0 = ndr_get_array_size(ndr, &r->in.device_name); >+ length_device_name_0 = ndr_get_array_length(ndr, &r->in.device_name); >+ if (length_device_name_0 > size_device_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_name_0, length_device_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, length_device_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); >@@ -13410,6 +13746,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevControl(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevControl(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevControl *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_device_name_0 = 0; >+ uint32_t length_device_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -13423,20 +13763,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevControl(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.device_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.device_name)); >- if (ndr_get_array_length(ndr, &r->in.device_name) > ndr_get_array_size(ndr, &r->in.device_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.device_name), ndr_get_array_length(ndr, &r->in.device_name)); >+ size_device_name_0 = ndr_get_array_size(ndr, &r->in.device_name); >+ length_device_name_0 = ndr_get_array_length(ndr, &r->in.device_name); >+ if (length_device_name_0 > size_device_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_name_0, length_device_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, length_device_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.opcode)); > } > if (flags & NDR_OUT) { >@@ -13532,7 +13876,11 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQEnum(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_user_0; >@@ -13554,11 +13902,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQEnum(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); >@@ -13572,11 +13922,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQEnum(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_1 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -13756,6 +14108,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQGetInfo(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_queue_name_0 = 0; >+ uint32_t length_queue_name_0 = 0; >+ uint32_t size_user_0 = 0; >+ uint32_t length_user_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -13772,27 +14130,33 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQGetInfo(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); >- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); >+ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); >+ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); >+ if (length_queue_name_0 > size_queue_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_0 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_0 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_0 > size_user_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_0, length_user_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); >@@ -13881,6 +14245,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQSetInfo(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQSetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQSetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_queue_name_0 = 0; >+ uint32_t length_queue_name_0 = 0; > uint32_t _ptr_parm_error; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_parm_error_0; >@@ -13898,20 +14266,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQSetInfo(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); >- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); >+ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); >+ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); >+ if (length_queue_name_0 > size_queue_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->in.info, r->in.level)); > NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.info)); >@@ -14013,6 +14385,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQPurge(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurge(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQPurge *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_queue_name_0 = 0; >+ uint32_t length_queue_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -14026,20 +14402,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurge(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); >- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); >+ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); >+ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); >+ if (length_queue_name_0 > size_queue_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -14103,6 +14483,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetCharDevQPurgeSelf(struct ndr_push *n > static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurgeSelf(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQPurgeSelf *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_queue_name_0 = 0; >+ uint32_t length_queue_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -14116,27 +14502,33 @@ static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurgeSelf(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); >- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); >+ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); >+ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); >+ if (length_queue_name_0 > size_queue_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -14221,7 +14613,11 @@ static enum ndr_err_code ndr_push_srvsvc_NetConnEnum(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetConnEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetConnEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_path_0; >@@ -14242,11 +14638,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_path)); >@@ -14260,11 +14658,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetConnEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_1 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -14437,8 +14837,14 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileEnum(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetFileEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetFileEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_path_0; >@@ -14460,11 +14866,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_path)); >@@ -14478,11 +14886,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_1 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); >@@ -14496,11 +14906,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_1 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -14651,6 +15063,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileGetInfo(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetFileGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetFileGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -14667,11 +15081,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileGetInfo(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.fid)); >@@ -14748,6 +15164,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetFileClose(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetFileClose(struct ndr_pull *ndr, int flags, struct srvsvc_NetFileClose *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -14761,11 +15179,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetFileClose(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.fid)); >@@ -14859,8 +15279,14 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessEnum(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetSessEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetSessEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_client_0; >@@ -14882,11 +15308,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client)); >@@ -14900,11 +15328,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client)); >- if (ndr_get_array_length(ndr, &r->in.client) > ndr_get_array_size(ndr, &r->in.client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client), ndr_get_array_length(ndr, &r->in.client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->in.client); >+ length_client_1 = ndr_get_array_length(ndr, &r->in.client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); >@@ -14918,11 +15348,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_1 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -15080,8 +15512,14 @@ static enum ndr_err_code ndr_push_srvsvc_NetSessDel(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_srvsvc_NetSessDel(struct ndr_pull *ndr, int flags, struct srvsvc_NetSessDel *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_client; >+ uint32_t size_client_1 = 0; >+ uint32_t length_client_1 = 0; > uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_client_0; > TALLOC_CTX *_mem_save_user_0; >@@ -15097,11 +15535,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessDel(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client)); >@@ -15115,11 +15555,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessDel(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.client, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client)); >- if (ndr_get_array_length(ndr, &r->in.client) > ndr_get_array_size(ndr, &r->in.client)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client), ndr_get_array_length(ndr, &r->in.client)); >+ size_client_1 = ndr_get_array_size(ndr, &r->in.client); >+ length_client_1 = ndr_get_array_length(ndr, &r->in.client); >+ if (length_client_1 > size_client_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, length_client_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); >@@ -15133,11 +15575,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSessDel(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); >- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->in.user); >+ length_user_1 = ndr_get_array_length(ndr, &r->in.user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > } >@@ -15220,6 +15664,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareAdd(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetShareAdd(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareAdd *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_parm_error; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -15238,11 +15684,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareAdd(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -15371,6 +15819,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareEnumAll(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareEnumAll(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareEnumAll *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_ctr_0; >@@ -15390,11 +15840,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareEnumAll(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -15536,6 +15988,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareGetInfo(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_name_0 = 0; >+ uint32_t length_share_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -15552,20 +16008,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareGetInfo(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); >- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); >+ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); >+ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); >+ if (length_share_name_0 > size_share_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); >@@ -15656,6 +16116,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareSetInfo(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetShareSetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareSetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_name_0 = 0; >+ uint32_t length_share_name_0 = 0; > uint32_t _ptr_parm_error; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -15674,20 +16138,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareSetInfo(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); >- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); >+ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); >+ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); >+ if (length_share_name_0 > size_share_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.info); >@@ -15799,6 +16267,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareDel(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetShareDel(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareDel *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_name_0 = 0; >+ uint32_t length_share_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -15812,20 +16284,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareDel(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); >- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); >+ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); >+ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); >+ if (length_share_name_0 > size_share_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.reserved)); > } > if (flags & NDR_OUT) { >@@ -15888,6 +16364,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareDelSticky(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetShareDelSticky(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareDelSticky *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_name_0 = 0; >+ uint32_t length_share_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -15901,20 +16381,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareDelSticky(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); >- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); >+ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); >+ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); >+ if (length_share_name_0 > size_share_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.reserved)); > } > if (flags & NDR_OUT) { >@@ -15980,6 +16464,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareCheck(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareCheck(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareCheck *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_device_name_0 = 0; >+ uint32_t length_device_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_type_0; > if (flags & NDR_IN) { >@@ -15996,20 +16484,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareCheck(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.device_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.device_name)); >- if (ndr_get_array_length(ndr, &r->in.device_name) > ndr_get_array_size(ndr, &r->in.device_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.device_name), ndr_get_array_length(ndr, &r->in.device_name)); >+ size_device_name_0 = ndr_get_array_size(ndr, &r->in.device_name); >+ length_device_name_0 = ndr_get_array_length(ndr, &r->in.device_name); >+ if (length_device_name_0 > size_device_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_name_0, length_device_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, length_device_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.type); > ZERO_STRUCTP(r->out.type); > } >@@ -16084,6 +16576,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvGetInfo(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetSrvGetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -16100,11 +16594,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvGetInfo(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -16192,6 +16688,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetSrvSetInfo(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetSrvSetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetSrvSetInfo *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_parm_error; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -16210,11 +16708,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSrvSetInfo(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -16344,6 +16844,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetDiskEnum(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetDiskEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetDiskEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -16363,11 +16865,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetDiskEnum(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -16514,7 +17018,11 @@ static enum ndr_err_code ndr_push_srvsvc_NetServerStatisticsGet(struct ndr_push > static enum ndr_err_code ndr_pull_srvsvc_NetServerStatisticsGet(struct ndr_pull *ndr, int flags, struct srvsvc_NetServerStatisticsGet *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_service; >+ uint32_t size_service_1 = 0; >+ uint32_t length_service_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_service_0; > TALLOC_CTX *_mem_save_stats_0; >@@ -16532,11 +17040,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerStatisticsGet(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service)); >@@ -16550,11 +17060,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerStatisticsGet(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.service, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service)); >- if (ndr_get_array_length(ndr, &r->in.service) > ndr_get_array_size(ndr, &r->in.service)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service), ndr_get_array_length(ndr, &r->in.service)); >+ size_service_1 = ndr_get_array_size(ndr, &r->in.service); >+ length_service_1 = ndr_get_array_length(ndr, &r->in.service); >+ if (length_service_1 > size_service_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_1, length_service_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service, ndr_get_array_length(ndr, &r->in.service), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service, length_service_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -16637,6 +17149,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportAdd(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetTransportAdd(struct