The Samba-Bugzilla – Attachment 7400 Details for Bug 8815: PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182
Patch for v3-0-test
pidl-array-length-03.v3-0.txt (text/plain), 3.15 KB, created by Stefan Metzmacher on 2012-03-17 00:38:16 UTC
>From e11637c2c89c2d38963311416c34a4767b19e175 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Sat, 17 Mar 2012 01:22:27 +0100 >Subject: [PATCH] s3:librpc/gen_ndr: fix array checks (bug #8815 / CVE-2012-1182) > >An Anonymous researcher working with HP's Zero Day Initiative program >has found this and notified us. > >metze >--- > source/librpc/gen_ndr/ndr_wkssvc.c | 12 ++++++------ > 1 files changed, 6 insertions(+), 6 deletions(-) > >diff --git a/source/librpc/gen_ndr/ndr_wkssvc.c b/source/librpc/gen_ndr/ndr_wkssvc.c >index 2af3587..07cf1a1 100644 >--- a/source/librpc/gen_ndr/ndr_wkssvc.c >+++ b/source/librpc/gen_ndr/ndr_wkssvc.c >@@ -1385,10 +1385,10 @@ NTSTATUS ndr_pull_USER_INFO_0_CONTAINER(struct ndr_pull *ndr, int ndr_flags, str > NDR_PULL_ALLOC_N(ndr, r->user0, ndr_get_array_size(ndr, &r->user0)); > _mem_save_user0_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->user0, 0); >- for (cntr_user0_1 = 0; cntr_user0_1 < r->entries_read; cntr_user0_1++) { >+ for (cntr_user0_1 = 0; cntr_user0_1 < ndr_get_array_size(ndr, &r->user0); cntr_user0_1++) { > NDR_CHECK(ndr_pull_USER_INFO_0(ndr, NDR_SCALARS, &r->user0[cntr_user0_1])); > } >- for (cntr_user0_1 = 0; cntr_user0_1 < r->entries_read; cntr_user0_1++) { >+ for (cntr_user0_1 = 0; cntr_user0_1 < ndr_get_array_size(ndr, &r->user0); cntr_user0_1++) { > NDR_CHECK(ndr_pull_USER_INFO_0(ndr, NDR_BUFFERS, &r->user0[cntr_user0_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user0_1, 0); 
>@@ -1631,10 +1631,10 @@ NTSTATUS ndr_pull_USER_INFO_1_CONTAINER(struct ndr_pull *ndr, int ndr_flags, str > NDR_PULL_ALLOC_N(ndr, r->user1, ndr_get_array_size(ndr, &r->user1)); > _mem_save_user1_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->user1, 0); >- for (cntr_user1_1 = 0; cntr_user1_1 < r->entries_read; cntr_user1_1++) { >+ for (cntr_user1_1 = 0; cntr_user1_1 < ndr_get_array_size(ndr, &r->user1); cntr_user1_1++) { > NDR_CHECK(ndr_pull_USER_INFO_1(ndr, NDR_SCALARS, &r->user1[cntr_user1_1])); > } >- for (cntr_user1_1 = 0; cntr_user1_1 < r->entries_read; cntr_user1_1++) { >+ for (cntr_user1_1 = 0; cntr_user1_1 < ndr_get_array_size(ndr, &r->user1); cntr_user1_1++) { > NDR_CHECK(ndr_pull_USER_INFO_1(ndr, NDR_BUFFERS, &r->user1[cntr_user1_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user1_1, 0); >@@ -1953,10 +1953,10 @@ NTSTATUS ndr_pull_wkssvc_NetWkstaTransportCtr0(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < ndr_get_array_size(ndr, &r->array); cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetWkstaTransportInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < ndr_get_array_size(ndr, &r->array); cntr_array_1++) { > NDR_CHECK(ndr_pull_wkssvc_NetWkstaTransportInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >-- >1.7.4.1 >
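Review bot: in the first hunk (ndr_pull_USER_INFO_0_CONTAINER), both loops are now bounded by ndr_get_array_size(ndr, &r->user0), but the count field r->entries_read is left as received and nothing in the visible lines ties it to that size. Any code that later walks r->user0 using r->entries_read could still index past the allocation when the two values differ. Please confirm that the function rejects a mismatch after the loops, for example with ndr_check_array_size(ndr, (void*)&r->user0, r->entries_read), or add that check.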
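Review bot: in the second hunk (ndr_pull_USER_INFO_1_CONTAINER), ndr_get_array_size(ndr, &r->user1) is evaluated in the NDR_PULL_ALLOC_N call and again in the condition of both for loops on every iteration. Reading it once into a local and using that local for the allocation and for both loop bounds would make it obvious that all three use the same value, and would avoid the repeated lookup on large arrays.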
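Review bot: the third hunk (ndr_pull_wkssvc_NetWkstaTransportCtr0), like the two before it, hand-edits source/librpc/gen_ndr/ndr_wkssvc.c, which the bug title describes as PIDL autogenerated code, and the diffstat lists only this one file. The r->count loop bound will come back the next time the file is regenerated unless the generator on this branch emits ndr_get_array_size() as the bound. Please pair this with the generator change, or say in the commit message where that fix lands, and check the other gen_ndr files on this branch for the same loop pattern.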
Flags: jra: review+