ndr_pull *ndr, int flags, struct srvsvc_NetTransportAdd *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -16650,11 +17164,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportAdd(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -16748,6 +17264,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportEnum(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetTransportEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetTransportEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_level_0; >@@ -16768,11 +17286,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportEnum(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -16934,6 +17454,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetTransportDel(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetTransportDel(struct ndr_pull *ndr, int flags, struct srvsvc_NetTransportDel *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -16947,11 +17469,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetTransportDel(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown)); >@@ -17019,6 +17543,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetRemoteTOD(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetRemoteTOD(struct ndr_pull *ndr, int flags, struct srvsvc_NetRemoteTOD *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_0; >@@ -17037,11 +17563,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetRemoteTOD(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.info); >@@ -17136,7 +17664,11 @@ static enum ndr_err_code ndr_push_srvsvc_NetSetServiceBits(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetSetServiceBits(struct ndr_pull *ndr, int flags, struct srvsvc_NetSetServiceBits *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_transport; >+ uint32_t size_transport_1 = 0; >+ uint32_t length_transport_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_transport_0; > if (flags & NDR_IN) { >@@ -17151,11 +17683,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSetServiceBits(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_transport)); >@@ -17169,11 +17703,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSetServiceBits(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.transport, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.transport)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.transport)); >- if (ndr_get_array_length(ndr, &r->in.transport) > ndr_get_array_size(ndr, &r->in.transport)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.transport), ndr_get_array_length(ndr, &r->in.transport)); >+ size_transport_1 = ndr_get_array_size(ndr, &r->in.transport); >+ length_transport_1 = ndr_get_array_length(ndr, &r->in.transport); >+ if (length_transport_1 > size_transport_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_1, length_transport_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, length_transport_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.servicebits)); >@@ -17249,6 +17785,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetPathType(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_srvsvc_NetPathType(struct ndr_pull *ndr, int flags, struct srvsvc_NetPathType *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_path_0 = 0; >+ uint32_t length_path_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_pathtype_0; > if (flags & NDR_IN) { >@@ -17265,20 +17805,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPathType(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_0 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_0 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_0 > size_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_0, length_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.pathflags)); > NDR_PULL_ALLOC(ndr, r->out.pathtype); > ZERO_STRUCTP(r->out.pathtype); >@@ -17369,6 +17913,13 @@ static enum ndr_err_code ndr_push_srvsvc_NetPathCanonicalize(struct ndr_push *nd > static enum ndr_err_code ndr_pull_srvsvc_NetPathCanonicalize(struct ndr_pull *ndr, int flags, struct srvsvc_NetPathCanonicalize *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_path_0 = 0; >+ uint32_t length_path_0 = 0; >+ uint32_t size_can_path_0 = 0; >+ uint32_t size_prefix_0 = 0; >+ uint32_t length_prefix_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_pathtype_0; > if (flags & NDR_IN) { >@@ -17385,28 +17936,34 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPathCanonicalize(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_0 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_0 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_0 > size_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_0, length_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.maxbuf)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.prefix)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.prefix)); >- if (ndr_get_array_length(ndr, &r->in.prefix) > ndr_get_array_size(ndr, &r->in.prefix)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.prefix), ndr_get_array_length(ndr, &r->in.prefix)); >+ size_prefix_0 = ndr_get_array_size(ndr, &r->in.prefix); >+ length_prefix_0 = ndr_get_array_length(ndr, &r->in.prefix); >+ if (length_prefix_0 > size_prefix_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_prefix_0, length_prefix_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.prefix), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.prefix, ndr_get_array_length(ndr, &r->in.prefix), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_prefix_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.prefix, length_prefix_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.pathtype); > } >@@ -17420,8 +17977,9 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPathCanonicalize(struct ndr_pull *nd > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.can_path)); >- NDR_PULL_ALLOC_N(ndr, r->out.can_path, ndr_get_array_size(ndr, &r->out.can_path)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.can_path, ndr_get_array_size(ndr, &r->out.can_path))); >+ size_can_path_0 = ndr_get_array_size(ndr, &r->out.can_path); >+ NDR_PULL_ALLOC_N(ndr, r->out.can_path, size_can_path_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.can_path, size_can_path_0)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.pathtype); > } >@@ -17507,6 +18065,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetPathCompare(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_srvsvc_NetPathCompare(struct ndr_pull *ndr, int flags, struct srvsvc_NetPathCompare *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_path1_0 = 0; >+ uint32_t length_path1_0 = 0; >+ uint32_t size_path2_0 = 0; >+ uint32_t length_path2_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -17520,27 +18084,33 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPathCompare(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path1)); >- if (ndr_get_array_length(ndr, &r->in.path1) > ndr_get_array_size(ndr, &r->in.path1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path1), ndr_get_array_length(ndr, &r->in.path1)); >+ size_path1_0 = ndr_get_array_size(ndr, &r->in.path1); >+ length_path1_0 = ndr_get_array_length(ndr, &r->in.path1); >+ if (length_path1_0 > size_path1_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path1_0, length_path1_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path1, ndr_get_array_length(ndr, &r->in.path1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path1_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path1, length_path1_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path2)); >- if (ndr_get_array_length(ndr, &r->in.path2) > ndr_get_array_size(ndr, &r->in.path2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path2), ndr_get_array_length(ndr, &r->in.path2)); >+ size_path2_0 = ndr_get_array_size(ndr, &r->in.path2); >+ length_path2_0 = ndr_get_array_length(ndr, &r->in.path2); >+ if (length_path2_0 > size_path2_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path2_0, length_path2_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path2, ndr_get_array_length(ndr, &r->in.path2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path2_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path2, length_path2_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.pathtype)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.pathflags)); > } >@@ -17607,6 +18177,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetNameValidate(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_srvsvc_NetNameValidate(struct ndr_pull *ndr, int flags, struct srvsvc_NetNameValidate *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_name_0 = 0; >+ uint32_t length_name_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -17620,20 +18194,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetNameValidate(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name)); >- if (ndr_get_array_length(ndr, &r->in.name) > ndr_get_array_size(ndr, &r->in.name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name), ndr_get_array_length(ndr, &r->in.name)); >+ size_name_0 = ndr_get_array_size(ndr, &r->in.name); >+ length_name_0 = ndr_get_array_length(ndr, &r->in.name); >+ if (length_name_0 > size_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_0, length_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, length_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_type)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } >@@ -17744,6 +18322,12 @@ static enum ndr_err_code ndr_push_srvsvc_NetPRNameCompare(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetPRNameCompare(struct ndr_pull *ndr, int flags, struct srvsvc_NetPRNameCompare *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_name1_0 = 0; >+ uint32_t length_name1_0 = 0; >+ uint32_t size_name2_0 = 0; >+ uint32_t length_name2_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -17757,27 +18341,33 @@ static enum ndr_err_code ndr_pull_srvsvc_NetPRNameCompare(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name1)); >- if (ndr_get_array_length(ndr, &r->in.name1) > ndr_get_array_size(ndr, &r->in.name1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name1), ndr_get_array_length(ndr, &r->in.name1)); >+ size_name1_0 = ndr_get_array_size(ndr, &r->in.name1); >+ length_name1_0 = ndr_get_array_length(ndr, &r->in.name1); >+ if (length_name1_0 > size_name1_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name1_0, length_name1_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name1, ndr_get_array_length(ndr, &r->in.name1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name1_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name1, length_name1_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name2)); >- if (ndr_get_array_length(ndr, &r->in.name2) > ndr_get_array_size(ndr, &r->in.name2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name2), ndr_get_array_length(ndr, &r->in.name2)); >+ size_name2_0 = ndr_get_array_size(ndr, &r->in.name2); >+ length_name2_0 = ndr_get_array_length(ndr, &r->in.name2); >+ if (length_name2_0 > size_name2_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name2_0, length_name2_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name2, ndr_get_array_length(ndr, &r->in.name2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name2_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name2, length_name2_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_type)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } >@@ -17859,6 +18449,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareEnum(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_srvsvc_NetShareEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareEnum *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_info_ctr_0; >@@ -17878,11 +18470,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareEnum(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -18023,6 +18617,10 @@ static enum ndr_err_code ndr_push_srvsvc_NetShareDelStart(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_srvsvc_NetShareDelStart(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareDelStart *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; >+ uint32_t size_share_0 = 0; >+ uint32_t length_share_0 = 0; > uint32_t _ptr_hnd; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_hnd_0; >@@ -18040,20 +18638,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetShareDelStart(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); >- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); >+ size_share_0 = ndr_get_array_size(ndr, &r->in.share); >+ length_share_0 = ndr_get_array_length(ndr, &r->in.share); >+ if (length_share_0 > size_share_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_0, length_share_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.reserved)); > } > if (flags & NDR_OUT) { >@@ -18237,7 +18839,13 @@ static enum ndr_err_code ndr_push_srvsvc_NetGetFileSecurity(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_srvsvc_NetGetFileSecurity(struct ndr_pull *ndr, int flags, struct srvsvc_NetGetFileSecurity *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; >+ uint32_t size_file_0 = 0; >+ uint32_t length_file_0 = 0; > uint32_t _ptr_sd_buf; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_share_0; >@@ -18257,11 +18865,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetGetFileSecurity(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); >@@ -18275,20 +18885,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetGetFileSecurity(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); >- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->in.share); >+ length_share_1 = ndr_get_array_length(ndr, &r->in.share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.file)); >- if (ndr_get_array_length(ndr, &r->in.file) > ndr_get_array_size(ndr, &r->in.file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.file), ndr_get_array_length(ndr, &r->in.file)); >+ size_file_0 = ndr_get_array_size(ndr, &r->in.file); >+ length_file_0 = ndr_get_array_length(ndr, &r->in.file); >+ if (length_file_0 > size_file_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_file_0, length_file_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_file_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, length_file_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_security_secinfo(ndr, NDR_SCALARS, &r->in.securityinformation)); > NDR_PULL_ALLOC(ndr, r->out.sd_buf); > ZERO_STRUCTP(r->out.sd_buf); >@@ -18397,7 +19011,13 @@ static enum ndr_err_code ndr_push_srvsvc_NetSetFileSecurity(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_srvsvc_NetSetFileSecurity(struct ndr_pull *ndr, int flags, struct srvsvc_NetSetFileSecurity *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; >+ uint32_t size_file_0 = 0; >+ uint32_t length_file_0 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_share_0; > TALLOC_CTX *_mem_save_sd_buf_0; >@@ -18413,11 +19033,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSetFileSecurity(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); >@@ -18431,20 +19053,24 @@ static enum ndr_err_code ndr_pull_srvsvc_NetSetFileSecurity(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); >- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->in.share); >+ length_share_1 = ndr_get_array_length(ndr, &r->in.share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.file)); >- if (ndr_get_array_length(ndr, &r->in.file) > ndr_get_array_size(ndr, &r->in.file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.file), ndr_get_array_length(ndr, &r->in.file)); >+ size_file_0 = ndr_get_array_size(ndr, &r->in.file); >+ length_file_0 = ndr_get_array_length(ndr, &r->in.file); >+ if (length_file_0 > size_file_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_file_0, length_file_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_file_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, length_file_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_security_secinfo(ndr, NDR_SCALARS, &r->in.securityinformation)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.sd_buf); >@@ -18522,6 +19148,8 @@ static enum ndr_err_code ndr_push_srvsvc_NetServerTransportAddEx(struct ndr_push > static enum ndr_err_code ndr_pull_srvsvc_NetServerTransportAddEx(struct ndr_pull *ndr, int flags, struct srvsvc_NetServerTransportAddEx *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); >@@ -18535,11 +19163,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerTransportAddEx(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -18619,8 +19249,14 @@ static enum ndr_err_code ndr_push_srvsvc_NetServerSetServiceBitsEx(struct ndr_pu > static enum ndr_err_code ndr_pull_srvsvc_NetServerSetServiceBitsEx(struct ndr_pull *ndr, int flags, struct srvsvc_NetServerSetServiceBitsEx *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_emulated_server_unc; >+ uint32_t size_emulated_server_unc_1 = 0; >+ uint32_t length_emulated_server_unc_1 = 0; > uint32_t _ptr_transport; >+ uint32_t size_transport_1 = 0; >+ uint32_t length_transport_1 = 0; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_emulated_server_unc_0; > TALLOC_CTX *_mem_save_transport_0; >@@ -18636,11 +19272,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerSetServiceBitsEx(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_emulated_server_unc)); >@@ -18654,11 +19292,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerSetServiceBitsEx(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.emulated_server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.emulated_server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.emulated_server_unc)); >- if (ndr_get_array_length(ndr, &r->in.emulated_server_unc) > ndr_get_array_size(ndr, &r->in.emulated_server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.emulated_server_unc), ndr_get_array_length(ndr, &r->in.emulated_server_unc)); >+ size_emulated_server_unc_1 = ndr_get_array_size(ndr, &r->in.emulated_server_unc); >+ length_emulated_server_unc_1 = ndr_get_array_length(ndr, &r->in.emulated_server_unc); >+ if (length_emulated_server_unc_1 > size_emulated_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_emulated_server_unc_1, length_emulated_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.emulated_server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.emulated_server_unc, ndr_get_array_length(ndr, &r->in.emulated_server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_emulated_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.emulated_server_unc, length_emulated_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_emulated_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_transport)); >@@ -18672,11 +19312,13 @@ static enum ndr_err_code ndr_pull_srvsvc_NetServerSetServiceBitsEx(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.transport, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.transport)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.transport)); >- if (ndr_get_array_length(ndr, &r->in.transport) > ndr_get_array_size(ndr, &r->in.transport)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.transport), ndr_get_array_length(ndr, &r->in.transport)); >+ size_transport_1 = ndr_get_array_size(ndr, &r->in.transport); >+ length_transport_1 = ndr_get_array_length(ndr, &r->in.transport); >+ if (length_transport_1 > size_transport_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_1, length_transport_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, length_transport_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.servicebitsofinterest)); >diff --git a/source/librpc/gen_ndr/ndr_svcctl.c b/source/librpc/gen_ndr/ndr_svcctl.c >index 8ceb6b0..a9dc07f 100644 >--- a/source/librpc/gen_ndr/ndr_svcctl.c >+++ b/source/librpc/gen_ndr/ndr_svcctl.c >@@ -25,6 +25,8 @@ static enum ndr_err_code ndr_push_SERVICE_LOCK_STATUS(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_SERVICE_LOCK_STATUS(struct ndr_pull *ndr, int ndr_flags, struct SERVICE_LOCK_STATUS *r) > { > uint32_t _ptr_lock_owner; >+ uint32_t size_lock_owner_1 = 0; >+ uint32_t length_lock_owner_1 = 0; > TALLOC_CTX *_mem_save_lock_owner_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -43,11 +45,13 @@ static enum ndr_err_code ndr_pull_SERVICE_LOCK_STATUS(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->lock_owner, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->lock_owner)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->lock_owner)); >- if (ndr_get_array_length(ndr, &r->lock_owner) > ndr_get_array_size(ndr, &r->lock_owner)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->lock_owner), ndr_get_array_length(ndr, &r->lock_owner)); >+ size_lock_owner_1 = ndr_get_array_size(ndr, &r->lock_owner); >+ length_lock_owner_1 = ndr_get_array_length(ndr, &r->lock_owner); >+ if (length_lock_owner_1 > size_lock_owner_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_lock_owner_1, length_lock_owner_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->lock_owner), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lock_owner, ndr_get_array_length(ndr, &r->lock_owner), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_lock_owner_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lock_owner, length_lock_owner_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_lock_owner_0, 0); > } > } >@@ -612,6 +616,7 @@ static enum ndr_err_code ndr_push_svcctl_QueryServiceObjectSecurity(struct ndr_p > > static enum ndr_err_code ndr_pull_svcctl_QueryServiceObjectSecurity(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceObjectSecurity *r) > { >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_needed_0; > if (flags & NDR_IN) { >@@ -636,10 +641,11 @@ static enum ndr_err_code ndr_pull_svcctl_QueryServiceObjectSecurity(struct ndr_p > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.needed); > } >@@ -716,6 +722,7 @@ static enum ndr_err_code ndr_push_svcctl_SetServiceObjectSecurity(struct ndr_pus > > static enum ndr_err_code ndr_pull_svcctl_SetServiceObjectSecurity(struct ndr_pull *ndr, int flags, struct svcctl_SetServiceObjectSecurity *r) > { >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -727,10 +734,11 @@ static enum ndr_err_code ndr_pull_svcctl_SetServiceObjectSecurity(struct ndr_pul > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.security_flags)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, size_buffer_1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.buffer_size)); > if (r->in.buffer) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.buffer, r->in.buffer_size)); >@@ -1140,11 +1148,23 @@ static enum ndr_err_code ndr_push_svcctl_ChangeServiceConfigW(struct ndr_push *n > static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *ndr, int flags, struct svcctl_ChangeServiceConfigW *r) > { > uint32_t _ptr_binary_path; >+ uint32_t size_binary_path_1 = 0; >+ uint32_t length_binary_path_1 = 0; > uint32_t _ptr_load_order_group; >+ uint32_t size_load_order_group_1 = 0; >+ uint32_t length_load_order_group_1 = 0; > uint32_t _ptr_dependencies; >+ uint32_t size_dependencies_1 = 0; >+ uint32_t length_dependencies_1 = 0; > uint32_t _ptr_service_start_name; >+ uint32_t size_service_start_name_1 = 0; >+ uint32_t length_service_start_name_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > uint32_t _ptr_display_name; >+ uint32_t size_display_name_1 = 0; >+ uint32_t length_display_name_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_binary_path_0; > TALLOC_CTX *_mem_save_load_order_group_0; >@@ -1177,11 +1197,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.binary_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); >- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); >+ size_binary_path_1 = ndr_get_array_size(ndr, &r->in.binary_path); >+ length_binary_path_1 = ndr_get_array_length(ndr, &r->in.binary_path); >+ if (length_binary_path_1 > size_binary_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_1, length_binary_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_path_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_load_order_group)); >@@ -1195,11 +1217,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.load_order_group, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.load_order_group)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.load_order_group)); >- if (ndr_get_array_length(ndr, &r->in.load_order_group) > ndr_get_array_size(ndr, &r->in.load_order_group)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.load_order_group), ndr_get_array_length(ndr, &r->in.load_order_group)); >+ size_load_order_group_1 = ndr_get_array_size(ndr, &r->in.load_order_group); >+ length_load_order_group_1 = ndr_get_array_length(ndr, &r->in.load_order_group); >+ if (length_load_order_group_1 > size_load_order_group_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_load_order_group_1, length_load_order_group_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_load_order_group_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, length_load_order_group_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_load_order_group_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dependencies)); >@@ -1213,11 +1237,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dependencies)); >- if (ndr_get_array_length(ndr, &r->in.dependencies) > ndr_get_array_size(ndr, &r->in.dependencies)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dependencies), ndr_get_array_length(ndr, &r->in.dependencies)); >+ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); >+ length_dependencies_1 = ndr_get_array_length(ndr, &r->in.dependencies); >+ if (length_dependencies_1 > size_dependencies_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service_start_name)); >@@ -1231,11 +1257,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); >- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); >+ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); >+ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); >+ if (length_service_start_name_1 > size_service_start_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -1249,11 +1277,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); >- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ length_password_1 = ndr_get_array_length(ndr, &r->in.password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name)); >@@ -1267,11 +1297,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.display_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.display_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.display_name)); >- if (ndr_get_array_length(ndr, &r->in.display_name) > ndr_get_array_size(ndr, &r->in.display_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.display_name), ndr_get_array_length(ndr, &r->in.display_name)); >+ size_display_name_1 = ndr_get_array_size(ndr, &r->in.display_name); >+ length_display_name_1 = ndr_get_array_length(ndr, &r->in.display_name); >+ if (length_display_name_1 > size_display_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_1, length_display_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, length_display_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.tag_id); >@@ -1431,12 +1463,24 @@ static enum ndr_err_code ndr_push_svcctl_CreateServiceW(struct ndr_push *ndr, in > > static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, int flags, struct svcctl_CreateServiceW *r) > { >+ uint32_t size_ServiceName_0 = 0; >+ uint32_t length_ServiceName_0 = 0; > uint32_t _ptr_DisplayName; >+ uint32_t size_DisplayName_1 = 0; >+ uint32_t length_DisplayName_1 = 0; >+ uint32_t size_binary_path_0 = 0; >+ uint32_t length_binary_path_0 = 0; > uint32_t _ptr_LoadOrderGroupKey; >+ uint32_t size_LoadOrderGroupKey_1 = 0; >+ uint32_t length_LoadOrderGroupKey_1 = 0; > uint32_t _ptr_TagId; > uint32_t _ptr_dependencies; >+ uint32_t size_dependencies_1 = 0; > uint32_t _ptr_service_start_name; >+ uint32_t size_service_start_name_1 = 0; >+ uint32_t length_service_start_name_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; > TALLOC_CTX *_mem_save_scmanager_handle_0; > TALLOC_CTX *_mem_save_DisplayName_0; > TALLOC_CTX *_mem_save_LoadOrderGroupKey_0; >@@ -1457,11 +1501,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_scmanager_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); >- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); >+ size_ServiceName_0 = ndr_get_array_size(ndr, &r->in.ServiceName); >+ length_ServiceName_0 = ndr_get_array_length(ndr, &r->in.ServiceName); >+ if (length_ServiceName_0 > size_ServiceName_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_0, length_ServiceName_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DisplayName)); > if (_ptr_DisplayName) { > NDR_PULL_ALLOC(ndr, r->in.DisplayName); >@@ -1473,11 +1519,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.DisplayName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DisplayName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DisplayName)); >- if (ndr_get_array_length(ndr, &r->in.DisplayName) > ndr_get_array_size(ndr, &r->in.DisplayName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DisplayName), ndr_get_array_length(ndr, &r->in.DisplayName)); >+ size_DisplayName_1 = ndr_get_array_size(ndr, &r->in.DisplayName); >+ length_DisplayName_1 = ndr_get_array_length(ndr, &r->in.DisplayName); >+ if (length_DisplayName_1 > size_DisplayName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DisplayName_1, length_DisplayName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_DisplayName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, length_DisplayName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DisplayName_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.desired_access)); >@@ -1486,11 +1534,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.error_control)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); >- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); >+ size_binary_path_0 = ndr_get_array_size(ndr, &r->in.binary_path); >+ length_binary_path_0 = ndr_get_array_length(ndr, &r->in.binary_path); >+ if (length_binary_path_0 > size_binary_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_0, length_binary_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_LoadOrderGroupKey)); > if (_ptr_LoadOrderGroupKey) { > NDR_PULL_ALLOC(ndr, r->in.LoadOrderGroupKey); >@@ -1502,11 +1552,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.LoadOrderGroupKey, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.LoadOrderGroupKey)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.LoadOrderGroupKey)); >- if (ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey) > ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey), ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey)); >+ size_LoadOrderGroupKey_1 = ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey); >+ length_LoadOrderGroupKey_1 = ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey); >+ if (length_LoadOrderGroupKey_1 > size_LoadOrderGroupKey_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_LoadOrderGroupKey_1, length_LoadOrderGroupKey_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_LoadOrderGroupKey_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, length_LoadOrderGroupKey_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_LoadOrderGroupKey_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_TagId)); >@@ -1531,8 +1583,9 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > _mem_save_dependencies_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); >- NDR_PULL_ALLOC_N(ndr, r->in.dependencies, ndr_get_array_size(ndr, &r->in.dependencies)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.dependencies, ndr_get_array_size(ndr, &r->in.dependencies))); >+ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); >+ NDR_PULL_ALLOC_N(ndr, r->in.dependencies, size_dependencies_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.dependencies, size_dependencies_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.dependencies_size)); >@@ -1547,11 +1600,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); >- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); >+ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); >+ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); >+ if (length_service_start_name_1 > size_service_start_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -1564,8 +1619,9 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, in > _mem_save_password_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); >- NDR_PULL_ALLOC_N(ndr, r->in.password, ndr_get_array_size(ndr, &r->in.password)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.password, ndr_get_array_size(ndr, &r->in.password))); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ NDR_PULL_ALLOC_N(ndr, r->in.password, size_password_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.password, size_password_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.password_size)); >@@ -1844,6 +1900,7 @@ static enum ndr_err_code ndr_push_svcctl_EnumServicesStatusW(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *ndr, int flags, struct svcctl_EnumServicesStatusW *r) > { >+ uint32_t size_service_0 = 0; > uint32_t _ptr_resume_handle; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_bytes_needed_0; >@@ -1881,8 +1938,9 @@ static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *nd > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.service)); >- NDR_PULL_ALLOC_N(ndr, r->out.service, ndr_get_array_size(ndr, &r->out.service)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, ndr_get_array_size(ndr, &r->out.service))); >+ size_service_0 = ndr_get_array_size(ndr, &r->out.service); >+ NDR_PULL_ALLOC_N(ndr, r->out.service, size_service_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, size_service_0)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.bytes_needed); > } >@@ -1998,7 +2056,11 @@ static enum ndr_err_code ndr_push_svcctl_OpenSCManagerW(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerW(struct ndr_pull *ndr, int flags, struct svcctl_OpenSCManagerW *r) > { > uint32_t _ptr_MachineName; >+ uint32_t size_MachineName_1 = 0; >+ uint32_t length_MachineName_1 = 0; > uint32_t _ptr_DatabaseName; >+ uint32_t size_DatabaseName_1 = 0; >+ uint32_t length_DatabaseName_1 = 0; > TALLOC_CTX *_mem_save_MachineName_0; > TALLOC_CTX *_mem_save_DatabaseName_0; > TALLOC_CTX *_mem_save_handle_0; >@@ -2016,11 +2078,13 @@ static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.MachineName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.MachineName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.MachineName)); >- if (ndr_get_array_length(ndr, &r->in.MachineName) > ndr_get_array_size(ndr, &r->in.MachineName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.MachineName), ndr_get_array_length(ndr, &r->in.MachineName)); >+ size_MachineName_1 = ndr_get_array_size(ndr, &r->in.MachineName); >+ length_MachineName_1 = ndr_get_array_length(ndr, &r->in.MachineName); >+ if (length_MachineName_1 > size_MachineName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_MachineName_1, length_MachineName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_MachineName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, length_MachineName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_MachineName_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DatabaseName)); >@@ -2034,11 +2098,13 @@ static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerW(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.DatabaseName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DatabaseName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DatabaseName)); >- if (ndr_get_array_length(ndr, &r->in.DatabaseName) > ndr_get_array_size(ndr, &r->in.DatabaseName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DatabaseName), ndr_get_array_length(ndr, &r->in.DatabaseName)); >+ size_DatabaseName_1 = ndr_get_array_size(ndr, &r->in.DatabaseName); >+ length_DatabaseName_1 = ndr_get_array_length(ndr, &r->in.DatabaseName); >+ if (length_DatabaseName_1 > size_DatabaseName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DatabaseName_1, length_DatabaseName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_DatabaseName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, length_DatabaseName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DatabaseName_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.access_mask)); >@@ -2121,6 +2187,8 @@ static enum ndr_err_code ndr_push_svcctl_OpenServiceW(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_svcctl_OpenServiceW(struct ndr_pull *ndr, int flags, struct svcctl_OpenServiceW *r) > { >+ uint32_t size_ServiceName_0 = 0; >+ uint32_t length_ServiceName_0 = 0; > TALLOC_CTX *_mem_save_scmanager_handle_0; > TALLOC_CTX *_mem_save_handle_0; > if (flags & NDR_IN) { >@@ -2135,11 +2203,13 @@ static enum ndr_err_code ndr_pull_svcctl_OpenServiceW(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_scmanager_handle_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); >- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); >+ size_ServiceName_0 = ndr_get_array_size(ndr, &r->in.ServiceName); >+ length_ServiceName_0 = ndr_get_array_length(ndr, &r->in.ServiceName); >+ if (length_ServiceName_0 > size_ServiceName_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_0, length_ServiceName_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.access_mask)); > NDR_PULL_ALLOC(ndr, r->out.handle); > ZERO_STRUCTP(r->out.handle); >@@ -2210,6 +2280,7 @@ static enum ndr_err_code ndr_push_svcctl_QueryServiceConfigW(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfigW(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceConfigW *r) > { >+ uint32_t size_query_0 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_bytes_needed_0; > if (flags & NDR_IN) { >@@ -2227,8 +2298,9 @@ static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfigW(struct ndr_pull *nd > ZERO_STRUCTP(r->out.bytes_needed); > } > if (flags & NDR_OUT) { >- NDR_PULL_ALLOC_N(ndr, r->out.query, r->in.buf_size); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.query, r->in.buf_size)); >+ size_query_0 = r->in.buf_size; >+ NDR_PULL_ALLOC_N(ndr, r->out.query, size_query_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.query, size_query_0)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.bytes_needed); > } >@@ -2395,6 +2467,8 @@ static enum ndr_err_code ndr_push_svcctl_StartServiceW(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_svcctl_StartServiceW(struct ndr_pull *ndr, int flags, struct svcctl_StartServiceW *r) > { > uint32_t _ptr_Arguments; >+ uint32_t size_Arguments_1 = 0; >+ uint32_t length_Arguments_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_Arguments_0; > if (flags & NDR_IN) { >@@ -2417,11 +2491,13 @@ static enum ndr_err_code ndr_pull_svcctl_StartServiceW(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.Arguments, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Arguments)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Arguments)); >- if (ndr_get_array_length(ndr, &r->in.Arguments) > ndr_get_array_size(ndr, &r->in.Arguments)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Arguments), ndr_get_array_length(ndr, &r->in.Arguments)); >+ size_Arguments_1 = ndr_get_array_size(ndr, &r->in.Arguments); >+ length_Arguments_1 = ndr_get_array_length(ndr, &r->in.Arguments); >+ if (length_Arguments_1 > size_Arguments_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Arguments_1, length_Arguments_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Arguments), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Arguments, ndr_get_array_length(ndr, &r->in.Arguments), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_Arguments_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Arguments, length_Arguments_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Arguments_0, 0); > } > } >@@ -2505,7 +2581,11 @@ static enum ndr_err_code ndr_push_svcctl_GetServiceDisplayNameW(struct ndr_push > static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameW(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceDisplayNameW *r) > { > uint32_t _ptr_service_name; >+ uint32_t size_service_name_1 = 0; >+ uint32_t length_service_name_1 = 0; > uint32_t _ptr_display_name; >+ uint32_t size_display_name_2 = 0; >+ uint32_t length_display_name_2 = 0; > uint32_t _ptr_display_name_length; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_service_name_0; >@@ -2533,11 +2613,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameW(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); >- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); >+ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); >+ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); >+ if (length_service_name_1 > size_service_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); >@@ -2572,11 +2654,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameW(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, *r->out.display_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.display_name)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.display_name)); >- if (ndr_get_array_length(ndr, r->out.display_name) > ndr_get_array_size(ndr, r->out.display_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.display_name), ndr_get_array_length(ndr, r->out.display_name)); >+ size_display_name_2 = ndr_get_array_size(ndr, r->out.display_name); >+ length_display_name_2 = ndr_get_array_length(ndr, r->out.display_name); >+ if (length_display_name_2 > size_display_name_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_2, length_display_name_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, length_display_name_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, LIBNDR_FLAG_REF_ALLOC); >@@ -2691,7 +2775,11 @@ static enum ndr_err_code ndr_push_svcctl_GetServiceKeyNameW(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameW(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceKeyNameW *r) > { > uint32_t _ptr_service_name; >+ uint32_t size_service_name_1 = 0; >+ uint32_t length_service_name_1 = 0; > uint32_t _ptr_key_name; >+ uint32_t size_key_name_2 = 0; >+ uint32_t length_key_name_2 = 0; > uint32_t _ptr_display_name_length; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_service_name_0; >@@ -2719,11 +2807,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameW(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); >- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); >+ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); >+ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); >+ if (length_service_name_1 > size_service_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); >@@ -2758,11 +2848,13 @@ static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameW(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, *r->out.key_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.key_name)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.key_name)); >- if (ndr_get_array_length(ndr, r->out.key_name) > ndr_get_array_size(ndr, r->out.key_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.key_name), ndr_get_array_length(ndr, r->out.key_name)); >+ size_key_name_2 = ndr_get_array_size(ndr, r->out.key_name); >+ length_key_name_2 = ndr_get_array_length(ndr, r->out.key_name); >+ if (length_key_name_2 > size_key_name_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_2, length_key_name_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, length_key_name_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_0, LIBNDR_FLAG_REF_ALLOC); >@@ -2967,11 +3059,23 @@ static enum ndr_err_code ndr_push_svcctl_ChangeServiceConfigA(struct ndr_push *n > static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *ndr, int flags, struct svcctl_ChangeServiceConfigA *r) > { > uint32_t _ptr_binary_path; >+ uint32_t size_binary_path_1 = 0; >+ uint32_t length_binary_path_1 = 0; > uint32_t _ptr_load_order_group; >+ uint32_t size_load_order_group_1 = 0; >+ uint32_t length_load_order_group_1 = 0; > uint32_t _ptr_dependencies; >+ uint32_t size_dependencies_1 = 0; >+ uint32_t length_dependencies_1 = 0; > uint32_t _ptr_service_start_name; >+ uint32_t size_service_start_name_1 = 0; >+ uint32_t length_service_start_name_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > uint32_t _ptr_display_name; >+ uint32_t size_display_name_1 = 0; >+ uint32_t length_display_name_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_binary_path_0; > TALLOC_CTX *_mem_save_load_order_group_0; >@@ -3004,11 +3108,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.binary_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); >- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); >+ size_binary_path_1 = ndr_get_array_size(ndr, &r->in.binary_path); >+ length_binary_path_1 = ndr_get_array_length(ndr, &r->in.binary_path); >+ if (length_binary_path_1 > size_binary_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_1, length_binary_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_path_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_load_order_group)); >@@ -3022,11 +3128,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.load_order_group, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.load_order_group)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.load_order_group)); >- if (ndr_get_array_length(ndr, &r->in.load_order_group) > ndr_get_array_size(ndr, &r->in.load_order_group)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.load_order_group), ndr_get_array_length(ndr, &r->in.load_order_group)); >+ size_load_order_group_1 = ndr_get_array_size(ndr, &r->in.load_order_group); >+ length_load_order_group_1 = ndr_get_array_length(ndr, &r->in.load_order_group); >+ if (length_load_order_group_1 > size_load_order_group_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_load_order_group_1, length_load_order_group_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_load_order_group_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, length_load_order_group_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_load_order_group_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dependencies)); >@@ -3040,11 +3148,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dependencies)); >- if (ndr_get_array_length(ndr, &r->in.dependencies) > ndr_get_array_size(ndr, &r->in.dependencies)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dependencies), ndr_get_array_length(ndr, &r->in.dependencies)); >+ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); >+ length_dependencies_1 = ndr_get_array_length(ndr, &r->in.dependencies); >+ if (length_dependencies_1 > size_dependencies_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service_start_name)); >@@ -3058,11 +3168,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); >- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); >+ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); >+ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); >+ if (length_service_start_name_1 > size_service_start_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); >@@ -3076,11 +3188,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); >- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); >+ size_password_1 = ndr_get_array_size(ndr, &r->in.password); >+ length_password_1 = ndr_get_array_length(ndr, &r->in.password); >+ if (length_password_1 > size_password_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name)); >@@ -3094,11 +3208,13 @@ static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.display_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.display_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.display_name)); >- if (ndr_get_array_length(ndr, &r->in.display_name) > ndr_get_array_size(ndr, &r->in.display_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.display_name), ndr_get_array_length(ndr, &r->in.display_name)); >+ size_display_name_1 = ndr_get_array_size(ndr, &r->in.display_name); >+ length_display_name_1 = ndr_get_array_length(ndr, &r->in.display_name); >+ if (length_display_name_1 > size_display_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_1, length_display_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, length_display_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.tag_id); >@@ -3259,13 +3375,27 @@ static enum ndr_err_code ndr_push_svcctl_CreateServiceA(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, int flags, struct svcctl_CreateServiceA *r) > { > uint32_t _ptr_ServiceName; >+ uint32_t size_ServiceName_1 = 0; >+ uint32_t length_ServiceName_1 = 0; > uint32_t _ptr_DisplayName; >+ uint32_t size_DisplayName_1 = 0; >+ uint32_t length_DisplayName_1 = 0; > uint32_t _ptr_binary_path; >+ uint32_t size_binary_path_1 = 0; >+ uint32_t length_binary_path_1 = 0; > uint32_t _ptr_LoadOrderGroupKey; >+ uint32_t size_LoadOrderGroupKey_1 = 0; >+ uint32_t length_LoadOrderGroupKey_1 = 0; > uint32_t _ptr_TagId; > uint32_t _ptr_dependencies; >+ uint32_t size_dependencies_1 = 0; >+ uint32_t length_dependencies_1 = 0; > uint32_t _ptr_service_start_name; >+ uint32_t size_service_start_name_1 = 0; >+ uint32_t length_service_start_name_1 = 0; > uint32_t _ptr_password; >+ uint32_t size_password_1 = 0; >+ uint32_t length_password_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_ServiceName_0; > TALLOC_CTX *_mem_save_DisplayName_0; >@@ -3296,11 +3426,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.ServiceName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); >- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); >+ size_ServiceName_1 = ndr_get_array_size(ndr, &r->in.ServiceName); >+ length_ServiceName_1 = ndr_get_array_length(ndr, &r->in.ServiceName); >+ if (length_ServiceName_1 > size_ServiceName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_1, length_ServiceName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ServiceName_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DisplayName)); >@@ -3314,11 +3446,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.DisplayName, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DisplayName)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DisplayName)); >- if (ndr_get_array_length(ndr, &r->in.DisplayName) > ndr_get_array_size(ndr, &r->in.DisplayName)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DisplayName), ndr_get_array_length(ndr, &r->in.DisplayName)); >+ size_DisplayName_1 = ndr_get_array_size(ndr, &r->in.DisplayName); >+ length_DisplayName_1 = ndr_get_array_length(ndr, &r->in.DisplayName); >+ if (length_DisplayName_1 > size_DisplayName_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DisplayName_1, length_DisplayName_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_DisplayName_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, length_DisplayName_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DisplayName_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.desired_access)); >@@ -3336,11 +3470,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.binary_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); >- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); >+ size_binary_path_1 = ndr_get_array_size(ndr, &r->in.binary_path); >+ length_binary_path_1 = ndr_get_array_length(ndr, &r->in.binary_path); >+ if (length_binary_path_1 > size_binary_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_1, length_binary_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_path_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_LoadOrderGroupKey)); >@@ -3354,11 +3490,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.LoadOrderGroupKey, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.LoadOrderGroupKey)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.LoadOrderGroupKey)); >- if (ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey) > ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey), ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey)); >+ size_LoadOrderGroupKey_1 = ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey); >+ length_LoadOrderGroupKey_1 = ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey); >+ if (length_LoadOrderGroupKey_1 > size_LoadOrderGroupKey_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_LoadOrderGroupKey_1, length_LoadOrderGroupKey_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_LoadOrderGroupKey_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, length_LoadOrderGroupKey_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_LoadOrderGroupKey_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dependencies)); >@@ -3372,11 +3510,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dependencies)); >- if (ndr_get_array_length(ndr, &r->in.dependencies) > ndr_get_array_size(ndr, &r->in.dependencies)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dependencies), ndr_get_array_length(ndr, &r->in.dependencies)); >+ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); >+ length_dependencies_1 = ndr_get_array_length(ndr, &r->in.dependencies); >+ if (length_dependencies_1 > size_dependencies_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service_start_name)); >@@ -3390,11 +3530,13 @@ static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); >- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); >+ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); >+ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); >+ if (length_service_start_name_1 > size_service_start_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH