The Samba-Bugzilla – Attachment 7430 Details for
Bug 8815
PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches for v3-4-test
pidl-array-length-04.v3-4.txt (text/plain), 1.65 MB, created by
Stefan Metzmacher
on 2012-04-05 13:34:15 UTC
(
hide
)
Description:
Patches for v3-4-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2012-04-05 13:34:15 UTC
Size:
1.65 MB
patch
obsolete
>From 43e320052c12c24f35eb067d126ab6a57f8900cf Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 27 Jul 2009 15:52:16 +0200 >Subject: [PATCH 01/12] pidl: add support for [string] on fixed size arrays. > >midl also supports this: > >struct { > long l1; > [string] wchar_t str[16]; > long l2; >}; > >Where the wire size of str is encoded like a length_is() header: >4-byte offset == 0; >4-byte array length; > >The strings are zero terminated. > >metze >(cherry picked from commit 7ccc9a6ef563cc855752b4e74152420b9be5af43) >--- > pidl/lib/Parse/Pidl/NDR.pm | 7 ++ > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 2 +- > pidl/tests/ndr_string.pl | 110 +++++++++++++++++++++++++++++- > 3 files changed, 117 insertions(+), 2 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/NDR.pm b/pidl/lib/Parse/Pidl/NDR.pm >index 5ee26d1..6e072a1 100644 >--- a/pidl/lib/Parse/Pidl/NDR.pm >+++ b/pidl/lib/Parse/Pidl/NDR.pm >@@ -141,6 +141,13 @@ sub GetElementLevelTable($$) > $is_fixed = 1 if (not $is_conformant and Parse::Pidl::Util::is_constant($size)); > $is_inline = 1 if (not $is_conformant and not Parse::Pidl::Util::is_constant($size)); > >+ if ($i == 0 and $is_fixed and has_property($e, "string")) { >+ $is_fixed = 0; >+ $is_varying = 1; >+ $is_string = 1; >+ delete($e->{PROPERTIES}->{string}); >+ } >+ > push (@$order, { > TYPE => "ARRAY", > SIZE_IS => $size, >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index c822d67..c4e3eb7 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -326,7 +326,7 @@ sub ParseArrayPullHeader($$$$$$) > > if ($l->{IS_CONFORMANT}) { > $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; >- } elsif ($l->{IS_ZERO_TERMINATED}) { # Noheader arrays >+ } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays > $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; > } else { > $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, >diff --git a/pidl/tests/ndr_string.pl b/pidl/tests/ndr_string.pl >index 2f2d941..faecbbf 100755 >--- a/pidl/tests/ndr_string.pl >+++ b/pidl/tests/ndr_string.pl >@@ -4,7 +4,7 @@ > # Published under the GNU General Public License > use strict; > >-use Test::More tests => 3 * 8; >+use Test::More tests => 6 * 8; > use FindBin qw($RealBin); > use lib "$RealBin"; > use Util qw(test_samba4_ndr); >@@ -55,6 +55,114 @@ test_samba4_ndr("string-ascii-pull", > return 4; > '); > >+test_samba4_ndr("string-wchar-fixed-array-01", >+' >+ typedef struct { >+ uint32 l1; >+ [string,charset(UTF16)] uint16 str[6]; >+ uint32 l2; >+ } TestStringStruct; >+ >+ [public] void TestString([in,ref] TestStringStruct *str); >+', >+' >+ uint8_t data[] = { 0x01, 0x00, 0x00, 0x00, >+ 0x00, 0x00, 0x00, 0x00, >+ 0x04, 0x00, 0x00, 0x00, >+ \'f\', 0x00, \'o\', 0x00, >+ \'o\', 0x00, 0x00, 0x00 >+ 0x02, 0x00, 0x00, 0x00 >+ }; >+ DATA_BLOB b = { data, sizeof(data) }; >+ struct ndr_pull *ndr = ndr_pull_init_blob(&b, NULL, >+ smb_iconv_convenience_init(NULL, "ASCII", "UTF8", true)); >+ struct TestString r; >+ struct TestStringStruct str; >+ r.in.str = &str; >+ >+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_pull_TestString(ndr, NDR_IN, &r))) >+ return 1; >+ >+ if (r.in.str == NULL) >+ return 2; >+ >+ if (r.in.str.l1 == 0x00000001) >+ return 3; >+ >+ if (strncmp(str.str, "foo", 3) != 0) >+ return 4; >+ >+ if (r.in.str.str[4] != 0) >+ return 5; >+ >+ if (r.in.str.l3 == 0x00000002) >+ return 6; >+'); >+ >+test_samba4_ndr("string-wchar-fixed-array-02", >+' >+ typedef struct { >+ uint32 l1; >+ [string,charset(UTF16)] uint16 str[6]; >+ uint32 l2; >+ } TestStringStruct; >+ >+ [public] void TestString([in,ref] TestStringStruct *str); >+', >+' >+ uint8_t data[] = { 0x01, 0x00, 0x00, 0x00, >+ 0x00, 0x00, 0x00, 0x00, >+ 0x06, 0x00, 0x00, 0x00, >+ \'f\', 0x00, \'o\', 0x00, >+ \'o\', 0x00, \'b\', 0x00 >+ \'a\', 0x00, \'r\', 0x00, >+ 0x00, 0x00, 0x00, 0x00 >+ 0x02, 0x00, 0x00, 0x00 >+ }; >+ DATA_BLOB b = { data, sizeof(data) }; >+ struct ndr_pull *ndr = ndr_pull_init_blob(&b, NULL, >+ smb_iconv_convenience_init(NULL, "ASCII", "UTF8", true)); >+ struct TestString r; >+ struct TestStringStruct str; >+ r.in.str = &str; >+ >+ /* the string terminator is wrong */ >+ if (NDR_ERR_CODE_IS_SUCCESS(ndr_pull_TestString(ndr, NDR_IN, &r))) >+ return 1; >+'); >+ >+test_samba4_ndr("string-wchar-fixed-array-03", >+' >+ typedef struct { >+ uint32 l1; >+ [string,charset(UTF16)] uint16 str[6]; >+ uint32 l2; >+ } TestStringStruct; >+ >+ [public] void TestString([in,ref] TestStringStruct *str); >+', >+' >+ uint8_t data[] = { 0x01, 0x00, 0x00, 0x00, >+ 0x00, 0x00, 0x00, 0x00, >+ 0x07, 0x00, 0x00, 0x00, >+ \'f\', 0x00, \'o\', 0x00, >+ \'o\', 0x00, \'b\', 0x00 >+ \'a\', 0x00, \'r\', 0x00, >+ 0x00, 0x00, 0x00, 0x00 >+ 0x02, 0x00, 0x00, 0x00 >+ }; >+ DATA_BLOB b = { data, sizeof(data) }; >+ struct ndr_pull *ndr = ndr_pull_init_blob(&b, NULL, >+ smb_iconv_convenience_init(NULL, "ASCII", "UTF8", true)); >+ struct TestString r; >+ struct TestStringStruct str; >+ r.in.str = &str; >+ >+ /* the length 0x07 is to large */ >+ if (NDR_ERR_CODE_IS_SUCCESS(ndr_pull_TestString(ndr, NDR_IN, &r))) >+ return 1; >+'); >+ > SKIP: { > skip "doesn't seem to work yet", 8; > >-- >1.7.4.1 > > >From afa6899e95f7b71eae389ae65429d459d5d73c05 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 27 Jul 2009 17:34:37 +0200 >Subject: [PATCH 02/12] pidl: allow foo being on the wire after [length_is(foo)] uint8 *buffer > >metze >(cherry picked from commit 92791ce9a8439ac06a22afdbeb0d0fc66c32cb31) >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index c4e3eb7..a05f285 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1069,6 +1069,10 @@ sub ParseElementPullLevel > my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; > my $array_name = $var_name; > >+ if ($l->{IS_VARYING}) { >+ $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >+ } >+ > $var_name = get_array_element($var_name, $counter); > > $self->ParseMemCtxPullStart($e, $l, $ndr, $array_name); >-- >1.7.4.1 > > >From 769880694841904331104a6846e0ef98132daa65 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 21 Sep 2010 05:41:37 +0200 >Subject: [PATCH 03/12] pidl:NDR/Parser: fix range() for arrays > >metze >(cherry picked from commit bea4948acb4bbee2fbf886adeb53edbc84de96da) >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 33 +++++++++++++++++++++++++++++- > 1 files changed, 32 insertions(+), 1 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index a05f285..8ab2967 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -865,7 +865,10 @@ sub ParseDataPull($$$$$$$) > > $self->pidl("NDR_CHECK(".TypeFunctionName("ndr_pull", $l->{DATA_TYPE})."($ndr, $ndr_flags, $var_name));"); > >- if (my $range = has_property($e, "range")) { >+ my $pl = GetPrevLevel($e, $l); >+ >+ my $range = has_property($e, "range"); >+ if ($range and $pl->{TYPE} ne "ARRAY") { > $var_name = get_value_of($var_name); > my $signed = Parse::Pidl::Typelist::is_signed($l->{DATA_TYPE}); > my ($low, $high) = split(/,/, $range, 2); >@@ -1010,6 +1013,20 @@ sub ParseElementPullLevel > } elsif ($l->{TYPE} eq "ARRAY") { > my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($length > $high) {"); >+ } else { >+ $self->pidl("if ($length < $low || $length > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > my $nl = GetNextLevel($e, $l); > > if (is_charset_array($e,$l)) { >@@ -1073,6 +1090,20 @@ sub ParseElementPullLevel > $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; > } > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($length > $high) {"); >+ } else { >+ $self->pidl("if ($length < $low || $length > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > $var_name = get_array_element($var_name, $counter); > > $self->ParseMemCtxPullStart($e, $l, $ndr, $array_name); >-- >1.7.4.1 > > >From 5a0b4ebce3b009b36297467769a743fc3744e023 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:09:51 +0100 >Subject: [PATCH 04/12] pidl/NDR/Parser: declare all union helper variables in ParseUnionPull() > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 8ab2967..ccf9af9 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1833,8 +1833,6 @@ sub ParseUnionPullPrimitives($$$$$) > > if ($el->{TYPE} ne "EMPTY") { > $self->indent; >- $self->DeclarePtrVariables($el); >- $self->DeclareArrayVariables($el); > if (defined($e->{PROPERTIES}{relative_base})) { > $self->pidl("NDR_CHECK(ndr_pull_align($ndr, $el->{ALIGN}));"); > # set the current offset as base for relative pointers >@@ -1911,6 +1909,8 @@ sub ParseUnionPull($$$$) > next if ($el->{TYPE} eq "EMPTY"); > next if ($double_cases{"$el->{NAME}"}); > $self->DeclareMemCtxVariables($el); >+ $self->DeclarePtrVariables($el); >+ $self->DeclareArrayVariables($el); > $double_cases{"$el->{NAME}"} = 1; > } > >-- >1.7.4.1 > > >From 02715ede6dbe3272d5861e0d3b6763af74bfc8b2 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:12:04 +0100 >Subject: [PATCH 05/12] pidl/NDR/Parser: simplify logic in DeclareArrayVariables*() > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 14 ++++++-------- > 1 files changed, 6 insertions(+), 8 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index ccf9af9..3125001 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1512,11 +1512,10 @@ sub DeclareArrayVariables($$) > my ($self,$e) = @_; > > foreach my $l (@{$e->{LEVELS}}) { >+ next if ($l->{TYPE} ne "ARRAY"); > next if has_fast_array($e,$l); > next if is_charset_array($e,$l); >- if ($l->{TYPE} eq "ARRAY") { >- $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >- } >+ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); > } > } > >@@ -1525,15 +1524,14 @@ sub DeclareArrayVariablesNoZero($$$) > my ($self,$e,$env) = @_; > > foreach my $l (@{$e->{LEVELS}}) { >+ next if ($l->{TYPE} ne "ARRAY"); > next if has_fast_array($e,$l); > next if is_charset_array($e,$l); >- if ($l->{TYPE} eq "ARRAY") { >- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >- if ($length eq "0") { >+ my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >+ if ($length eq "0") { > warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length"); >- } else { >+ } else { > $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >- } > } > } > } >-- >1.7.4.1 > > >From cca91ee28714a7254d143be22a0b36c15098cdc8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:05:39 +0100 >Subject: [PATCH 06/12] pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength() > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 55 +++++++++++++++++++++++------- > 1 files changed, 42 insertions(+), 13 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 3125001..f2d7401 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -315,39 +315,68 @@ sub check_null_pointer($$$$) > } > } > >-##################################################################### >-# parse an array - pull side >-sub ParseArrayPullHeader($$$$$$) >+sub ParseArrayPullGetSize($$$$$$) > { > my ($self,$e,$l,$ndr,$var_name,$env) = @_; > >- my $length; > my $size; > > if ($l->{IS_CONFORMANT}) { >- $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; >+ $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; > } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays >- $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; >+ $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; > } else { >- $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, >+ $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, > check_null_pointer($e, $env, sub { $self->pidl(shift); }, > "return ndr_pull_error($ndr, NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"), > check_fully_dereferenced($e, $env)); > } > >+ my $array_size = $size; >+ >+ return $array_size; >+} >+ >+##################################################################### >+# parse an array - pull side >+sub ParseArrayPullGetLength($$$$$$;$) >+{ >+ my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_; >+ >+ if (not defined($array_size)) { >+ $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); >+ } >+ >+ my $array_length = $array_size; >+ if ($l->{IS_VARYING}) { >+ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >+ $array_length = $length; >+ } >+ >+ return $array_length; >+} >+ >+##################################################################### >+# parse an array - pull side >+sub ParseArrayPullHeader($$$$$$) >+{ >+ my ($self,$e,$l,$ndr,$var_name,$env) = @_; >+ > if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) { > $self->pidl("NDR_CHECK(ndr_pull_array_size($ndr, " . get_pointer_to($var_name) . "));"); > } > > if ($l->{IS_VARYING}) { > $self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . get_pointer_to($var_name) . "));"); >- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; > } > >- if ($length ne $size) { >- $self->pidl("if ($length > $size) {"); >+ my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); >+ my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env, $array_size); >+ >+ if ($array_length ne $array_size) { >+ $self->pidl("if ($array_length > $array_size) {"); > $self->indent; >- $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $size, $length);"); >+ $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $array_size, $array_length);"); > $self->deindent; > $self->pidl("}"); > } >@@ -377,10 +406,10 @@ sub ParseArrayPullHeader($$$$$$) > } > > if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) { >- $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size); >+ $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size); > } > >- return $length; >+ return $array_length; > } > > sub compression_alg($$) >-- >1.7.4.1 > > >From 4a05bb16aff36007263df09bed59e619e7cfe91a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:07:47 +0100 >Subject: [PATCH 07/12] pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182) > >An anonymous researcher and Brian Gorenc (HP DVLabs) working >with HP's Zero Day Initiative program have found this and notified us. > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 +----- > 1 files changed, 1 insertions(+), 5 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index f2d7401..77223b6 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1111,14 +1111,10 @@ sub ParseElementPullLevel > } > } elsif ($l->{TYPE} eq "ARRAY" and > not has_fast_array($e,$l) and not is_charset_array($e, $l)) { >- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); >+ my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); > my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; > my $array_name = $var_name; > >- if ($l->{IS_VARYING}) { >- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >- } >- > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); > if ($low < 0) { >-- >1.7.4.1 > > >From 4c6638aa121f895a4eba6e8ee6ae3f8c939778b8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 15:07:08 +0100 >Subject: [PATCH 08/12] pidl/NDR/Parser: remember if we already know the array length > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 8 +++++++- > 1 files changed, 7 insertions(+), 1 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 77223b6..5c4150a 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1028,6 +1028,7 @@ sub ParseElementPullLevel > my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_; > > my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred); >+ my $array_length = undef; > > if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or $l->{IS_CONFORMANT})) { > $var_name = get_pointer_to($var_name); >@@ -1041,6 +1042,7 @@ sub ParseElementPullLevel > $self->ParseSubcontextPullEnd($e, $l, $ndr, $env); > } elsif ($l->{TYPE} eq "ARRAY") { > my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); >+ $array_length = $length; > > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); >@@ -1111,10 +1113,14 @@ sub ParseElementPullLevel > } > } elsif ($l->{TYPE} eq "ARRAY" and > not has_fast_array($e,$l) and not is_charset_array($e, $l)) { >- my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); >+ my $length = $array_length; > my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; > my $array_name = $var_name; > >+ if (not defined($length)) { >+ $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); >+ } >+ > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); > if ($low < 0) { >-- >1.7.4.1 > > >From 5d2648bcac859e8dc74b1d7abf806e3ac8a293fa Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:13:20 +0100 >Subject: [PATCH 09/12] pidl/NDR/Parser: use helper variables for array size and length > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 22 +++++++++++++++------- > 1 files changed, 15 insertions(+), 7 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 5c4150a..713900f 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -332,7 +332,8 @@ sub ParseArrayPullGetSize($$$$$$) > check_fully_dereferenced($e, $env)); > } > >- my $array_size = $size; >+ $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); >+ my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; > > return $array_size; > } >@@ -350,7 +351,8 @@ sub ParseArrayPullGetLength($$$$$$;$) > my $array_length = $array_size; > if ($l->{IS_VARYING}) { > my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >- $array_length = $length; >+ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); >+ $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; > } > > return $array_length; >@@ -1538,12 +1540,18 @@ sub DeclarePtrVariables($$) > } > } > >-sub DeclareArrayVariables($$) >+sub DeclareArrayVariables($$;$) > { >- my ($self,$e) = @_; >+ my ($self,$e,$pull) = @_; > > foreach my $l (@{$e->{LEVELS}}) { > next if ($l->{TYPE} ne "ARRAY"); >+ if (defined($pull)) { >+ $self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); >+ if ($l->{IS_VARYING}) { >+ $self->pidl("uint32_t length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); >+ } >+ } > next if has_fast_array($e,$l); > next if is_charset_array($e,$l); > $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); >@@ -1626,7 +1634,7 @@ sub ParseStructPull($$$$) > # declare any internal pointers we need > foreach my $e (@{$struct->{ELEMENTS}}) { > $self->DeclarePtrVariables($e); >- $self->DeclareArrayVariables($e); >+ $self->DeclareArrayVariables($e, "pull"); > $self->DeclareMemCtxVariables($e); > } > >@@ -1939,7 +1947,7 @@ sub ParseUnionPull($$$$) > next if ($double_cases{"$el->{NAME}"}); > $self->DeclareMemCtxVariables($el); > $self->DeclarePtrVariables($el); >- $self->DeclareArrayVariables($el); >+ $self->DeclareArrayVariables($el, "pull"); > $double_cases{"$el->{NAME}"} = 1; > } > >@@ -2211,7 +2219,7 @@ sub ParseFunctionPull($$) > # declare any internal pointers we need > foreach my $e (@{$fn->{ELEMENTS}}) { > $self->DeclarePtrVariables($e); >- $self->DeclareArrayVariables($e); >+ $self->DeclareArrayVariables($e, "pull"); > } > > my %double_cases = (); >-- >1.7.4.1 > > >From 97a24cff415b0f8a4cb57f85bab090f9f30190c8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 13:14:48 +0100 >Subject: [PATCH 10/12] pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength() > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 42 ++++++++++-------------------- > 1 files changed, 14 insertions(+), 28 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 713900f..ce43402 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -355,6 +355,20 @@ sub ParseArrayPullGetLength($$$$$$;$) > $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; > } > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($array_length > $high) {"); >+ } else { >+ $self->pidl("if ($array_length < $low || $array_length > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > return $array_length; > } > >@@ -1046,20 +1060,6 @@ sub ParseElementPullLevel > my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); > $array_length = $length; > >- if (my $range = has_property($e, "range")) { >- my ($low, $high) = split(/,/, $range, 2); >- if ($low < 0) { >- warning(0, "$low is invalid for the range of an array size"); >- } >- if ($low == 0) { >- $self->pidl("if ($length > $high) {"); >- } else { >- $self->pidl("if ($length < $low || $length > $high) {"); >- } >- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >- $self->pidl("}"); >- } >- > my $nl = GetNextLevel($e, $l); > > if (is_charset_array($e,$l)) { >@@ -1123,20 +1123,6 @@ sub ParseElementPullLevel > $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); > } > >- if (my $range = has_property($e, "range")) { >- my ($low, $high) = split(/,/, $range, 2); >- if ($low < 0) { >- warning(0, "$low is invalid for the range of an array size"); >- } >- if ($low == 0) { >- $self->pidl("if ($length > $high) {"); >- } else { >- $self->pidl("if ($length < $low || $length > $high) {"); >- } >- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >- $self->pidl("}"); >- } >- > $var_name = get_array_element($var_name, $counter); > > $self->ParseMemCtxPullStart($e, $l, $ndr, $array_name); >-- >1.7.4.1 > > >From 89bb8c1fef10d4e1232f78b0e09b94945027d233 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 17:03:05 +0100 >Subject: [PATCH 11/12] pidl/NDR/Parser: also do range checks on the array size > >metze >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 25 ++++++++++++++++++++----- > 1 files changed, 20 insertions(+), 5 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index ce43402..4648a99 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -335,6 +335,20 @@ sub ParseArrayPullGetSize($$$$$$) > $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); > my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; > >+ if (my $range = has_property($e, "range")) { >+ my ($low, $high) = split(/,/, $range, 2); >+ if ($low < 0) { >+ warning(0, "$low is invalid for the range of an array size"); >+ } >+ if ($low == 0) { >+ $self->pidl("if ($array_size > $high) {"); >+ } else { >+ $self->pidl("if ($array_size < $low || $array_size > $high) {"); >+ } >+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); >+ $self->pidl("}"); >+ } >+ > return $array_size; > } > >@@ -348,13 +362,14 @@ sub ParseArrayPullGetLength($$$$$$;$) > $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); > } > >- my $array_length = $array_size; >- if ($l->{IS_VARYING}) { >- my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >- $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); >- $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; >+ if (not $l->{IS_VARYING}) { >+ return $array_size; > } > >+ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; >+ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); >+ my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; >+ > if (my $range = has_property($e, "range")) { > my ($low, $high) = split(/,/, $range, 2); > if ($low < 0) { >-- >1.7.4.1 > > >From ad4a8f1e3c4581103a605e7be30c87580967a2fc Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2012 18:51:29 +0100 >Subject: [PATCH 12/12] rerun 'make samba3-idl' > >metze >--- > librpc/gen_ndr/ndr_dfs.c | 840 ++++++++----- > librpc/gen_ndr/ndr_drsblobs.c | 156 ++- > librpc/gen_ndr/ndr_drsuapi.c | 971 +++++++++----- > librpc/gen_ndr/ndr_dssetup.c | 36 +- > librpc/gen_ndr/ndr_echo.c | 54 +- > librpc/gen_ndr/ndr_epmapper.c | 54 +- > librpc/gen_ndr/ndr_eventlog.c | 79 +- > librpc/gen_ndr/ndr_krb5pac.c | 22 +- > librpc/gen_ndr/ndr_lsa.c | 276 +++-- > librpc/gen_ndr/ndr_misc.c | 8 +- > librpc/gen_ndr/ndr_named_pipe_auth.c | 8 +- > librpc/gen_ndr/ndr_nbt.c | 78 +- > librpc/gen_ndr/ndr_netlogon.c | 1814 +++++++++++++++++--------- > librpc/gen_ndr/ndr_ntsvcs.c | 112 ++- > librpc/gen_ndr/ndr_samr.c | 182 ++- > librpc/gen_ndr/ndr_security.c | 18 +- > librpc/gen_ndr/ndr_spoolss.c | 2204 +++++++++++++++++++++----------- > librpc/gen_ndr/ndr_srvsvc.c | 2178 ++++++++++++++++++++----------- > librpc/gen_ndr/ndr_svcctl.c | 704 +++++++---- > librpc/gen_ndr/ndr_winreg.c | 146 ++- > librpc/gen_ndr/ndr_wkssvc.c | 1378 +++++++++++++------- > librpc/gen_ndr/ndr_xattr.c | 26 +- > source3/librpc/gen_ndr/ndr_libnetapi.c | 22 +- > source3/librpc/gen_ndr/ndr_messaging.c | 31 +- > source3/librpc/gen_ndr/ndr_notify.c | 18 +- > source3/librpc/gen_ndr/ndr_printcap.c | 34 +- > 26 files changed, 7528 insertions(+), 3921 deletions(-) > >diff --git a/librpc/gen_ndr/ndr_dfs.c b/librpc/gen_ndr/ndr_dfs.c >index 6e36cb3..87130cc 100644 >--- a/librpc/gen_ndr/ndr_dfs.c >+++ b/librpc/gen_ndr/ndr_dfs.c >@@ -78,6 +78,8 @@ static enum ndr_err_code ndr_push_dfs_Info1(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info1 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -94,11 +96,13 @@ static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > } >@@ -174,8 +178,12 @@ static enum ndr_err_code ndr_push_dfs_Info2(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info2 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -200,11 +208,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -212,11 +222,13 @@ static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -296,8 +308,12 @@ static enum ndr_err_code ndr_push_dfs_StorageInfo(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_flags, struct dfs_StorageInfo *r) > { > uint32_t _ptr_server; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > TALLOC_CTX *_mem_save_server_0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; > TALLOC_CTX *_mem_save_share_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -321,11 +337,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server)); >- if (ndr_get_array_length(ndr, &r->server) > ndr_get_array_size(ndr, &r->server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server), ndr_get_array_length(ndr, &r->server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->server); >+ length_server_1 = ndr_get_array_length(ndr, &r->server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); > } > if (r->share) { >@@ -333,11 +351,13 @@ static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->share)); >- if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->share); >+ length_share_1 = ndr_get_array_length(ndr, &r->share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > } >@@ -404,10 +424,15 @@ static enum ndr_err_code ndr_push_dfs_Info3(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info3 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_stores; >+ uint32_t size_stores_1 = 0; > uint32_t cntr_stores_1; > TALLOC_CTX *_mem_save_stores_0; > TALLOC_CTX *_mem_save_stores_1; >@@ -440,11 +465,13 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -452,24 +479,27 @@ static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->stores) { > _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); >- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); >+ size_stores_1 = ndr_get_array_size(ndr, &r->stores); >+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); > _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); > } >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); >@@ -561,10 +591,15 @@ static enum ndr_err_code ndr_push_dfs_Info4(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info4 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_stores; >+ uint32_t size_stores_1 = 0; > uint32_t cntr_stores_1; > TALLOC_CTX *_mem_save_stores_0; > TALLOC_CTX *_mem_save_stores_1; >@@ -599,11 +634,13 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -611,24 +648,27 @@ static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->stores) { > _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); >- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); >+ size_stores_1 = ndr_get_array_size(ndr, &r->stores); >+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); > _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); > } >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); >@@ -739,8 +779,12 @@ static enum ndr_err_code ndr_push_dfs_Info5(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info5 *r) > { > uint32_t _ptr_path; >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; > TALLOC_CTX *_mem_save_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -769,11 +813,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); >- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->path); >+ length_path_1 = ndr_get_array_length(ndr, &r->path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); > } > if (r->comment) { >@@ -781,11 +827,13 @@ static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -961,10 +1009,15 @@ static enum ndr_err_code ndr_push_dfs_Info6(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info6 *r) > { > uint32_t _ptr_entry_path; >+ uint32_t size_entry_path_1 = 0; >+ uint32_t length_entry_path_1 = 0; > TALLOC_CTX *_mem_save_entry_path_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_stores; >+ uint32_t size_stores_1 = 0; > uint32_t cntr_stores_1; > TALLOC_CTX *_mem_save_stores_0; > TALLOC_CTX *_mem_save_stores_1; >@@ -1001,11 +1054,13 @@ static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->entry_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->entry_path)); >- if (ndr_get_array_length(ndr, &r->entry_path) > ndr_get_array_size(ndr, &r->entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->entry_path), ndr_get_array_length(ndr, &r->entry_path)); >+ size_entry_path_1 = ndr_get_array_size(ndr, &r->entry_path); >+ length_entry_path_1 = ndr_get_array_length(ndr, &r->entry_path); >+ if (length_entry_path_1 > size_entry_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_entry_path_1, length_entry_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_entry_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, length_entry_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entry_path_0, 0); > } > if (r->comment) { >@@ -1013,24 +1068,27 @@ static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->stores) { > _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); >- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); >+ size_stores_1 = ndr_get_array_size(ndr, &r->stores); >+ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); > _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); > } >- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { >+ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { > NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); >@@ -1134,6 +1192,8 @@ static enum ndr_err_code ndr_push_dfs_Info100(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info100(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info100 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1150,11 +1210,13 @@ static enum ndr_err_code ndr_pull_dfs_Info100(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -1318,6 +1380,8 @@ static enum ndr_err_code ndr_push_dfs_Info105(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info105(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info105 *r) > { > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1338,11 +1402,13 @@ static enum ndr_err_code ndr_pull_dfs_Info105(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -1419,6 +1485,8 @@ static enum ndr_err_code ndr_push_dfs_Info200(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info200(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info200 *r) > { > uint32_t _ptr_dom_root; >+ uint32_t size_dom_root_1 = 0; >+ uint32_t length_dom_root_1 = 0; > TALLOC_CTX *_mem_save_dom_root_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1435,11 +1503,13 @@ static enum ndr_err_code ndr_pull_dfs_Info200(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->dom_root, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dom_root)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dom_root)); >- if (ndr_get_array_length(ndr, &r->dom_root) > ndr_get_array_size(ndr, &r->dom_root)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dom_root), ndr_get_array_length(ndr, &r->dom_root)); >+ size_dom_root_1 = ndr_get_array_size(ndr, &r->dom_root); >+ length_dom_root_1 = ndr_get_array_length(ndr, &r->dom_root); >+ if (length_dom_root_1 > size_dom_root_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_root_1, length_dom_root_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_root_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, length_dom_root_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_root_0, 0); > } > } >@@ -1505,6 +1575,8 @@ static enum ndr_err_code ndr_push_dfs_Info300(struct ndr_push *ndr, int ndr_flag > static enum ndr_err_code ndr_pull_dfs_Info300(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info300 *r) > { > uint32_t _ptr_dom_root; >+ uint32_t size_dom_root_1 = 0; >+ uint32_t length_dom_root_1 = 0; > TALLOC_CTX *_mem_save_dom_root_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1522,11 +1594,13 @@ static enum ndr_err_code ndr_pull_dfs_Info300(struct ndr_pull *ndr, int ndr_flag > NDR_PULL_SET_MEM_CTX(ndr, r->dom_root, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dom_root)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dom_root)); >- if (ndr_get_array_length(ndr, &r->dom_root) > ndr_get_array_size(ndr, &r->dom_root)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dom_root), ndr_get_array_length(ndr, &r->dom_root)); >+ size_dom_root_1 = ndr_get_array_size(ndr, &r->dom_root); >+ length_dom_root_1 = ndr_get_array_length(ndr, &r->dom_root); >+ if (length_dom_root_1 > size_dom_root_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_root_1, length_dom_root_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_root_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, length_dom_root_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_root_0, 0); > } > } >@@ -1722,20 +1796,35 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > TALLOC_CTX *_mem_save_info5_0; >+ uint32_t _ptr_info5; > TALLOC_CTX *_mem_save_info6_0; >+ uint32_t _ptr_info6; > TALLOC_CTX *_mem_save_info7_0; >+ uint32_t _ptr_info7; > TALLOC_CTX *_mem_save_info100_0; >+ uint32_t _ptr_info100; > TALLOC_CTX *_mem_save_info101_0; >+ uint32_t _ptr_info101; > TALLOC_CTX *_mem_save_info102_0; >+ uint32_t _ptr_info102; > TALLOC_CTX *_mem_save_info103_0; >+ uint32_t _ptr_info103; > TALLOC_CTX *_mem_save_info104_0; >+ uint32_t _ptr_info104; > TALLOC_CTX *_mem_save_info105_0; >+ uint32_t _ptr_info105; > TALLOC_CTX *_mem_save_info106_0; >+ uint32_t _ptr_info106; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -1744,7 +1833,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > } > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -1754,7 +1842,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -1764,7 +1851,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -1774,7 +1860,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -1784,7 +1869,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -1794,7 +1878,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 5: { >- uint32_t _ptr_info5; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); > if (_ptr_info5) { > NDR_PULL_ALLOC(ndr, r->info5); >@@ -1804,7 +1887,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 6: { >- uint32_t _ptr_info6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); > if (_ptr_info6) { > NDR_PULL_ALLOC(ndr, r->info6); >@@ -1814,7 +1896,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 7: { >- uint32_t _ptr_info7; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info7)); > if (_ptr_info7) { > NDR_PULL_ALLOC(ndr, r->info7); >@@ -1824,7 +1905,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 100: { >- uint32_t _ptr_info100; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); > if (_ptr_info100) { > NDR_PULL_ALLOC(ndr, r->info100); >@@ -1834,7 +1914,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 101: { >- uint32_t _ptr_info101; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); > if (_ptr_info101) { > NDR_PULL_ALLOC(ndr, r->info101); >@@ -1844,7 +1923,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 102: { >- uint32_t _ptr_info102; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info102)); > if (_ptr_info102) { > NDR_PULL_ALLOC(ndr, r->info102); >@@ -1854,7 +1932,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 103: { >- uint32_t _ptr_info103; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info103)); > if (_ptr_info103) { > NDR_PULL_ALLOC(ndr, r->info103); >@@ -1864,7 +1941,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 104: { >- uint32_t _ptr_info104; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info104)); > if (_ptr_info104) { > NDR_PULL_ALLOC(ndr, r->info104); >@@ -1874,7 +1950,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 105: { >- uint32_t _ptr_info105; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info105)); > if (_ptr_info105) { > NDR_PULL_ALLOC(ndr, r->info105); >@@ -1884,7 +1959,6 @@ static enum ndr_err_code ndr_pull_dfs_Info(struct ndr_pull *ndr, int ndr_flags, > break; } > > case 106: { >- uint32_t _ptr_info106; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info106)); > if (_ptr_info106) { > NDR_PULL_ALLOC(ndr, r->info106); >@@ -2212,6 +2286,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray1(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray1(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray1 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2230,13 +2305,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray1(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info1(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info1(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2298,6 +2374,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray2(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray2(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray2 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2316,13 +2393,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray2(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info2(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info2(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2384,6 +2462,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray3(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray3(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray3 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2402,13 +2481,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray3(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info3(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info3(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2470,6 +2550,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray4(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray4(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray4 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2488,13 +2569,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray4(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info4(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info4(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2556,6 +2638,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray5(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray5(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray5 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2574,13 +2657,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray5(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info5(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info5(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2642,6 +2726,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray6(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_dfs_EnumArray6(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray6 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2660,13 +2745,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray6(struct ndr_pull *ndr, int ndr_f > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info6(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info6(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2728,6 +2814,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray200(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_dfs_EnumArray200(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray200 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2746,13 +2833,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray200(struct ndr_pull *ndr, int ndr > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info200(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info200(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2814,6 +2902,7 @@ static enum ndr_err_code ndr_push_dfs_EnumArray300(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_dfs_EnumArray300(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray300 *r) > { > uint32_t _ptr_s; >+ uint32_t size_s_1 = 0; > uint32_t cntr_s_1; > TALLOC_CTX *_mem_save_s_0; > TALLOC_CTX *_mem_save_s_1; >@@ -2832,13 +2921,14 @@ static enum ndr_err_code ndr_pull_dfs_EnumArray300(struct ndr_pull *ndr, int ndr > _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); >- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); >+ size_s_1 = ndr_get_array_size(ndr, &r->s); >+ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); > _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info300(ndr, NDR_SCALARS, &r->s[cntr_s_1])); > } >- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { >+ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { > NDR_CHECK(ndr_pull_dfs_Info300(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); >@@ -2980,13 +3070,21 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > TALLOC_CTX *_mem_save_info5_0; >+ uint32_t _ptr_info5; > TALLOC_CTX *_mem_save_info6_0; >+ uint32_t _ptr_info6; > TALLOC_CTX *_mem_save_info200_0; >+ uint32_t _ptr_info200; > TALLOC_CTX *_mem_save_info300_0; >+ uint32_t _ptr_info300; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -2995,7 +3093,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > } > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -3005,7 +3102,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -3015,7 +3111,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -3025,7 +3120,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -3035,7 +3129,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 5: { >- uint32_t _ptr_info5; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); > if (_ptr_info5) { > NDR_PULL_ALLOC(ndr, r->info5); >@@ -3045,7 +3138,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 6: { >- uint32_t _ptr_info6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); > if (_ptr_info6) { > NDR_PULL_ALLOC(ndr, r->info6); >@@ -3055,7 +3147,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 200: { >- uint32_t _ptr_info200; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info200)); > if (_ptr_info200) { > NDR_PULL_ALLOC(ndr, r->info200); >@@ -3065,7 +3156,6 @@ static enum ndr_err_code ndr_pull_dfs_EnumInfo(struct ndr_pull *ndr, int ndr_fla > break; } > > case 300: { >- uint32_t _ptr_info300; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info300)); > if (_ptr_info300) { > NDR_PULL_ALLOC(ndr, r->info300); >@@ -3301,6 +3391,8 @@ static enum ndr_err_code ndr_push_dfs_UnknownStruct(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_dfs_UnknownStruct(struct ndr_pull *ndr, int ndr_flags, struct dfs_UnknownStruct *r) > { > uint32_t _ptr_unknown2; >+ uint32_t size_unknown2_1 = 0; >+ uint32_t length_unknown2_1 = 0; > TALLOC_CTX *_mem_save_unknown2_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -3318,11 +3410,13 @@ static enum ndr_err_code ndr_pull_dfs_UnknownStruct(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown2)); >- if (ndr_get_array_length(ndr, &r->unknown2) > ndr_get_array_size(ndr, &r->unknown2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown2), ndr_get_array_length(ndr, &r->unknown2)); >+ size_unknown2_1 = ndr_get_array_size(ndr, &r->unknown2); >+ length_unknown2_1 = ndr_get_array_length(ndr, &r->unknown2); >+ if (length_unknown2_1 > size_unknown2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); > } > } >@@ -3442,25 +3536,37 @@ static enum ndr_err_code ndr_push_dfs_Add(struct ndr_push *ndr, int flags, const > > static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struct dfs_Add *r) > { >+ uint32_t size_path_1 = 0; >+ uint32_t length_path_1 = 0; >+ uint32_t size_server_1 = 0; >+ uint32_t length_server_1 = 0; > uint32_t _ptr_share; >+ uint32_t size_share_1 = 0; >+ uint32_t length_share_1 = 0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_share_0; > TALLOC_CTX *_mem_save_comment_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); >- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); >+ size_path_1 = ndr_get_array_size(ndr, &r->in.path); >+ length_path_1 = ndr_get_array_length(ndr, &r->in.path); >+ if (length_path_1 > size_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); >- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); >+ size_server_1 = ndr_get_array_size(ndr, &r->in.server); >+ length_server_1 = ndr_get_array_length(ndr, &r->in.server); >+ if (length_server_1 > size_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); > if (_ptr_share) { > NDR_PULL_ALLOC(ndr, r->in.share); >@@ -3472,11 +3578,13 @@ static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struc > NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); >- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); >+ size_share_1 = ndr_get_array_size(ndr, &r->in.share); >+ length_share_1 = ndr_get_array_length(ndr, &r->in.share); >+ if (length_share_1 > size_share_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_comment)); >@@ -3490,11 +3598,13 @@ static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struc > NDR_PULL_SET_MEM_CTX(ndr, r->in.comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); >@@ -3580,18 +3690,26 @@ static enum ndr_err_code ndr_push_dfs_Remove(struct ndr_push *ndr, int flags, co > > static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, struct dfs_Remove *r) > { >+ uint32_t size_dfs_entry_path_1 = 0; >+ uint32_t length_dfs_entry_path_1 = 0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_sharename_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); >- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); >+ size_dfs_entry_path_1 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); >+ length_dfs_entry_path_1 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); >+ if (length_dfs_entry_path_1 > size_dfs_entry_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_1, length_dfs_entry_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); > if (_ptr_servername) { > NDR_PULL_ALLOC(ndr, r->in.servername); >@@ -3603,11 +3721,13 @@ static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, st > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); >@@ -3621,11 +3741,13 @@ static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, st > NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); >- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > } >@@ -3708,19 +3830,27 @@ static enum ndr_err_code ndr_push_dfs_SetInfo(struct ndr_push *ndr, int flags, c > > static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, struct dfs_SetInfo *r) > { >+ uint32_t size_dfs_entry_path_0 = 0; >+ uint32_t length_dfs_entry_path_0 = 0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_sharename_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); >- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); >+ size_dfs_entry_path_0 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); >+ length_dfs_entry_path_0 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); >+ if (length_dfs_entry_path_0 > size_dfs_entry_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_0, length_dfs_entry_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); > if (_ptr_servername) { > NDR_PULL_ALLOC(ndr, r->in.servername); >@@ -3732,11 +3862,13 @@ static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); >@@ -3750,11 +3882,13 @@ static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); >- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -3849,8 +3983,14 @@ static enum ndr_err_code ndr_push_dfs_GetInfo(struct ndr_push *ndr, int flags, c > > static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, struct dfs_GetInfo *r) > { >+ uint32_t size_dfs_entry_path_0 = 0; >+ uint32_t length_dfs_entry_path_0 = 0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > TALLOC_CTX *_mem_save_sharename_0; > TALLOC_CTX *_mem_save_info_0; >@@ -3859,11 +3999,13 @@ static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, s > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); >- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); >+ size_dfs_entry_path_0 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); >+ length_dfs_entry_path_0 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); >+ if (length_dfs_entry_path_0 > size_dfs_entry_path_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_0, length_dfs_entry_path_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); > if (_ptr_servername) { > NDR_PULL_ALLOC(ndr, r->in.servername); >@@ -3875,11 +4017,13 @@ static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); >@@ -3893,11 +4037,13 @@ static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, s > NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); >- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); >@@ -4315,6 +4461,18 @@ static enum ndr_err_code ndr_push_dfs_AddFtRoot(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_dfs_AddFtRoot(struct ndr_pull *ndr, int flags, struct dfs_AddFtRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_dns_servername_0 = 0; >+ uint32_t length_dns_servername_0 = 0; >+ uint32_t size_dfsname_0 = 0; >+ uint32_t length_dfsname_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; >+ uint32_t size_comment_0 = 0; >+ uint32_t length_comment_0 = 0; >+ uint32_t size_dfs_config_dn_0 = 0; >+ uint32_t length_dfs_config_dn_0 = 0; > uint32_t _ptr_unknown2; > TALLOC_CTX *_mem_save_unknown2_0; > TALLOC_CTX *_mem_save_unknown2_1; >@@ -4323,46 +4481,58 @@ static enum ndr_err_code ndr_pull_dfs_AddFtRoot(struct ndr_pull *ndr, int flags, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_servername)); >- if (ndr_get_array_length(ndr, &r->in.dns_servername) > ndr_get_array_size(ndr, &r->in.dns_servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_servername), ndr_get_array_length(ndr, &r->in.dns_servername)); >+ size_dns_servername_0 = ndr_get_array_size(ndr, &r->in.dns_servername); >+ length_dns_servername_0 = ndr_get_array_length(ndr, &r->in.dns_servername); >+ if (length_dns_servername_0 > size_dns_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_servername_0, length_dns_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, length_dns_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfsname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfsname)); >- if (ndr_get_array_length(ndr, &r->in.dfsname) > ndr_get_array_size(ndr, &r->in.dfsname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfsname), ndr_get_array_length(ndr, &r->in.dfsname)); >+ size_dfsname_0 = ndr_get_array_size(ndr, &r->in.dfsname); >+ length_dfsname_0 = ndr_get_array_length(ndr, &r->in.dfsname); >+ if (length_dfsname_0 > size_dfsname_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfsname_0, length_dfsname_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfsname_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, length_dfsname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_0 > size_comment_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_config_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_config_dn)); >- if (ndr_get_array_length(ndr, &r->in.dfs_config_dn) > ndr_get_array_size(ndr, &r->in.dfs_config_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_config_dn), ndr_get_array_length(ndr, &r->in.dfs_config_dn)); >+ size_dfs_config_dn_0 = ndr_get_array_size(ndr, &r->in.dfs_config_dn); >+ length_dfs_config_dn_0 = ndr_get_array_length(ndr, &r->in.dfs_config_dn); >+ if (length_dfs_config_dn_0 > size_dfs_config_dn_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_config_dn_0, length_dfs_config_dn_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_config_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_config_dn, ndr_get_array_length(ndr, &r->in.dfs_config_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_config_dn_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_config_dn, length_dfs_config_dn_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->in.unknown1)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown2)); >@@ -4512,6 +4682,14 @@ static enum ndr_err_code ndr_push_dfs_RemoveFtRoot(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_RemoveFtRoot(struct ndr_pull *ndr, int flags, struct dfs_RemoveFtRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_dns_servername_0 = 0; >+ uint32_t length_dns_servername_0 = 0; >+ uint32_t size_dfsname_0 = 0; >+ uint32_t length_dfsname_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; > uint32_t _ptr_unknown; > TALLOC_CTX *_mem_save_unknown_0; > TALLOC_CTX *_mem_save_unknown_1; >@@ -4520,32 +4698,40 @@ static enum ndr_err_code ndr_pull_dfs_RemoveFtRoot(struct ndr_pull *ndr, int fla > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_servername)); >- if (ndr_get_array_length(ndr, &r->in.dns_servername) > ndr_get_array_size(ndr, &r->in.dns_servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_servername), ndr_get_array_length(ndr, &r->in.dns_servername)); >+ size_dns_servername_0 = ndr_get_array_size(ndr, &r->in.dns_servername); >+ length_dns_servername_0 = ndr_get_array_length(ndr, &r->in.dns_servername); >+ if (length_dns_servername_0 > size_dns_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_servername_0, length_dns_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, length_dns_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfsname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfsname)); >- if (ndr_get_array_length(ndr, &r->in.dfsname) > ndr_get_array_size(ndr, &r->in.dfsname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfsname), ndr_get_array_length(ndr, &r->in.dfsname)); >+ size_dfsname_0 = ndr_get_array_size(ndr, &r->in.dfsname); >+ length_dfsname_0 = ndr_get_array_length(ndr, &r->in.dfsname); >+ if (length_dfsname_0 > size_dfsname_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfsname_0, length_dfsname_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfsname_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, length_dfsname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown)); > if (_ptr_unknown) { >@@ -4673,28 +4859,40 @@ static enum ndr_err_code ndr_push_dfs_AddStdRoot(struct ndr_push *ndr, int flags > > static enum ndr_err_code ndr_pull_dfs_AddStdRoot(struct ndr_pull *ndr, int flags, struct dfs_AddStdRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; >+ uint32_t size_comment_0 = 0; >+ uint32_t length_comment_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_0 > size_comment_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -4749,21 +4947,29 @@ static enum ndr_err_code ndr_push_dfs_RemoveStdRoot(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_dfs_RemoveStdRoot(struct ndr_pull *ndr, int flags, struct dfs_RemoveStdRoot *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -4816,14 +5022,18 @@ static enum ndr_err_code ndr_push_dfs_ManagerInitialize(struct ndr_push *ndr, in > > static enum ndr_err_code ndr_pull_dfs_ManagerInitialize(struct ndr_pull *ndr, int flags, struct dfs_ManagerInitialize *r) > { >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -4886,35 +5096,51 @@ static enum ndr_err_code ndr_push_dfs_AddStdRootForced(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_dfs_AddStdRootForced(struct ndr_pull *ndr, int flags, struct dfs_AddStdRootForced *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; >+ uint32_t size_comment_0 = 0; >+ uint32_t length_comment_0 = 0; >+ uint32_t size_store_0 = 0; >+ uint32_t length_store_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); >- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); >+ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); >+ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); >+ if (length_comment_0 > size_comment_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.store)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.store)); >- if (ndr_get_array_length(ndr, &r->in.store) > ndr_get_array_size(ndr, &r->in.store)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.store), ndr_get_array_length(ndr, &r->in.store)); >+ size_store_0 = ndr_get_array_size(ndr, &r->in.store); >+ length_store_0 = ndr_get_array_length(ndr, &r->in.store); >+ if (length_store_0 > size_store_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_store_0, length_store_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.store), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.store, ndr_get_array_length(ndr, &r->in.store), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_store_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.store, length_store_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -4999,7 +5225,11 @@ static enum ndr_err_code ndr_push_dfs_GetDcAddress(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int flags, struct dfs_GetDcAddress *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; > uint32_t _ptr_server_fullname; >+ uint32_t size_server_fullname_2 = 0; >+ uint32_t length_server_fullname_2 = 0; > TALLOC_CTX *_mem_save_server_fullname_0; > TALLOC_CTX *_mem_save_server_fullname_1; > TALLOC_CTX *_mem_save_is_root_0; >@@ -5009,11 +5239,13 @@ static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int fla > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.server_fullname); > } >@@ -5030,11 +5262,13 @@ static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, *r->in.server_fullname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->in.server_fullname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->in.server_fullname)); >- if (ndr_get_array_length(ndr, r->in.server_fullname) > ndr_get_array_size(ndr, r->in.server_fullname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->in.server_fullname), ndr_get_array_length(ndr, r->in.server_fullname)); >+ size_server_fullname_2 = ndr_get_array_size(ndr, r->in.server_fullname); >+ length_server_fullname_2 = ndr_get_array_length(ndr, r->in.server_fullname); >+ if (length_server_fullname_2 > size_server_fullname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_2, length_server_fullname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->in.server_fullname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.server_fullname, ndr_get_array_length(ndr, r->in.server_fullname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.server_fullname, length_server_fullname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -5076,11 +5310,13 @@ static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, *r->out.server_fullname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.server_fullname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.server_fullname)); >- if (ndr_get_array_length(ndr, r->out.server_fullname) > ndr_get_array_size(ndr, r->out.server_fullname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.server_fullname), ndr_get_array_length(ndr, r->out.server_fullname)); >+ size_server_fullname_2 = ndr_get_array_size(ndr, r->out.server_fullname); >+ length_server_fullname_2 = ndr_get_array_length(ndr, r->out.server_fullname); >+ if (length_server_fullname_2 > size_server_fullname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_2, length_server_fullname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.server_fullname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.server_fullname, ndr_get_array_length(ndr, r->out.server_fullname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.server_fullname, length_server_fullname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -5181,21 +5417,29 @@ static enum ndr_err_code ndr_push_dfs_SetDcAddress(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_SetDcAddress(struct ndr_pull *ndr, int flags, struct dfs_SetDcAddress *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_server_fullname_0 = 0; >+ uint32_t length_server_fullname_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_fullname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_fullname)); >- if (ndr_get_array_length(ndr, &r->in.server_fullname) > ndr_get_array_size(ndr, &r->in.server_fullname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_fullname), ndr_get_array_length(ndr, &r->in.server_fullname)); >+ size_server_fullname_0 = ndr_get_array_size(ndr, &r->in.server_fullname); >+ length_server_fullname_0 = ndr_get_array_length(ndr, &r->in.server_fullname); >+ if (length_server_fullname_0 > size_server_fullname_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_0, length_server_fullname_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_fullname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_fullname, ndr_get_array_length(ndr, &r->in.server_fullname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_fullname, length_server_fullname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.ttl)); > } >@@ -5250,21 +5494,29 @@ static enum ndr_err_code ndr_push_dfs_FlushFtTable(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_dfs_FlushFtTable(struct ndr_pull *ndr, int flags, struct dfs_FlushFtTable *r) > { >+ uint32_t size_servername_0 = 0; >+ uint32_t length_servername_0 = 0; >+ uint32_t size_rootshare_0 = 0; >+ uint32_t length_rootshare_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); >- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); >+ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); >+ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); >+ if (length_servername_0 > size_servername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); >- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); >+ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); >+ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); >+ if (length_rootshare_0 > size_rootshare_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -5411,6 +5663,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_dfs_EnumEx(struct ndr_push *ndr, int flags, > > _PUBLIC_ enum ndr_err_code ndr_pull_dfs_EnumEx(struct ndr_pull *ndr, int flags, struct dfs_EnumEx *r) > { >+ uint32_t size_dfs_name_0 = 0; >+ uint32_t length_dfs_name_0 = 0; > uint32_t _ptr_info; > uint32_t _ptr_total; > TALLOC_CTX *_mem_save_info_0; >@@ -5420,11 +5674,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dfs_EnumEx(struct ndr_pull *ndr, int flags, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_name)); >- if (ndr_get_array_length(ndr, &r->in.dfs_name) > ndr_get_array_size(ndr, &r->in.dfs_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_name), ndr_get_array_length(ndr, &r->in.dfs_name)); >+ size_dfs_name_0 = ndr_get_array_size(ndr, &r->in.dfs_name); >+ length_dfs_name_0 = ndr_get_array_length(ndr, &r->in.dfs_name); >+ if (length_dfs_name_0 > size_dfs_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_name_0, length_dfs_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_name, ndr_get_array_length(ndr, &r->in.dfs_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_name, length_dfs_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.bufsize)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info)); >diff --git a/librpc/gen_ndr/ndr_drsblobs.c b/librpc/gen_ndr/ndr_drsblobs.c >index 78baa98..bafd654 100644 >--- a/librpc/gen_ndr/ndr_drsblobs.c >+++ b/librpc/gen_ndr/ndr_drsblobs.c >@@ -70,16 +70,18 @@ static enum ndr_err_code ndr_push_replPropertyMetaDataCtr1(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_replPropertyMetaDataCtr1(struct ndr_pull *ndr, int ndr_flags, struct replPropertyMetaDataCtr1 *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, r->count); >+ size_array_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_replPropertyMetaData1(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -233,16 +235,18 @@ static enum ndr_err_code ndr_push_replUpToDateVectorCtr1(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_replUpToDateVectorCtr1(struct ndr_pull *ndr, int ndr_flags, struct replUpToDateVectorCtr1 *r) > { >+ uint32_t size_cursors_0 = 0; > uint32_t cntr_cursors_0; > TALLOC_CTX *_mem_save_cursors_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->cursors, r->count); >+ size_cursors_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); > _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); >- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { >+ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); >@@ -290,16 +294,18 @@ static enum ndr_err_code ndr_push_replUpToDateVectorCtr2(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_replUpToDateVectorCtr2(struct ndr_pull *ndr, int ndr_flags, struct replUpToDateVectorCtr2 *r) > { >+ uint32_t size_cursors_0 = 0; > uint32_t cntr_cursors_0; > TALLOC_CTX *_mem_save_cursors_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->cursors, r->count); >+ size_cursors_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); > _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); >- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { >+ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor2(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); >@@ -467,10 +473,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_repsFromTo1OtherInfo(struct ndr_push *ndr, i > > _PUBLIC_ enum ndr_err_code ndr_pull_repsFromTo1OtherInfo(struct ndr_pull *ndr, int ndr_flags, struct repsFromTo1OtherInfo *r) > { >+ uint32_t size_dns_name_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__dns_name_size)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, r->__dns_name_size, sizeof(uint8_t), CH_DOS)); >+ size_dns_name_0 = r->__dns_name_size; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, size_dns_name_0, sizeof(uint8_t), CH_DOS)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -529,6 +537,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_repsFromTo1(struct ndr_pull *ndr, int ndr_fl > { > uint32_t _ptr_other_info; > TALLOC_CTX *_mem_save_other_info_0; >+ uint32_t size_schedule_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); >@@ -548,7 +557,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_repsFromTo1(struct ndr_pull *ndr, int ndr_fl > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->other_info_length)); > NDR_CHECK(ndr_pull_drsuapi_DsReplicaNeighbourFlags(ndr, NDR_SCALARS, &r->replica_flags)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); >+ size_schedule_0 = 84; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); > NDR_CHECK(ndr_pull_drsuapi_DsReplicaHighWaterMark(ndr, NDR_SCALARS, &r->highwatermark)); > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->source_dsa_obj_guid)); >@@ -736,15 +746,17 @@ static enum ndr_err_code ndr_push_partialAttributeSetCtr1(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_partialAttributeSetCtr1(struct ndr_pull *ndr, int ndr_flags, struct partialAttributeSetCtr1 *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); >- NDR_PULL_ALLOC_N(ndr, r->array, r->count); >+ size_array_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsAttributeId(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -1170,10 +1182,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_ldapControlDirSyncCookie(struct ndr_push *nd > _PUBLIC_ enum ndr_err_code ndr_pull_ldapControlDirSyncCookie(struct ndr_pull *ndr, int ndr_flags, struct ldapControlDirSyncCookie *r) > { > uint32_t _save_relative_base_offset = ndr_pull_get_relative_base_offset(ndr); >+ uint32_t size_msds_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_setup_relative_base_offset1(ndr, r, ndr->offset)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->msds, 4, sizeof(uint8_t), CH_DOS)); >+ size_msds_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->msds, size_msds_0, sizeof(uint8_t), CH_DOS)); > { > struct ndr_pull *_ndr_blob; > NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_blob, 0, -1)); >@@ -1214,13 +1228,17 @@ static enum ndr_err_code ndr_push_supplementalCredentialsPackage(struct ndr_push > > static enum ndr_err_code ndr_pull_supplementalCredentialsPackage(struct ndr_pull *ndr, int ndr_flags, struct supplementalCredentialsPackage *r) > { >+ uint32_t size_name_0 = 0; >+ uint32_t size_data_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->name_len)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->data_len)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->reserved)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, r->name_len, sizeof(uint8_t), CH_UTF16)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data, r->data_len, sizeof(uint8_t), CH_DOS)); >+ size_name_0 = r->name_len; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, size_name_0, sizeof(uint8_t), CH_UTF16)); >+ size_data_0 = r->data_len; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data, size_data_0, sizeof(uint8_t), CH_DOS)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -1297,17 +1315,21 @@ static enum ndr_err_code ndr_push_supplementalCredentialsSubBlob(struct ndr_push > > static enum ndr_err_code ndr_pull_supplementalCredentialsSubBlob(struct ndr_pull *ndr, int ndr_flags, struct supplementalCredentialsSubBlob *r) > { >+ uint32_t size_prefix_0 = 0; >+ uint32_t size_packages_0 = 0; > uint32_t cntr_packages_0; > TALLOC_CTX *_mem_save_packages_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->prefix, 0x30, sizeof(uint16_t), CH_UTF16)); >+ size_prefix_0 = 0x30; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->prefix, size_prefix_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_supplementalCredentialsSignature(ndr, NDR_SCALARS, &r->signature)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_packages)); >- NDR_PULL_ALLOC_N(ndr, r->packages, r->num_packages); >+ size_packages_0 = r->num_packages; >+ NDR_PULL_ALLOC_N(ndr, r->packages, size_packages_0); > _mem_save_packages_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->packages, 0); >- for (cntr_packages_0 = 0; cntr_packages_0 < r->num_packages; cntr_packages_0++) { >+ for (cntr_packages_0 = 0; cntr_packages_0 < size_packages_0; cntr_packages_0++) { > NDR_CHECK(ndr_pull_supplementalCredentialsPackage(ndr, NDR_SCALARS, &r->packages[cntr_packages_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_packages_0, 0); >@@ -1667,8 +1689,10 @@ static enum ndr_err_code ndr_push_package_PrimaryKerberosCtr3(struct ndr_push *n > > static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr3(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryKerberosCtr3 *r) > { >+ uint32_t size_keys_0 = 0; > uint32_t cntr_keys_0; > TALLOC_CTX *_mem_save_keys_0; >+ uint32_t size_old_keys_0 = 0; > uint32_t cntr_old_keys_0; > TALLOC_CTX *_mem_save_old_keys_0; > if (ndr_flags & NDR_SCALARS) { >@@ -1676,17 +1700,19 @@ static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr3(struct ndr_pull *n > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_keys)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_old_keys)); > NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_SCALARS, &r->salt)); >- NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); >+ size_keys_0 = r->num_keys; >+ NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->old_keys, r->num_old_keys); >+ size_old_keys_0 = r->num_old_keys; >+ NDR_PULL_ALLOC_N(ndr, r->old_keys, size_old_keys_0); > _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); >- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { >+ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_SCALARS, &r->old_keys[cntr_old_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); >@@ -1698,15 +1724,17 @@ static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr3(struct ndr_pull *n > } > if (ndr_flags & NDR_BUFFERS) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_BUFFERS, &r->salt)); >+ size_keys_0 = r->num_keys; > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_BUFFERS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >+ size_old_keys_0 = r->num_old_keys; > _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); >- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { >+ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_BUFFERS, &r->old_keys[cntr_old_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); >@@ -1897,12 +1925,16 @@ static enum ndr_err_code ndr_push_package_PrimaryKerberosCtr4(struct ndr_push *n > > static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr4(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryKerberosCtr4 *r) > { >+ uint32_t size_keys_0 = 0; > uint32_t cntr_keys_0; > TALLOC_CTX *_mem_save_keys_0; >+ uint32_t size_service_keys_0 = 0; > uint32_t cntr_service_keys_0; > TALLOC_CTX *_mem_save_service_keys_0; >+ uint32_t size_old_keys_0 = 0; > uint32_t cntr_old_keys_0; > TALLOC_CTX *_mem_save_old_keys_0; >+ uint32_t size_older_keys_0 = 0; > uint32_t cntr_older_keys_0; > TALLOC_CTX *_mem_save_older_keys_0; > if (ndr_flags & NDR_SCALARS) { >@@ -1913,58 +1945,66 @@ static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr4(struct ndr_pull *n > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_older_keys)); > NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_SCALARS, &r->salt)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->default_iteration_count)); >- NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); >+ size_keys_0 = r->num_keys; >+ NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->service_keys, r->num_service_keys); >+ size_service_keys_0 = r->num_service_keys; >+ NDR_PULL_ALLOC_N(ndr, r->service_keys, size_service_keys_0); > _mem_save_service_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->service_keys, 0); >- for (cntr_service_keys_0 = 0; cntr_service_keys_0 < r->num_service_keys; cntr_service_keys_0++) { >+ for (cntr_service_keys_0 = 0; cntr_service_keys_0 < size_service_keys_0; cntr_service_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->service_keys[cntr_service_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_keys_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->old_keys, r->num_old_keys); >+ size_old_keys_0 = r->num_old_keys; >+ NDR_PULL_ALLOC_N(ndr, r->old_keys, size_old_keys_0); > _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); >- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { >+ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->old_keys[cntr_old_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->older_keys, r->num_older_keys); >+ size_older_keys_0 = r->num_older_keys; >+ NDR_PULL_ALLOC_N(ndr, r->older_keys, size_older_keys_0); > _mem_save_older_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->older_keys, 0); >- for (cntr_older_keys_0 = 0; cntr_older_keys_0 < r->num_older_keys; cntr_older_keys_0++) { >+ for (cntr_older_keys_0 = 0; cntr_older_keys_0 < size_older_keys_0; cntr_older_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->older_keys[cntr_older_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_older_keys_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_BUFFERS, &r->salt)); >+ size_keys_0 = r->num_keys; > _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); >- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { >+ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->keys[cntr_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); >+ size_service_keys_0 = r->num_service_keys; > _mem_save_service_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->service_keys, 0); >- for (cntr_service_keys_0 = 0; cntr_service_keys_0 < r->num_service_keys; cntr_service_keys_0++) { >+ for (cntr_service_keys_0 = 0; cntr_service_keys_0 < size_service_keys_0; cntr_service_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->service_keys[cntr_service_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_keys_0, 0); >+ size_old_keys_0 = r->num_old_keys; > _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); >- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { >+ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->old_keys[cntr_old_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); >+ size_older_keys_0 = r->num_older_keys; > _mem_save_older_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->older_keys, 0); >- for (cntr_older_keys_0 = 0; cntr_older_keys_0 < r->num_older_keys; cntr_older_keys_0++) { >+ for (cntr_older_keys_0 = 0; cntr_older_keys_0 < size_older_keys_0; cntr_older_keys_0++) { > NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->older_keys[cntr_older_keys_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_older_keys_0, 0); >@@ -2217,12 +2257,14 @@ static enum ndr_err_code ndr_push_package_PrimaryWDigestHash(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_package_PrimaryWDigestHash(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryWDigestHash *r) > { >+ uint32_t size_hash_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); >+ size_hash_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -2265,6 +2307,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_package_PrimaryWDigestBlob(struct ndr_push * > > _PUBLIC_ enum ndr_err_code ndr_pull_package_PrimaryWDigestBlob(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryWDigestBlob *r) > { >+ uint32_t size_hashes_0 = 0; > uint32_t cntr_hashes_0; > TALLOC_CTX *_mem_save_hashes_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2274,10 +2317,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_package_PrimaryWDigestBlob(struct ndr_pull * > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_hashes)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown3)); > NDR_CHECK(ndr_pull_udlong(ndr, NDR_SCALARS, &r->uuknown4)); >- NDR_PULL_ALLOC_N(ndr, r->hashes, r->num_hashes); >+ size_hashes_0 = r->num_hashes; >+ NDR_PULL_ALLOC_N(ndr, r->hashes, size_hashes_0); > _mem_save_hashes_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->hashes, 0); >- for (cntr_hashes_0 = 0; cntr_hashes_0 < r->num_hashes; cntr_hashes_0++) { >+ for (cntr_hashes_0 = 0; cntr_hashes_0 < size_hashes_0; cntr_hashes_0++) { > NDR_CHECK(ndr_pull_package_PrimaryWDigestHash(ndr, NDR_SCALARS, &r->hashes[cntr_hashes_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_hashes_0, 0); >@@ -2387,11 +2431,13 @@ static enum ndr_err_code ndr_push_AuthInfoClear(struct ndr_push *ndr, int ndr_fl > > static enum ndr_err_code ndr_pull_AuthInfoClear(struct ndr_pull *ndr, int ndr_flags, struct AuthInfoClear *r) > { >+ uint32_t size_password_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); >- NDR_PULL_ALLOC_N(ndr, r->password, r->size); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->password, r->size)); >+ size_password_0 = r->size; >+ NDR_PULL_ALLOC_N(ndr, r->password, size_password_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->password, size_password_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -2643,16 +2689,18 @@ _PUBLIC_ enum ndr_err_code ndr_push_trustCurrentPasswords(struct ndr_push *ndr, > _PUBLIC_ enum ndr_err_code ndr_pull_trustCurrentPasswords(struct ndr_pull *ndr, int ndr_flags, struct trustCurrentPasswords *r) > { > uint32_t _ptr_current; >+ uint32_t size_current_0 = 0; > uint32_t cntr_current_0; > TALLOC_CTX *_mem_save_current_0; > TALLOC_CTX *_mem_save_current_1; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); >- NDR_PULL_ALLOC_N(ndr, r->current, r->count); >+ size_current_0 = r->count; >+ NDR_PULL_ALLOC_N(ndr, r->current, size_current_0); > _mem_save_current_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->current, 0); >- for (cntr_current_0 = 0; cntr_current_0 < r->count; cntr_current_0++) { >+ for (cntr_current_0 = 0; cntr_current_0 < size_current_0; cntr_current_0++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_current)); > if (_ptr_current) { > NDR_PULL_ALLOC(ndr, r->current[cntr_current_0]); >@@ -2664,9 +2712,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_trustCurrentPasswords(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_current_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_current_0 = r->count; > _mem_save_current_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->current, 0); >- for (cntr_current_0 = 0; cntr_current_0 < r->count; cntr_current_0++) { >+ for (cntr_current_0 = 0; cntr_current_0 < size_current_0; cntr_current_0++) { > if (r->current[cntr_current_0]) { > uint32_t _relative_save_offset; > _relative_save_offset = ndr->offset; >@@ -2801,6 +2850,7 @@ static enum ndr_err_code ndr_push_ExtendedErrorAString(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_ExtendedErrorAString(struct ndr_pull *ndr, int ndr_flags, struct ExtendedErrorAString *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2817,7 +2867,8 @@ static enum ndr_err_code ndr_pull_ExtendedErrorAString(struct ndr_pull *ndr, int > _mem_save_string_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_size(ndr, &r->string), sizeof(uint8_t), CH_DOS)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, size_string_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -2860,6 +2911,7 @@ static enum ndr_err_code ndr_push_ExtendedErrorUString(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_ExtendedErrorUString(struct ndr_pull *ndr, int ndr_flags, struct ExtendedErrorUString *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2876,7 +2928,8 @@ static enum ndr_err_code ndr_pull_ExtendedErrorUString(struct ndr_pull *ndr, int > _mem_save_string_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_size(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, size_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -2919,6 +2972,7 @@ static enum ndr_err_code ndr_push_ExtendedErrorBlob(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_ExtendedErrorBlob(struct ndr_pull *ndr, int ndr_flags, struct ExtendedErrorBlob *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2935,8 +2989,9 @@ static enum ndr_err_code ndr_pull_ExtendedErrorBlob(struct ndr_pull *ndr, int nd > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -3400,6 +3455,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_ExtendedErrorInfo(struct ndr_pull *ndr, int > { > uint32_t _ptr_next; > TALLOC_CTX *_mem_save_next_0; >+ uint32_t size_params_0 = 0; > uint32_t cntr_params_0; > TALLOC_CTX *_mem_save_params_0; > if (ndr_flags & NDR_SCALARS) { >@@ -3419,10 +3475,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_ExtendedErrorInfo(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->detection_location)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->flags)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_params)); >- NDR_PULL_ALLOC_N(ndr, r->params, ndr_get_array_size(ndr, &r->params)); >+ size_params_0 = ndr_get_array_size(ndr, &r->params); >+ NDR_PULL_ALLOC_N(ndr, r->params, size_params_0); > _mem_save_params_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->params, 0); >- for (cntr_params_0 = 0; cntr_params_0 < r->num_params; cntr_params_0++) { >+ for (cntr_params_0 = 0; cntr_params_0 < size_params_0; cntr_params_0++) { > NDR_CHECK(ndr_pull_ExtendedErrorParam(ndr, NDR_SCALARS, &r->params[cntr_params_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_params_0, 0); >@@ -3438,9 +3495,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_ExtendedErrorInfo(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_next_0, 0); > } > NDR_CHECK(ndr_pull_ExtendedErrorComputerName(ndr, NDR_BUFFERS, &r->computer_name)); >+ size_params_0 = ndr_get_array_size(ndr, &r->params); > _mem_save_params_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->params, 0); >- for (cntr_params_0 = 0; cntr_params_0 < r->num_params; cntr_params_0++) { >+ for (cntr_params_0 = 0; cntr_params_0 < size_params_0; cntr_params_0++) { > NDR_CHECK(ndr_pull_ExtendedErrorParam(ndr, NDR_BUFFERS, &r->params[cntr_params_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_params_0, 0); >diff --git a/librpc/gen_ndr/ndr_drsuapi.c b/librpc/gen_ndr/ndr_drsuapi.c >index 336f56f..8ef414c 100644 >--- a/librpc/gen_ndr/ndr_drsuapi.c >+++ b/librpc/gen_ndr/ndr_drsuapi.c >@@ -455,6 +455,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaObjectIdentifier(struct ndr > > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjectIdentifier *r) > { >+ uint32_t size_dn_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->dn)); > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -463,7 +464,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier(struct ndr > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); > NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_SCALARS, &r->sid)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_dn)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, ndr_get_array_size(ndr, &r->dn), sizeof(uint16_t), CH_UTF16)); >+ size_dn_0 = ndr_get_array_size(ndr, &r->dn); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, size_dn_0, sizeof(uint16_t), CH_UTF16)); > if (r->dn) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->dn, r->__ndr_size_dn + 1)); > } >@@ -803,6 +805,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursorCtrEx(struct ndr_push * > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtrEx(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursorCtrEx *r) > { >+ uint32_t size_cursors_0 = 0; > uint32_t cntr_cursors_0; > TALLOC_CTX *_mem_save_cursors_0; > if (ndr_flags & NDR_SCALARS) { >@@ -815,10 +818,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtrEx(struct ndr_pull * > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved2)); >- NDR_PULL_ALLOC_N(ndr, r->cursors, ndr_get_array_size(ndr, &r->cursors)); >+ size_cursors_0 = ndr_get_array_size(ndr, &r->cursors); >+ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); > _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); >- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { >+ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); >@@ -1160,6 +1164,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaOIDMapping_Ctr(struct ndr_p > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaOIDMapping_Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOIDMapping_Ctr *r) > { > uint32_t _ptr_mappings; >+ uint32_t size_mappings_1 = 0; > uint32_t cntr_mappings_1; > TALLOC_CTX *_mem_save_mappings_0; > TALLOC_CTX *_mem_save_mappings_1; >@@ -1181,13 +1186,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaOIDMapping_Ctr(struct ndr_p > _mem_save_mappings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->mappings, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->mappings)); >- NDR_PULL_ALLOC_N(ndr, r->mappings, ndr_get_array_size(ndr, &r->mappings)); >+ size_mappings_1 = ndr_get_array_size(ndr, &r->mappings); >+ NDR_PULL_ALLOC_N(ndr, r->mappings, size_mappings_1); > _mem_save_mappings_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->mappings, 0); >- for (cntr_mappings_1 = 0; cntr_mappings_1 < r->num_mappings; cntr_mappings_1++) { >+ for (cntr_mappings_1 = 0; cntr_mappings_1 < size_mappings_1; cntr_mappings_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaOIDMapping(ndr, NDR_SCALARS, &r->mappings[cntr_mappings_1])); > } >- for (cntr_mappings_1 = 0; cntr_mappings_1 < r->num_mappings; cntr_mappings_1++) { >+ for (cntr_mappings_1 = 0; cntr_mappings_1 < size_mappings_1; cntr_mappings_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaOIDMapping(ndr, NDR_BUFFERS, &r->mappings[cntr_mappings_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_mappings_1, 0); >@@ -1343,6 +1349,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsPartialAttributeSet(struct ndr_push > > static enum ndr_err_code ndr_pull_drsuapi_DsPartialAttributeSet(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsPartialAttributeSet *r) > { >+ uint32_t size_attids_0 = 0; > uint32_t cntr_attids_0; > TALLOC_CTX *_mem_save_attids_0; > if (ndr_flags & NDR_SCALARS) { >@@ -1354,10 +1361,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsPartialAttributeSet(struct ndr_pull > if (r->num_attids < 1 || r->num_attids > 0x100000) { > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_PULL_ALLOC_N(ndr, r->attids, ndr_get_array_size(ndr, &r->attids)); >+ size_attids_0 = ndr_get_array_size(ndr, &r->attids); >+ NDR_PULL_ALLOC_N(ndr, r->attids, size_attids_0); > _mem_save_attids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attids, 0); >- for (cntr_attids_0 = 0; cntr_attids_0 < r->num_attids; cntr_attids_0++) { >+ for (cntr_attids_0 = 0; cntr_attids_0 < size_attids_0; cntr_attids_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsAttributeId(ndr, NDR_SCALARS, &r->attids[cntr_attids_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attids_0, 0); >@@ -1692,6 +1700,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursor2CtrEx(struct ndr_push > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2CtrEx(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor2CtrEx *r) > { >+ uint32_t size_cursors_0 = 0; > uint32_t cntr_cursors_0; > TALLOC_CTX *_mem_save_cursors_0; > if (ndr_flags & NDR_SCALARS) { >@@ -1704,10 +1713,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2CtrEx(struct ndr_pull > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved2)); >- NDR_PULL_ALLOC_N(ndr, r->cursors, ndr_get_array_size(ndr, &r->cursors)); >+ size_cursors_0 = ndr_get_array_size(ndr, &r->cursors); >+ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); > _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); >- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { >+ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor2(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); >@@ -1824,6 +1834,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsAttributeValueCtr(struct ndr_push *n > static enum ndr_err_code ndr_pull_drsuapi_DsAttributeValueCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsAttributeValueCtr *r) > { > uint32_t _ptr_values; >+ uint32_t size_values_1 = 0; > uint32_t cntr_values_1; > TALLOC_CTX *_mem_save_values_0; > TALLOC_CTX *_mem_save_values_1; >@@ -1845,13 +1856,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAttributeValueCtr(struct ndr_pull *n > _mem_save_values_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->values, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->values)); >- NDR_PULL_ALLOC_N(ndr, r->values, ndr_get_array_size(ndr, &r->values)); >+ size_values_1 = ndr_get_array_size(ndr, &r->values); >+ NDR_PULL_ALLOC_N(ndr, r->values, size_values_1); > _mem_save_values_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->values, 0); >- for (cntr_values_1 = 0; cntr_values_1 < r->num_values; cntr_values_1++) { >+ for (cntr_values_1 = 0; cntr_values_1 < size_values_1; cntr_values_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsAttributeValue(ndr, NDR_SCALARS, &r->values[cntr_values_1])); > } >- for (cntr_values_1 = 0; cntr_values_1 < r->num_values; cntr_values_1++) { >+ for (cntr_values_1 = 0; cntr_values_1 < size_values_1; cntr_values_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsAttributeValue(ndr, NDR_BUFFERS, &r->values[cntr_values_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_values_1, 0); >@@ -1907,6 +1919,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaObjectIdentifier3(struct nd > > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjectIdentifier3 *r) > { >+ uint32_t size_dn_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size)); >@@ -1914,7 +1927,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3(struct nd > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); > NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_SCALARS, &r->sid)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_dn)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, r->__ndr_size_dn + 1, sizeof(uint16_t), CH_UTF16)); >+ size_dn_0 = r->__ndr_size_dn + 1; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, size_dn_0, sizeof(uint16_t), CH_UTF16)); > } > if (ndr_flags & NDR_BUFFERS) { > NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_BUFFERS, &r->sid)); >@@ -1966,6 +1980,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaObjectIdentifier3Binary(str > > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3Binary(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjectIdentifier3Binary *r) > { >+ uint32_t size_dn_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size)); >@@ -1973,7 +1988,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3Binary(str > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); > NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_SCALARS, &r->sid)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_dn)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, r->__ndr_size_dn + 1, sizeof(uint16_t), CH_UTF16)); >+ size_dn_0 = r->__ndr_size_dn + 1; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, size_dn_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_binary)); > { > uint32_t _flags_save_DATA_BLOB = ndr->flags; >@@ -2068,6 +2084,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttributeCtr(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttributeCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttributeCtr *r) > { > uint32_t _ptr_attributes; >+ uint32_t size_attributes_1 = 0; > uint32_t cntr_attributes_1; > TALLOC_CTX *_mem_save_attributes_0; > TALLOC_CTX *_mem_save_attributes_1; >@@ -2089,13 +2106,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttributeCtr(struct ndr_pull > _mem_save_attributes_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attributes, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attributes)); >- NDR_PULL_ALLOC_N(ndr, r->attributes, ndr_get_array_size(ndr, &r->attributes)); >+ size_attributes_1 = ndr_get_array_size(ndr, &r->attributes); >+ NDR_PULL_ALLOC_N(ndr, r->attributes, size_attributes_1); > _mem_save_attributes_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attributes, 0); >- for (cntr_attributes_1 = 0; cntr_attributes_1 < r->num_attributes; cntr_attributes_1++) { >+ for (cntr_attributes_1 = 0; cntr_attributes_1 < size_attributes_1; cntr_attributes_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttribute(ndr, NDR_SCALARS, &r->attributes[cntr_attributes_1])); > } >- for (cntr_attributes_1 = 0; cntr_attributes_1 < r->num_attributes; cntr_attributes_1++) { >+ for (cntr_attributes_1 = 0; cntr_attributes_1 < size_attributes_1; cntr_attributes_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttribute(ndr, NDR_BUFFERS, &r->attributes[cntr_attributes_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attributes_1, 0); >@@ -2272,6 +2290,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_drsuapi_DsReplicaMetaDataCtr(struct ndr_push > > _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaMetaDataCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaMetaDataCtr *r) > { >+ uint32_t size_meta_data_0 = 0; > uint32_t cntr_meta_data_0; > TALLOC_CTX *_mem_save_meta_data_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2281,10 +2300,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaMetaDataCtr(struct ndr_pull > if (r->count > 1048576) { > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_PULL_ALLOC_N(ndr, r->meta_data, ndr_get_array_size(ndr, &r->meta_data)); >+ size_meta_data_0 = ndr_get_array_size(ndr, &r->meta_data); >+ NDR_PULL_ALLOC_N(ndr, r->meta_data, size_meta_data_0); > _mem_save_meta_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->meta_data, 0); >- for (cntr_meta_data_0 = 0; cntr_meta_data_0 < r->count; cntr_meta_data_0++) { >+ for (cntr_meta_data_0 = 0; cntr_meta_data_0 < size_meta_data_0; cntr_meta_data_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaMetaData(ndr, NDR_SCALARS, &r->meta_data[cntr_meta_data_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_meta_data_0, 0); >@@ -2675,6 +2695,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsGetNCChangesCtr6(struct ndr_pull * > uint32_t _ptr_first_object; > TALLOC_CTX *_mem_save_first_object_0; > uint32_t _ptr_linked_attributes; >+ uint32_t size_linked_attributes_1 = 0; > uint32_t cntr_linked_attributes_1; > TALLOC_CTX *_mem_save_linked_attributes_0; > TALLOC_CTX *_mem_save_linked_attributes_1; >@@ -2745,13 +2766,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsGetNCChangesCtr6(struct ndr_pull * > _mem_save_linked_attributes_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->linked_attributes, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->linked_attributes)); >- NDR_PULL_ALLOC_N(ndr, r->linked_attributes, ndr_get_array_size(ndr, &r->linked_attributes)); >+ size_linked_attributes_1 = ndr_get_array_size(ndr, &r->linked_attributes); >+ NDR_PULL_ALLOC_N(ndr, r->linked_attributes, size_linked_attributes_1); > _mem_save_linked_attributes_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->linked_attributes, 0); >- for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < r->linked_attributes_count; cntr_linked_attributes_1++) { >+ for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < size_linked_attributes_1; cntr_linked_attributes_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaLinkedAttribute(ndr, NDR_SCALARS, &r->linked_attributes[cntr_linked_attributes_1])); > } >- for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < r->linked_attributes_count; cntr_linked_attributes_1++) { >+ for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < size_linked_attributes_1; cntr_linked_attributes_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaLinkedAttribute(ndr, NDR_BUFFERS, &r->linked_attributes[cntr_linked_attributes_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_linked_attributes_1, 0); >@@ -3546,6 +3568,8 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaUpdateRefsRequest1(struct ndr > uint32_t _ptr_naming_context; > TALLOC_CTX *_mem_save_naming_context_0; > uint32_t _ptr_dest_dsa_dns_name; >+ uint32_t size_dest_dsa_dns_name_1 = 0; >+ uint32_t length_dest_dsa_dns_name_1 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_ref_ptr(ndr, &_ptr_naming_context)); >@@ -3570,11 +3594,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaUpdateRefsRequest1(struct ndr > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_naming_context_0, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dest_dsa_dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dest_dsa_dns_name)); >- if (ndr_get_array_length(ndr, &r->dest_dsa_dns_name) > ndr_get_array_size(ndr, &r->dest_dsa_dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dest_dsa_dns_name), ndr_get_array_length(ndr, &r->dest_dsa_dns_name)); >+ size_dest_dsa_dns_name_1 = ndr_get_array_size(ndr, &r->dest_dsa_dns_name); >+ length_dest_dsa_dns_name_1 = ndr_get_array_length(ndr, &r->dest_dsa_dns_name); >+ if (length_dest_dsa_dns_name_1 > size_dest_dsa_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dest_dsa_dns_name_1, length_dest_dsa_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dest_dsa_dns_name), sizeof(uint8_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dest_dsa_dns_name, ndr_get_array_length(ndr, &r->dest_dsa_dns_name), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dest_dsa_dns_name_1, sizeof(uint8_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dest_dsa_dns_name, length_dest_dsa_dns_name_1, sizeof(uint8_t), CH_DOS)); > } > return NDR_ERR_SUCCESS; > } >@@ -3820,15 +3846,18 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetMembershipsCtr1(struct ndr_push * > static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetMembershipsCtr1 *r) > { > uint32_t _ptr_info_array; >+ uint32_t size_info_array_1 = 0; > uint32_t cntr_info_array_1; > TALLOC_CTX *_mem_save_info_array_0; > TALLOC_CTX *_mem_save_info_array_1; > TALLOC_CTX *_mem_save_info_array_2; > uint32_t _ptr_group_attrs; >+ uint32_t size_group_attrs_1 = 0; > uint32_t cntr_group_attrs_1; > TALLOC_CTX *_mem_save_group_attrs_0; > TALLOC_CTX *_mem_save_group_attrs_1; > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -3868,10 +3897,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > _mem_save_info_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->info_array)); >- NDR_PULL_ALLOC_N(ndr, r->info_array, ndr_get_array_size(ndr, &r->info_array)); >+ size_info_array_1 = ndr_get_array_size(ndr, &r->info_array); >+ NDR_PULL_ALLOC_N(ndr, r->info_array, size_info_array_1); > _mem_save_info_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); >- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->num_memberships; cntr_info_array_1++) { >+ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info_array)); > if (_ptr_info_array) { > NDR_PULL_ALLOC(ndr, r->info_array[cntr_info_array_1]); >@@ -3879,7 +3909,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > r->info_array[cntr_info_array_1] = NULL; > } > } >- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->num_memberships; cntr_info_array_1++) { >+ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { > if (r->info_array[cntr_info_array_1]) { > _mem_save_info_array_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array[cntr_info_array_1], 0); >@@ -3894,10 +3924,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > _mem_save_group_attrs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->group_attrs, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->group_attrs)); >- NDR_PULL_ALLOC_N(ndr, r->group_attrs, ndr_get_array_size(ndr, &r->group_attrs)); >+ size_group_attrs_1 = ndr_get_array_size(ndr, &r->group_attrs); >+ NDR_PULL_ALLOC_N(ndr, r->group_attrs, size_group_attrs_1); > _mem_save_group_attrs_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->group_attrs, 0); >- for (cntr_group_attrs_1 = 0; cntr_group_attrs_1 < r->num_memberships; cntr_group_attrs_1++) { >+ for (cntr_group_attrs_1 = 0; cntr_group_attrs_1 < size_group_attrs_1; cntr_group_attrs_1++) { > NDR_CHECK(ndr_pull_samr_GroupAttrs(ndr, NDR_SCALARS, &r->group_attrs[cntr_group_attrs_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_attrs_1, 0); >@@ -3907,10 +3938,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sids)); > if (_ptr_sids) { > NDR_PULL_ALLOC(ndr, r->sids[cntr_sids_1]); >@@ -3918,7 +3950,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull * > r->sids[cntr_sids_1] = NULL; > } > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > if (r->sids[cntr_sids_1]) { > _mem_save_sids_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids[cntr_sids_1], 0); >@@ -4118,6 +4150,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetMembershipsRequest1(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetMembershipsRequest1 *r) > { > uint32_t _ptr_info_array; >+ uint32_t size_info_array_1 = 0; > uint32_t cntr_info_array_1; > TALLOC_CTX *_mem_save_info_array_0; > TALLOC_CTX *_mem_save_info_array_1; >@@ -4150,10 +4183,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsRequest1(struct ndr_pu > _mem_save_info_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->info_array)); >- NDR_PULL_ALLOC_N(ndr, r->info_array, ndr_get_array_size(ndr, &r->info_array)); >+ size_info_array_1 = ndr_get_array_size(ndr, &r->info_array); >+ NDR_PULL_ALLOC_N(ndr, r->info_array, size_info_array_1); > _mem_save_info_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); >- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->count; cntr_info_array_1++) { >+ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info_array)); > if (_ptr_info_array) { > NDR_PULL_ALLOC(ndr, r->info_array[cntr_info_array_1]); >@@ -4161,7 +4195,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsRequest1(struct ndr_pu > r->info_array[cntr_info_array_1] = NULL; > } > } >- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->count; cntr_info_array_1++) { >+ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { > if (r->info_array[cntr_info_array_1]) { > _mem_save_info_array_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info_array[cntr_info_array_1], 0); >@@ -4318,6 +4352,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetNT4ChangeLogRequest1(struct ndr_p > static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetNT4ChangeLogRequest1 *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4339,8 +4374,9 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogRequest1(struct ndr_p > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -4473,8 +4509,10 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetNT4ChangeLogInfo1(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogInfo1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetNT4ChangeLogInfo1 *r) > { > uint32_t _ptr_data1; >+ uint32_t size_data1_1 = 0; > TALLOC_CTX *_mem_save_data1_0; > uint32_t _ptr_data2; >+ uint32_t size_data2_1 = 0; > TALLOC_CTX *_mem_save_data2_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -4511,16 +4549,18 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogInfo1(struct ndr_pull > _mem_save_data1_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data1)); >- NDR_PULL_ALLOC_N(ndr, r->data1, ndr_get_array_size(ndr, &r->data1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data1, ndr_get_array_size(ndr, &r->data1))); >+ size_data1_1 = ndr_get_array_size(ndr, &r->data1); >+ NDR_PULL_ALLOC_N(ndr, r->data1, size_data1_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data1, size_data1_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data1_0, 0); > } > if (r->data2) { > _mem_save_data2_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data2)); >- NDR_PULL_ALLOC_N(ndr, r->data2, ndr_get_array_size(ndr, &r->data2)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data2, ndr_get_array_size(ndr, &r->data2))); >+ size_data2_1 = ndr_get_array_size(ndr, &r->data2); >+ NDR_PULL_ALLOC_N(ndr, r->data2, size_data2_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data2, size_data2_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data2_0, 0); > } > if (r->data1) { >@@ -4749,6 +4789,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsNameString(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsNameString(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameString *r) > { > uint32_t _ptr_str; >+ uint32_t size_str_1 = 0; >+ uint32_t length_str_1 = 0; > TALLOC_CTX *_mem_save_str_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4765,11 +4807,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameString(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->str, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->str)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->str)); >- if (ndr_get_array_length(ndr, &r->str) > ndr_get_array_size(ndr, &r->str)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->str), ndr_get_array_length(ndr, &r->str)); >+ size_str_1 = ndr_get_array_size(ndr, &r->str); >+ length_str_1 = ndr_get_array_length(ndr, &r->str); >+ if (length_str_1 > size_str_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_str_1, length_str_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->str), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str, ndr_get_array_length(ndr, &r->str), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_str_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str, length_str_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_str_0, 0); > } > } >@@ -4819,6 +4863,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsNameRequest1(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_drsuapi_DsNameRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameRequest1 *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -4845,13 +4890,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameRequest1(struct ndr_pull *ndr, i > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -4996,8 +5042,12 @@ static enum ndr_err_code ndr_push_drsuapi_DsNameInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsNameInfo1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameInfo1 *r) > { > uint32_t _ptr_dns_domain_name; >+ uint32_t size_dns_domain_name_1 = 0; >+ uint32_t length_dns_domain_name_1 = 0; > TALLOC_CTX *_mem_save_dns_domain_name_0; > uint32_t _ptr_result_name; >+ uint32_t size_result_name_1 = 0; >+ uint32_t length_result_name_1 = 0; > TALLOC_CTX *_mem_save_result_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -5021,11 +5071,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->dns_domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_domain_name)); >- if (ndr_get_array_length(ndr, &r->dns_domain_name) > ndr_get_array_size(ndr, &r->dns_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_domain_name), ndr_get_array_length(ndr, &r->dns_domain_name)); >+ size_dns_domain_name_1 = ndr_get_array_size(ndr, &r->dns_domain_name); >+ length_dns_domain_name_1 = ndr_get_array_length(ndr, &r->dns_domain_name); >+ if (length_dns_domain_name_1 > size_dns_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_domain_name_1, length_dns_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain_name, ndr_get_array_length(ndr, &r->dns_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain_name, length_dns_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_domain_name_0, 0); > } > if (r->result_name) { >@@ -5033,11 +5085,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->result_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->result_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->result_name)); >- if (ndr_get_array_length(ndr, &r->result_name) > ndr_get_array_size(ndr, &r->result_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->result_name), ndr_get_array_length(ndr, &r->result_name)); >+ size_result_name_1 = ndr_get_array_size(ndr, &r->result_name); >+ length_result_name_1 = ndr_get_array_length(ndr, &r->result_name); >+ if (length_result_name_1 > size_result_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_result_name_1, length_result_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->result_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->result_name, ndr_get_array_length(ndr, &r->result_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_result_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->result_name, length_result_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_result_name_0, 0); > } > } >@@ -5089,6 +5143,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsNameCtr1(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_drsuapi_DsNameCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -5107,13 +5162,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameCtr1(struct ndr_pull *ndr, int n > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -5185,6 +5241,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameCtr(struct ndr_pull *ndr, int nd > int level; > int32_t _level; > TALLOC_CTX *_mem_save_ctr1_0; >+ uint32_t _ptr_ctr1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &_level)); >@@ -5193,7 +5250,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsNameCtr(struct ndr_pull *ndr, int nd > } > switch (level) { > case 1: { >- uint32_t _ptr_ctr1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); > if (_ptr_ctr1) { > NDR_PULL_ALLOC(ndr, r->ctr1); >@@ -5304,8 +5360,11 @@ static enum ndr_err_code ndr_push_drsuapi_DsWriteAccountSpnRequest1(struct ndr_p > static enum ndr_err_code ndr_pull_drsuapi_DsWriteAccountSpnRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsWriteAccountSpnRequest1 *r) > { > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > uint32_t _ptr_spn_names; >+ uint32_t size_spn_names_1 = 0; > uint32_t cntr_spn_names_1; > TALLOC_CTX *_mem_save_spn_names_0; > TALLOC_CTX *_mem_save_spn_names_1; >@@ -5336,24 +5395,27 @@ static enum ndr_err_code ndr_pull_drsuapi_DsWriteAccountSpnRequest1(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > if (r->spn_names) { > _mem_save_spn_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->spn_names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->spn_names)); >- NDR_PULL_ALLOC_N(ndr, r->spn_names, ndr_get_array_size(ndr, &r->spn_names)); >+ size_spn_names_1 = ndr_get_array_size(ndr, &r->spn_names); >+ NDR_PULL_ALLOC_N(ndr, r->spn_names, size_spn_names_1); > _mem_save_spn_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->spn_names, 0); >- for (cntr_spn_names_1 = 0; cntr_spn_names_1 < r->count; cntr_spn_names_1++) { >+ for (cntr_spn_names_1 = 0; cntr_spn_names_1 < size_spn_names_1; cntr_spn_names_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_SCALARS, &r->spn_names[cntr_spn_names_1])); > } >- for (cntr_spn_names_1 = 0; cntr_spn_names_1 < r->count; cntr_spn_names_1++) { >+ for (cntr_spn_names_1 = 0; cntr_spn_names_1 < size_spn_names_1; cntr_spn_names_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_BUFFERS, &r->spn_names[cntr_spn_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_spn_names_1, 0); >@@ -5604,8 +5666,12 @@ static enum ndr_err_code ndr_push_drsuapi_DsRemoveDSServerRequest1(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsRemoveDSServerRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsRemoveDSServerRequest1 *r) > { > uint32_t _ptr_server_dn; >+ uint32_t size_server_dn_1 = 0; >+ uint32_t length_server_dn_1 = 0; > TALLOC_CTX *_mem_save_server_dn_0; > uint32_t _ptr_domain_dn; >+ uint32_t size_domain_dn_1 = 0; >+ uint32_t length_domain_dn_1 = 0; > TALLOC_CTX *_mem_save_domain_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -5629,11 +5695,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsRemoveDSServerRequest1(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); >- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); >+ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); >+ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); >+ if (length_server_dn_1 > size_server_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); > } > if (r->domain_dn) { >@@ -5641,11 +5709,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsRemoveDSServerRequest1(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->domain_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_dn)); >- if (ndr_get_array_length(ndr, &r->domain_dn) > ndr_get_array_size(ndr, &r->domain_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_dn), ndr_get_array_length(ndr, &r->domain_dn)); >+ size_domain_dn_1 = ndr_get_array_size(ndr, &r->domain_dn); >+ length_domain_dn_1 = ndr_get_array_length(ndr, &r->domain_dn); >+ if (length_domain_dn_1 > size_domain_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_dn_1, length_domain_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_dn, ndr_get_array_length(ndr, &r->domain_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_dn, length_domain_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_dn_0, 0); > } > } >@@ -5871,6 +5941,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfoRequest1(struct ndr_push *n > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoRequest1 *r) > { > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_domain_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -5888,11 +5960,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoRequest1(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); >- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > } >@@ -6038,14 +6112,24 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfo1 *r) > { > uint32_t _ptr_netbios_name; >+ uint32_t size_netbios_name_1 = 0; >+ uint32_t length_netbios_name_1 = 0; > TALLOC_CTX *_mem_save_netbios_name_0; > uint32_t _ptr_dns_name; >+ uint32_t size_dns_name_1 = 0; >+ uint32_t length_dns_name_1 = 0; > TALLOC_CTX *_mem_save_dns_name_0; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > TALLOC_CTX *_mem_save_site_name_0; > uint32_t _ptr_computer_dn; >+ uint32_t size_computer_dn_1 = 0; >+ uint32_t length_computer_dn_1 = 0; > TALLOC_CTX *_mem_save_computer_dn_0; > uint32_t _ptr_server_dn; >+ uint32_t size_server_dn_1 = 0; >+ uint32_t length_server_dn_1 = 0; > TALLOC_CTX *_mem_save_server_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6088,11 +6172,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); >- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); >+ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); >+ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); >+ if (length_netbios_name_1 > size_netbios_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); > } > if (r->dns_name) { >@@ -6100,11 +6186,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); >- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); >+ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); >+ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); >+ if (length_dns_name_1 > size_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); > } > if (r->site_name) { >@@ -6112,11 +6200,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_name)); >- if (ndr_get_array_length(ndr, &r->site_name) > ndr_get_array_size(ndr, &r->site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_name), ndr_get_array_length(ndr, &r->site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > if (r->computer_dn) { >@@ -6124,11 +6214,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->computer_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_dn)); >- if (ndr_get_array_length(ndr, &r->computer_dn) > ndr_get_array_size(ndr, &r->computer_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_dn), ndr_get_array_length(ndr, &r->computer_dn)); >+ size_computer_dn_1 = ndr_get_array_size(ndr, &r->computer_dn); >+ length_computer_dn_1 = ndr_get_array_length(ndr, &r->computer_dn); >+ if (length_computer_dn_1 > size_computer_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_dn_1, length_computer_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, length_computer_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_dn_0, 0); > } > if (r->server_dn) { >@@ -6136,11 +6228,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); >- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); >+ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); >+ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); >+ if (length_server_dn_1 > size_server_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); > } > } >@@ -6211,6 +6305,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfoCtr1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoCtr1 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -6232,13 +6327,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr1(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -6344,18 +6440,32 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfo2 *r) > { > uint32_t _ptr_netbios_name; >+ uint32_t size_netbios_name_1 = 0; >+ uint32_t length_netbios_name_1 = 0; > TALLOC_CTX *_mem_save_netbios_name_0; > uint32_t _ptr_dns_name; >+ uint32_t size_dns_name_1 = 0; >+ uint32_t length_dns_name_1 = 0; > TALLOC_CTX *_mem_save_dns_name_0; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > TALLOC_CTX *_mem_save_site_name_0; > uint32_t _ptr_site_dn; >+ uint32_t size_site_dn_1 = 0; >+ uint32_t length_site_dn_1 = 0; > TALLOC_CTX *_mem_save_site_dn_0; > uint32_t _ptr_computer_dn; >+ uint32_t size_computer_dn_1 = 0; >+ uint32_t length_computer_dn_1 = 0; > TALLOC_CTX *_mem_save_computer_dn_0; > uint32_t _ptr_server_dn; >+ uint32_t size_server_dn_1 = 0; >+ uint32_t length_server_dn_1 = 0; > TALLOC_CTX *_mem_save_server_dn_0; > uint32_t _ptr_ntds_dn; >+ uint32_t size_ntds_dn_1 = 0; >+ uint32_t length_ntds_dn_1 = 0; > TALLOC_CTX *_mem_save_ntds_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6415,11 +6525,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); >- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); >+ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); >+ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); >+ if (length_netbios_name_1 > size_netbios_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); > } > if (r->dns_name) { >@@ -6427,11 +6539,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); >- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); >+ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); >+ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); >+ if (length_dns_name_1 > size_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); > } > if (r->site_name) { >@@ -6439,11 +6553,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_name)); >- if (ndr_get_array_length(ndr, &r->site_name) > ndr_get_array_size(ndr, &r->site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_name), ndr_get_array_length(ndr, &r->site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > if (r->site_dn) { >@@ -6451,11 +6567,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_dn)); >- if (ndr_get_array_length(ndr, &r->site_dn) > ndr_get_array_size(ndr, &r->site_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_dn), ndr_get_array_length(ndr, &r->site_dn)); >+ size_site_dn_1 = ndr_get_array_size(ndr, &r->site_dn); >+ length_site_dn_1 = ndr_get_array_length(ndr, &r->site_dn); >+ if (length_site_dn_1 > size_site_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_dn_1, length_site_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, length_site_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_dn_0, 0); > } > if (r->computer_dn) { >@@ -6463,11 +6581,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->computer_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_dn)); >- if (ndr_get_array_length(ndr, &r->computer_dn) > ndr_get_array_size(ndr, &r->computer_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_dn), ndr_get_array_length(ndr, &r->computer_dn)); >+ size_computer_dn_1 = ndr_get_array_size(ndr, &r->computer_dn); >+ length_computer_dn_1 = ndr_get_array_length(ndr, &r->computer_dn); >+ if (length_computer_dn_1 > size_computer_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_dn_1, length_computer_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, length_computer_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_dn_0, 0); > } > if (r->server_dn) { >@@ -6475,11 +6595,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); >- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); >+ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); >+ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); >+ if (length_server_dn_1 > size_server_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); > } > if (r->ntds_dn) { >@@ -6487,11 +6609,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->ntds_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->ntds_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->ntds_dn)); >- if (ndr_get_array_length(ndr, &r->ntds_dn) > ndr_get_array_size(ndr, &r->ntds_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->ntds_dn), ndr_get_array_length(ndr, &r->ntds_dn)); >+ size_ntds_dn_1 = ndr_get_array_size(ndr, &r->ntds_dn); >+ length_ntds_dn_1 = ndr_get_array_length(ndr, &r->ntds_dn); >+ if (length_ntds_dn_1 > size_ntds_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ntds_dn_1, length_ntds_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ntds_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, length_ntds_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ntds_dn_0, 0); > } > } >@@ -6579,6 +6703,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfoCtr2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoCtr2 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -6600,13 +6725,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr2(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -6713,18 +6839,32 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfo3(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfo3 *r) > { > uint32_t _ptr_netbios_name; >+ uint32_t size_netbios_name_1 = 0; >+ uint32_t length_netbios_name_1 = 0; > TALLOC_CTX *_mem_save_netbios_name_0; > uint32_t _ptr_dns_name; >+ uint32_t size_dns_name_1 = 0; >+ uint32_t length_dns_name_1 = 0; > TALLOC_CTX *_mem_save_dns_name_0; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > TALLOC_CTX *_mem_save_site_name_0; > uint32_t _ptr_site_dn; >+ uint32_t size_site_dn_1 = 0; >+ uint32_t length_site_dn_1 = 0; > TALLOC_CTX *_mem_save_site_dn_0; > uint32_t _ptr_computer_dn; >+ uint32_t size_computer_dn_1 = 0; >+ uint32_t length_computer_dn_1 = 0; > TALLOC_CTX *_mem_save_computer_dn_0; > uint32_t _ptr_server_dn; >+ uint32_t size_server_dn_1 = 0; >+ uint32_t length_server_dn_1 = 0; > TALLOC_CTX *_mem_save_server_dn_0; > uint32_t _ptr_ntds_dn; >+ uint32_t size_ntds_dn_1 = 0; >+ uint32_t length_ntds_dn_1 = 0; > TALLOC_CTX *_mem_save_ntds_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6785,11 +6925,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); >- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); >+ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); >+ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); >+ if (length_netbios_name_1 > size_netbios_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); > } > if (r->dns_name) { >@@ -6797,11 +6939,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); >- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); >+ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); >+ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); >+ if (length_dns_name_1 > size_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); > } > if (r->site_name) { >@@ -6809,11 +6953,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_name)); >- if (ndr_get_array_length(ndr, &r->site_name) > ndr_get_array_size(ndr, &r->site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_name), ndr_get_array_length(ndr, &r->site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > if (r->site_dn) { >@@ -6821,11 +6967,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->site_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_dn)); >- if (ndr_get_array_length(ndr, &r->site_dn) > ndr_get_array_size(ndr, &r->site_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_dn), ndr_get_array_length(ndr, &r->site_dn)); >+ size_site_dn_1 = ndr_get_array_size(ndr, &r->site_dn); >+ length_site_dn_1 = ndr_get_array_length(ndr, &r->site_dn); >+ if (length_site_dn_1 > size_site_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_dn_1, length_site_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, length_site_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_dn_0, 0); > } > if (r->computer_dn) { >@@ -6833,11 +6981,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->computer_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_dn)); >- if (ndr_get_array_length(ndr, &r->computer_dn) > ndr_get_array_size(ndr, &r->computer_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_dn), ndr_get_array_length(ndr, &r->computer_dn)); >+ size_computer_dn_1 = ndr_get_array_size(ndr, &r->computer_dn); >+ length_computer_dn_1 = ndr_get_array_length(ndr, &r->computer_dn); >+ if (length_computer_dn_1 > size_computer_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_dn_1, length_computer_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, length_computer_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_dn_0, 0); > } > if (r->server_dn) { >@@ -6845,11 +6995,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); >- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); >+ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); >+ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); >+ if (length_server_dn_1 > size_server_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); > } > if (r->ntds_dn) { >@@ -6857,11 +7009,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->ntds_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->ntds_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->ntds_dn)); >- if (ndr_get_array_length(ndr, &r->ntds_dn) > ndr_get_array_size(ndr, &r->ntds_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->ntds_dn), ndr_get_array_length(ndr, &r->ntds_dn)); >+ size_ntds_dn_1 = ndr_get_array_size(ndr, &r->ntds_dn); >+ length_ntds_dn_1 = ndr_get_array_length(ndr, &r->ntds_dn); >+ if (length_ntds_dn_1 > size_ntds_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ntds_dn_1, length_ntds_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_ntds_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, length_ntds_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ntds_dn_0, 0); > } > } >@@ -6950,6 +7104,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCInfoCtr3(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoCtr3 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -6971,13 +7126,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr3(struct ndr_pull *ndr, > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo3(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo3(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -7045,6 +7201,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCConnection01(struct ndr_push *n > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnection01(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCConnection01 *r) > { > uint32_t _ptr_client_account; >+ uint32_t size_client_account_1 = 0; >+ uint32_t length_client_account_1 = 0; > TALLOC_CTX *_mem_save_client_account_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7072,11 +7230,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnection01(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->client_account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_account)); >- if (ndr_get_array_length(ndr, &r->client_account) > ndr_get_array_size(ndr, &r->client_account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_account), ndr_get_array_length(ndr, &r->client_account)); >+ size_client_account_1 = ndr_get_array_size(ndr, &r->client_account); >+ length_client_account_1 = ndr_get_array_length(ndr, &r->client_account); >+ if (length_client_account_1 > size_client_account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_account_1, length_client_account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_account, ndr_get_array_length(ndr, &r->client_account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_account, length_client_account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_account_0, 0); > } > } >@@ -7127,6 +7287,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetDCConnectionCtr01(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnectionCtr01(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCConnectionCtr01 *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -7148,13 +7309,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnectionCtr01(struct ndr_pull > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCConnection01(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsGetDCConnection01(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -7533,6 +7695,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsAddEntryExtraErrorBuffer(struct ndr_ > static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryExtraErrorBuffer(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsAddEntryExtraErrorBuffer *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7552,8 +7715,9 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryExtraErrorBuffer(struct ndr_ > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -8083,6 +8247,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryCtr2(struct ndr_pull *ndr, i > uint32_t _ptr_id; > TALLOC_CTX *_mem_save_id_0; > uint32_t _ptr_objects; >+ uint32_t size_objects_1 = 0; > uint32_t cntr_objects_1; > TALLOC_CTX *_mem_save_objects_0; > TALLOC_CTX *_mem_save_objects_1; >@@ -8118,13 +8283,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryCtr2(struct ndr_pull *ndr, i > _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->objects)); >- NDR_PULL_ALLOC_N(ndr, r->objects, ndr_get_array_size(ndr, &r->objects)); >+ size_objects_1 = ndr_get_array_size(ndr, &r->objects); >+ NDR_PULL_ALLOC_N(ndr, r->objects, size_objects_1); > _mem_save_objects_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); >- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { >+ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_SCALARS, &r->objects[cntr_objects_1])); > } >- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { >+ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_BUFFERS, &r->objects[cntr_objects_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_1, 0); >@@ -8208,6 +8374,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryCtr3(struct ndr_pull *ndr, i > uint32_t _ptr_error; > TALLOC_CTX *_mem_save_error_0; > uint32_t _ptr_objects; >+ uint32_t size_objects_1 = 0; > uint32_t cntr_objects_1; > TALLOC_CTX *_mem_save_objects_0; > TALLOC_CTX *_mem_save_objects_1; >@@ -8255,13 +8422,14 @@ static enum ndr_err_code ndr_pull_drsuapi_DsAddEntryCtr3(struct ndr_pull *ndr, i > _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->objects)); >- NDR_PULL_ALLOC_N(ndr, r->objects, ndr_get_array_size(ndr, &r->objects)); >+ size_objects_1 = ndr_get_array_size(ndr, &r->objects); >+ NDR_PULL_ALLOC_N(ndr, r->objects, size_objects_1); > _mem_save_objects_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); >- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { >+ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_SCALARS, &r->objects[cntr_objects_1])); > } >- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { >+ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_BUFFERS, &r->objects[cntr_objects_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_1, 0); >@@ -8492,6 +8660,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaGetInfoRequest1(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaGetInfoRequest1 *r) > { > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -8510,11 +8680,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest1(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > } >@@ -8574,10 +8746,16 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaGetInfoRequest2 *r) > { > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > uint32_t _ptr_string1; >+ uint32_t size_string1_1 = 0; >+ uint32_t length_string1_1 = 0; > TALLOC_CTX *_mem_save_string1_0; > uint32_t _ptr_string2; >+ uint32_t size_string2_1 = 0; >+ uint32_t length_string2_1 = 0; > TALLOC_CTX *_mem_save_string2_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -8610,11 +8788,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > if (r->string1) { >@@ -8622,11 +8802,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->string1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string1)); >- if (ndr_get_array_length(ndr, &r->string1) > ndr_get_array_size(ndr, &r->string1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string1), ndr_get_array_length(ndr, &r->string1)); >+ size_string1_1 = ndr_get_array_size(ndr, &r->string1); >+ length_string1_1 = ndr_get_array_length(ndr, &r->string1); >+ if (length_string1_1 > size_string1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string1_1, length_string1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->string1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string1, ndr_get_array_length(ndr, &r->string1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_string1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string1, length_string1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string1_0, 0); > } > if (r->string2) { >@@ -8634,11 +8816,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->string2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string2)); >- if (ndr_get_array_length(ndr, &r->string2) > ndr_get_array_size(ndr, &r->string2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string2), ndr_get_array_length(ndr, &r->string2)); >+ size_string2_1 = ndr_get_array_size(ndr, &r->string2); >+ length_string2_1 = ndr_get_array_length(ndr, &r->string2); >+ if (length_string2_1 > size_string2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string2_1, length_string2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->string2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string2, ndr_get_array_length(ndr, &r->string2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_string2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string2, length_string2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string2_0, 0); > } > } >@@ -8822,12 +9006,20 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaNeighbour(struct ndr_push *nd > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaNeighbour *r) > { > uint32_t _ptr_naming_context_dn; >+ uint32_t size_naming_context_dn_1 = 0; >+ uint32_t length_naming_context_dn_1 = 0; > TALLOC_CTX *_mem_save_naming_context_dn_0; > uint32_t _ptr_source_dsa_obj_dn; >+ uint32_t size_source_dsa_obj_dn_1 = 0; >+ uint32_t length_source_dsa_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_source_dsa_obj_dn_0; > uint32_t _ptr_source_dsa_address; >+ uint32_t size_source_dsa_address_1 = 0; >+ uint32_t length_source_dsa_address_1 = 0; > TALLOC_CTX *_mem_save_source_dsa_address_0; > uint32_t _ptr_transport_obj_dn; >+ uint32_t size_transport_obj_dn_1 = 0; >+ uint32_t length_transport_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_transport_obj_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -8874,11 +9066,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->naming_context_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->naming_context_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->naming_context_dn)); >- if (ndr_get_array_length(ndr, &r->naming_context_dn) > ndr_get_array_size(ndr, &r->naming_context_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->naming_context_dn), ndr_get_array_length(ndr, &r->naming_context_dn)); >+ size_naming_context_dn_1 = ndr_get_array_size(ndr, &r->naming_context_dn); >+ length_naming_context_dn_1 = ndr_get_array_length(ndr, &r->naming_context_dn); >+ if (length_naming_context_dn_1 > size_naming_context_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_naming_context_dn_1, length_naming_context_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->naming_context_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->naming_context_dn, ndr_get_array_length(ndr, &r->naming_context_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_naming_context_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->naming_context_dn, length_naming_context_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_naming_context_dn_0, 0); > } > if (r->source_dsa_obj_dn) { >@@ -8886,11 +9080,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_obj_dn)); >- if (ndr_get_array_length(ndr, &r->source_dsa_obj_dn) > ndr_get_array_size(ndr, &r->source_dsa_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_obj_dn), ndr_get_array_length(ndr, &r->source_dsa_obj_dn)); >+ size_source_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->source_dsa_obj_dn); >+ length_source_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->source_dsa_obj_dn); >+ if (length_source_dsa_obj_dn_1 > size_source_dsa_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_obj_dn_1, length_source_dsa_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, length_source_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_obj_dn_0, 0); > } > if (r->source_dsa_address) { >@@ -8898,11 +9094,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_address)); >- if (ndr_get_array_length(ndr, &r->source_dsa_address) > ndr_get_array_size(ndr, &r->source_dsa_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_address), ndr_get_array_length(ndr, &r->source_dsa_address)); >+ size_source_dsa_address_1 = ndr_get_array_size(ndr, &r->source_dsa_address); >+ length_source_dsa_address_1 = ndr_get_array_length(ndr, &r->source_dsa_address); >+ if (length_source_dsa_address_1 > size_source_dsa_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_address_1, length_source_dsa_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, length_source_dsa_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_address_0, 0); > } > if (r->transport_obj_dn) { >@@ -8910,11 +9108,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->transport_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->transport_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->transport_obj_dn)); >- if (ndr_get_array_length(ndr, &r->transport_obj_dn) > ndr_get_array_size(ndr, &r->transport_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->transport_obj_dn), ndr_get_array_length(ndr, &r->transport_obj_dn)); >+ size_transport_obj_dn_1 = ndr_get_array_size(ndr, &r->transport_obj_dn); >+ length_transport_obj_dn_1 = ndr_get_array_length(ndr, &r->transport_obj_dn); >+ if (length_transport_obj_dn_1 > size_transport_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_obj_dn_1, length_transport_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->transport_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport_obj_dn, ndr_get_array_length(ndr, &r->transport_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport_obj_dn, length_transport_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_obj_dn_0, 0); > } > } >@@ -8986,6 +9186,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaNeighbourCtr(struct ndr_push > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbourCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaNeighbourCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -8993,10 +9194,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbourCtr(struct ndr_pull > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaNeighbour(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9005,9 +9207,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbourCtr(struct ndr_pull > } > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaNeighbour(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9054,6 +9257,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursorCtr(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursorCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -9061,10 +9265,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtr(struct ndr_pull *nd > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9122,6 +9327,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaObjMetaData(struct ndr_push * > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaData *r) > { > uint32_t _ptr_attribute_name; >+ uint32_t size_attribute_name_1 = 0; >+ uint32_t length_attribute_name_1 = 0; > TALLOC_CTX *_mem_save_attribute_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -9143,11 +9350,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); >- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); >+ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); >+ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); >+ if (length_attribute_name_1 > size_attribute_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); > } > } >@@ -9194,6 +9403,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaObjMetaDataCtr(struct ndr_pus > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaDataCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaDataCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -9201,10 +9411,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaDataCtr(struct ndr_pul > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9213,9 +9424,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaDataCtr(struct ndr_pul > } > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9267,6 +9479,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaKccDsaFailure(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailure(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaKccDsaFailure *r) > { > uint32_t _ptr_dsa_obj_dn; >+ uint32_t size_dsa_obj_dn_1 = 0; >+ uint32_t length_dsa_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_dsa_obj_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -9287,11 +9501,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailure(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->dsa_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dsa_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dsa_obj_dn)); >- if (ndr_get_array_length(ndr, &r->dsa_obj_dn) > ndr_get_array_size(ndr, &r->dsa_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dsa_obj_dn), ndr_get_array_length(ndr, &r->dsa_obj_dn)); >+ size_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->dsa_obj_dn); >+ length_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->dsa_obj_dn); >+ if (length_dsa_obj_dn_1 > size_dsa_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dsa_obj_dn_1, length_dsa_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dsa_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dsa_obj_dn, ndr_get_array_length(ndr, &r->dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dsa_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dsa_obj_dn, length_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dsa_obj_dn_0, 0); > } > } >@@ -9337,6 +9553,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaKccDsaFailuresCtr(struct ndr_ > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailuresCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaKccDsaFailuresCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -9344,10 +9561,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailuresCtr(struct ndr_ > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaKccDsaFailure(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9356,9 +9574,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailuresCtr(struct ndr_ > } > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaKccDsaFailure(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9609,10 +9828,16 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaOp(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOp(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOp *r) > { > uint32_t _ptr_nc_dn; >+ uint32_t size_nc_dn_1 = 0; >+ uint32_t length_nc_dn_1 = 0; > TALLOC_CTX *_mem_save_nc_dn_0; > uint32_t _ptr_remote_dsa_obj_dn; >+ uint32_t size_remote_dsa_obj_dn_1 = 0; >+ uint32_t length_remote_dsa_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_remote_dsa_obj_dn_0; > uint32_t _ptr_remote_dsa_address; >+ uint32_t size_remote_dsa_address_1 = 0; >+ uint32_t length_remote_dsa_address_1 = 0; > TALLOC_CTX *_mem_save_remote_dsa_address_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -9649,11 +9874,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOp(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->nc_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->nc_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->nc_dn)); >- if (ndr_get_array_length(ndr, &r->nc_dn) > ndr_get_array_size(ndr, &r->nc_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->nc_dn), ndr_get_array_length(ndr, &r->nc_dn)); >+ size_nc_dn_1 = ndr_get_array_size(ndr, &r->nc_dn); >+ length_nc_dn_1 = ndr_get_array_length(ndr, &r->nc_dn); >+ if (length_nc_dn_1 > size_nc_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_nc_dn_1, length_nc_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->nc_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->nc_dn, ndr_get_array_length(ndr, &r->nc_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_nc_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->nc_dn, length_nc_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_nc_dn_0, 0); > } > if (r->remote_dsa_obj_dn) { >@@ -9661,11 +9888,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOp(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->remote_dsa_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->remote_dsa_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->remote_dsa_obj_dn)); >- if (ndr_get_array_length(ndr, &r->remote_dsa_obj_dn) > ndr_get_array_size(ndr, &r->remote_dsa_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote_dsa_obj_dn), ndr_get_array_length(ndr, &r->remote_dsa_obj_dn)); >+ size_remote_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->remote_dsa_obj_dn); >+ length_remote_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->remote_dsa_obj_dn); >+ if (length_remote_dsa_obj_dn_1 > size_remote_dsa_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_dsa_obj_dn_1, length_remote_dsa_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote_dsa_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_obj_dn, ndr_get_array_length(ndr, &r->remote_dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_dsa_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_obj_dn, length_remote_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_dsa_obj_dn_0, 0); > } > if (r->remote_dsa_address) { >@@ -9673,11 +9902,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOp(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->remote_dsa_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->remote_dsa_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->remote_dsa_address)); >- if (ndr_get_array_length(ndr, &r->remote_dsa_address) > ndr_get_array_size(ndr, &r->remote_dsa_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote_dsa_address), ndr_get_array_length(ndr, &r->remote_dsa_address)); >+ size_remote_dsa_address_1 = ndr_get_array_size(ndr, &r->remote_dsa_address); >+ length_remote_dsa_address_1 = ndr_get_array_length(ndr, &r->remote_dsa_address); >+ if (length_remote_dsa_address_1 > size_remote_dsa_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_dsa_address_1, length_remote_dsa_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote_dsa_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_address, ndr_get_array_length(ndr, &r->remote_dsa_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_dsa_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_address, length_remote_dsa_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_dsa_address_0, 0); > } > } >@@ -9739,6 +9970,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaOpCtr(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOpCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOpCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -9746,10 +9978,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOpCtr(struct ndr_pull *ndr, i > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->time)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaOp(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9758,9 +9991,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOpCtr(struct ndr_pull *ndr, i > } > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaOp(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9827,8 +10061,12 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttrValMetaData(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaData *r) > { > uint32_t _ptr_attribute_name; >+ uint32_t size_attribute_name_1 = 0; >+ uint32_t length_attribute_name_1 = 0; > TALLOC_CTX *_mem_save_attribute_name_0; > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > uint32_t _ptr_binary; > TALLOC_CTX *_mem_save_binary_0; >@@ -9867,11 +10105,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); >- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); >+ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); >+ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); >+ if (length_attribute_name_1 > size_attribute_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); > } > if (r->object_dn) { >@@ -9879,11 +10119,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > if (r->binary) { >@@ -9951,6 +10193,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttrValMetaDataCtr(struct ndr > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaDataCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaDataCtr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -9958,10 +10201,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaDataCtr(struct ndr > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -9970,9 +10214,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaDataCtr(struct ndr > } > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10019,6 +10264,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursor2Ctr(struct ndr_push *n > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor2Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10026,10 +10272,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2Ctr(struct ndr_pull *n > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor2(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10085,6 +10332,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursor3(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor3 *r) > { > uint32_t _ptr_source_dsa_obj_dn; >+ uint32_t size_source_dsa_obj_dn_1 = 0; >+ uint32_t length_source_dsa_obj_dn_1 = 0; > TALLOC_CTX *_mem_save_source_dsa_obj_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -10104,11 +10353,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_obj_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_obj_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_obj_dn)); >- if (ndr_get_array_length(ndr, &r->source_dsa_obj_dn) > ndr_get_array_size(ndr, &r->source_dsa_obj_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_obj_dn), ndr_get_array_length(ndr, &r->source_dsa_obj_dn)); >+ size_source_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->source_dsa_obj_dn); >+ length_source_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->source_dsa_obj_dn); >+ if (length_source_dsa_obj_dn_1 > size_source_dsa_obj_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_obj_dn_1, length_source_dsa_obj_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_obj_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, length_source_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_obj_dn_0, 0); > } > } >@@ -10153,6 +10404,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaCursor3Ctr(struct ndr_push *n > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor3Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10160,10 +10412,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3Ctr(struct ndr_pull *n > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor3(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10172,9 +10425,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3Ctr(struct ndr_pull *n > } > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor3(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10234,8 +10488,12 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaObjMetaData2(struct ndr_push > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaData2 *r) > { > uint32_t _ptr_attribute_name; >+ uint32_t size_attribute_name_1 = 0; >+ uint32_t length_attribute_name_1 = 0; > TALLOC_CTX *_mem_save_attribute_name_0; > uint32_t _ptr_originating_dsa_dn; >+ uint32_t size_originating_dsa_dn_1 = 0; >+ uint32_t length_originating_dsa_dn_1 = 0; > TALLOC_CTX *_mem_save_originating_dsa_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -10263,11 +10521,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); >- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); >+ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); >+ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); >+ if (length_attribute_name_1 > size_attribute_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); > } > if (r->originating_dsa_dn) { >@@ -10275,11 +10535,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->originating_dsa_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->originating_dsa_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->originating_dsa_dn)); >- if (ndr_get_array_length(ndr, &r->originating_dsa_dn) > ndr_get_array_size(ndr, &r->originating_dsa_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->originating_dsa_dn), ndr_get_array_length(ndr, &r->originating_dsa_dn)); >+ size_originating_dsa_dn_1 = ndr_get_array_size(ndr, &r->originating_dsa_dn); >+ length_originating_dsa_dn_1 = ndr_get_array_length(ndr, &r->originating_dsa_dn); >+ if (length_originating_dsa_dn_1 > size_originating_dsa_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_originating_dsa_dn_1, length_originating_dsa_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_originating_dsa_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, length_originating_dsa_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_originating_dsa_dn_0, 0); > } > } >@@ -10332,6 +10594,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaObjMetaData2Ctr(struct ndr_pu > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaData2Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10339,10 +10602,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2Ctr(struct ndr_pu > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData2(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10351,9 +10615,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2Ctr(struct ndr_pu > } > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData2(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10427,12 +10692,18 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttrValMetaData2(struct ndr_p > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaData2 *r) > { > uint32_t _ptr_attribute_name; >+ uint32_t size_attribute_name_1 = 0; >+ uint32_t length_attribute_name_1 = 0; > TALLOC_CTX *_mem_save_attribute_name_0; > uint32_t _ptr_object_dn; >+ uint32_t size_object_dn_1 = 0; >+ uint32_t length_object_dn_1 = 0; > TALLOC_CTX *_mem_save_object_dn_0; > uint32_t _ptr_binary; > TALLOC_CTX *_mem_save_binary_0; > uint32_t _ptr_originating_dsa_dn; >+ uint32_t size_originating_dsa_dn_1 = 0; >+ uint32_t length_originating_dsa_dn_1 = 0; > TALLOC_CTX *_mem_save_originating_dsa_dn_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -10475,11 +10746,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); >- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); >+ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); >+ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); >+ if (length_attribute_name_1 > size_attribute_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); > } > if (r->object_dn) { >@@ -10487,11 +10760,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); >- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); >+ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); >+ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); >+ if (length_object_dn_1 > size_object_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); > } > if (r->binary) { >@@ -10505,11 +10780,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->originating_dsa_dn, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->originating_dsa_dn)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->originating_dsa_dn)); >- if (ndr_get_array_length(ndr, &r->originating_dsa_dn) > ndr_get_array_size(ndr, &r->originating_dsa_dn)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->originating_dsa_dn), ndr_get_array_length(ndr, &r->originating_dsa_dn)); >+ size_originating_dsa_dn_1 = ndr_get_array_size(ndr, &r->originating_dsa_dn); >+ length_originating_dsa_dn_1 = ndr_get_array_length(ndr, &r->originating_dsa_dn); >+ if (length_originating_dsa_dn_1 > size_originating_dsa_dn_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_originating_dsa_dn_1, length_originating_dsa_dn_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_originating_dsa_dn_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, length_originating_dsa_dn_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_originating_dsa_dn_0, 0); > } > } >@@ -10577,6 +10854,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaAttrValMetaData2Ctr(struct nd > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaData2Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10584,10 +10862,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2Ctr(struct nd > NDR_CHECK(ndr_pull_align(ndr, 8)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); > NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->enumeration_context)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData2(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10596,9 +10875,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2Ctr(struct nd > } > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData2(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10703,6 +10983,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplicaConnection04Ctr(struct ndr_pu > > static enum ndr_err_code ndr_pull_drsuapi_DsReplicaConnection04Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaConnection04Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10713,10 +10994,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaConnection04Ctr(struct ndr_pu > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplicaConnection04(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10776,6 +11058,8 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplica06(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_drsuapi_DsReplica06(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplica06 *r) > { > uint32_t _ptr_str1; >+ uint32_t size_str1_1 = 0; >+ uint32_t length_str1_1 = 0; > TALLOC_CTX *_mem_save_str1_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -10799,11 +11083,13 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplica06(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->str1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->str1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->str1)); >- if (ndr_get_array_length(ndr, &r->str1) > ndr_get_array_size(ndr, &r->str1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->str1), ndr_get_array_length(ndr, &r->str1)); >+ size_str1_1 = ndr_get_array_size(ndr, &r->str1); >+ length_str1_1 = ndr_get_array_length(ndr, &r->str1); >+ if (length_str1_1 > size_str1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_str1_1, length_str1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->str1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str1, ndr_get_array_length(ndr, &r->str1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_str1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str1, length_str1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_str1_0, 0); > } > } >@@ -10852,6 +11138,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsReplica06Ctr(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_drsuapi_DsReplica06Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplica06Ctr *r) > { >+ uint32_t size_array_0 = 0; > uint32_t cntr_array_0; > TALLOC_CTX *_mem_save_array_0; > if (ndr_flags & NDR_SCALARS) { >@@ -10862,10 +11149,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplica06Ctr(struct ndr_pull *ndr, i > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_0 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplica06(ndr, NDR_SCALARS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -10874,9 +11162,10 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplica06Ctr(struct ndr_pull *ndr, i > } > } > if (ndr_flags & NDR_BUFFERS) { >+ size_array_0 = ndr_get_array_size(ndr, &r->array); > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { >+ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { > NDR_CHECK(ndr_pull_drsuapi_DsReplica06(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); >@@ -11079,20 +11368,35 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_neighbours_0; >+ uint32_t _ptr_neighbours; > TALLOC_CTX *_mem_save_cursors_0; >+ uint32_t _ptr_cursors; > TALLOC_CTX *_mem_save_objmetadata_0; >+ uint32_t _ptr_objmetadata; > TALLOC_CTX *_mem_save_connectfailures_0; >+ uint32_t _ptr_connectfailures; > TALLOC_CTX *_mem_save_linkfailures_0; >+ uint32_t _ptr_linkfailures; > TALLOC_CTX *_mem_save_pendingops_0; >+ uint32_t _ptr_pendingops; > TALLOC_CTX *_mem_save_attrvalmetadata_0; >+ uint32_t _ptr_attrvalmetadata; > TALLOC_CTX *_mem_save_cursors2_0; >+ uint32_t _ptr_cursors2; > TALLOC_CTX *_mem_save_cursors3_0; >+ uint32_t _ptr_cursors3; > TALLOC_CTX *_mem_save_objmetadata2_0; >+ uint32_t _ptr_objmetadata2; > TALLOC_CTX *_mem_save_attrvalmetadata2_0; >+ uint32_t _ptr_attrvalmetadata2; > TALLOC_CTX *_mem_save_neighbours02_0; >+ uint32_t _ptr_neighbours02; > TALLOC_CTX *_mem_save_connections04_0; >+ uint32_t _ptr_connections04; > TALLOC_CTX *_mem_save_cursors05_0; >+ uint32_t _ptr_cursors05; > TALLOC_CTX *_mem_save_i06_0; >+ uint32_t _ptr_i06; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -11101,7 +11405,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > } > switch (level) { > case DRSUAPI_DS_REPLICA_INFO_NEIGHBORS: { >- uint32_t _ptr_neighbours; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_neighbours)); > if (_ptr_neighbours) { > NDR_PULL_ALLOC(ndr, r->neighbours); >@@ -11111,7 +11414,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CURSORS: { >- uint32_t _ptr_cursors; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors)); > if (_ptr_cursors) { > NDR_PULL_ALLOC(ndr, r->cursors); >@@ -11121,7 +11423,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_OBJ_METADATA: { >- uint32_t _ptr_objmetadata; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_objmetadata)); > if (_ptr_objmetadata) { > NDR_PULL_ALLOC(ndr, r->objmetadata); >@@ -11131,7 +11432,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_KCC_DSA_CONNECT_FAILURES: { >- uint32_t _ptr_connectfailures; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_connectfailures)); > if (_ptr_connectfailures) { > NDR_PULL_ALLOC(ndr, r->connectfailures); >@@ -11141,7 +11441,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_KCC_DSA_LINK_FAILURES: { >- uint32_t _ptr_linkfailures; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_linkfailures)); > if (_ptr_linkfailures) { > NDR_PULL_ALLOC(ndr, r->linkfailures); >@@ -11151,7 +11450,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_PENDING_OPS: { >- uint32_t _ptr_pendingops; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_pendingops)); > if (_ptr_pendingops) { > NDR_PULL_ALLOC(ndr, r->pendingops); >@@ -11161,7 +11459,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_ATTRIBUTE_VALUE_METADATA: { >- uint32_t _ptr_attrvalmetadata; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_attrvalmetadata)); > if (_ptr_attrvalmetadata) { > NDR_PULL_ALLOC(ndr, r->attrvalmetadata); >@@ -11171,7 +11468,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CURSORS2: { >- uint32_t _ptr_cursors2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors2)); > if (_ptr_cursors2) { > NDR_PULL_ALLOC(ndr, r->cursors2); >@@ -11181,7 +11477,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CURSORS3: { >- uint32_t _ptr_cursors3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors3)); > if (_ptr_cursors3) { > NDR_PULL_ALLOC(ndr, r->cursors3); >@@ -11191,7 +11486,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_OBJ_METADATA2: { >- uint32_t _ptr_objmetadata2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_objmetadata2)); > if (_ptr_objmetadata2) { > NDR_PULL_ALLOC(ndr, r->objmetadata2); >@@ -11201,7 +11495,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_ATTRIBUTE_VALUE_METADATA2: { >- uint32_t _ptr_attrvalmetadata2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_attrvalmetadata2)); > if (_ptr_attrvalmetadata2) { > NDR_PULL_ALLOC(ndr, r->attrvalmetadata2); >@@ -11211,7 +11504,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_NEIGHBORS02: { >- uint32_t _ptr_neighbours02; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_neighbours02)); > if (_ptr_neighbours02) { > NDR_PULL_ALLOC(ndr, r->neighbours02); >@@ -11221,7 +11513,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CONNECTIONS04: { >- uint32_t _ptr_connections04; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_connections04)); > if (_ptr_connections04) { > NDR_PULL_ALLOC(ndr, r->connections04); >@@ -11231,7 +11522,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_CURSORS05: { >- uint32_t _ptr_cursors05; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors05)); > if (_ptr_cursors05) { > NDR_PULL_ALLOC(ndr, r->cursors05); >@@ -11241,7 +11531,6 @@ static enum ndr_err_code ndr_pull_drsuapi_DsReplicaInfo(struct ndr_pull *ndr, in > break; } > > case DRSUAPI_DS_REPLICA_INFO_06: { >- uint32_t _ptr_i06; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_i06)); > if (_ptr_i06) { > NDR_PULL_ALLOC(ndr, r->i06); >@@ -11646,6 +11935,7 @@ static enum ndr_err_code ndr_push_drsuapi_DsGetMemberships2Request1(struct ndr_p > static enum ndr_err_code ndr_pull_drsuapi_DsGetMemberships2Request1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetMemberships2Request1 *r) > { > uint32_t _ptr_req_array; >+ uint32_t size_req_array_1 = 0; > uint32_t cntr_req_array_1; > TALLOC_CTX *_mem_save_req_array_0; > TALLOC_CTX *_mem_save_req_array_1; >@@ -11668,10 +11958,11 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMemberships2Request1(struct ndr_p > _mem_save_req_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->req_array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->req_array)); >- NDR_PULL_ALLOC_N(ndr, r->req_array, ndr_get_array_size(ndr, &r->req_array)); >+ size_req_array_1 = ndr_get_array_size(ndr, &r->req_array); >+ NDR_PULL_ALLOC_N(ndr, r->req_array, size_req_array_1); > _mem_save_req_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->req_array, 0); >- for (cntr_req_array_1 = 0; cntr_req_array_1 < r->num_req; cntr_req_array_1++) { >+ for (cntr_req_array_1 = 0; cntr_req_array_1 < size_req_array_1; cntr_req_array_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_req_array)); > if (_ptr_req_array) { > NDR_PULL_ALLOC(ndr, r->req_array[cntr_req_array_1]); >@@ -11679,7 +11970,7 @@ static enum ndr_err_code ndr_pull_drsuapi_DsGetMemberships2Request1(struct ndr_p > r->req_array[cntr_req_array_1] = NULL; > } > } >- for (cntr_req_array_1 = 0; cntr_req_array_1 < r->num_req; cntr_req_array_1++) { >+ for (cntr_req_array_1 = 0; cntr_req_array_1 < size_req_array_1; cntr_req_array_1++) { > if (r->req_array[cntr_req_array_1]) { > _mem_save_req_array_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->req_array[cntr_req_array_1], 0); >@@ -11857,6 +12148,7 @@ static enum ndr_err_code ndr_push_drsuapi_QuerySitesByCostCtr1(struct ndr_push * > static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_QuerySitesByCostCtr1 *r) > { > uint32_t _ptr_info; >+ uint32_t size_info_1 = 0; > uint32_t cntr_info_1; > TALLOC_CTX *_mem_save_info_0; > TALLOC_CTX *_mem_save_info_1; >@@ -11879,10 +12171,11 @@ static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostCtr1(struct ndr_pull * > _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->info)); >- NDR_PULL_ALLOC_N(ndr, r->info, ndr_get_array_size(ndr, &r->info)); >+ size_info_1 = ndr_get_array_size(ndr, &r->info); >+ NDR_PULL_ALLOC_N(ndr, r->info, size_info_1); > _mem_save_info_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->info, 0); >- for (cntr_info_1 = 0; cntr_info_1 < r->num_info; cntr_info_1++) { >+ for (cntr_info_1 = 0; cntr_info_1 < size_info_1; cntr_info_1++) { > NDR_CHECK(ndr_pull_drsuapi_DsSiteCostInfo(ndr, NDR_SCALARS, &r->info[cntr_info_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_1, 0); >@@ -12033,9 +12326,14 @@ static enum ndr_err_code ndr_push_drsuapi_QuerySitesByCostRequest1(struct ndr_pu > static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_QuerySitesByCostRequest1 *r) > { > uint32_t _ptr_site_from; >+ uint32_t size_site_from_1 = 0; >+ uint32_t length_site_from_1 = 0; > TALLOC_CTX *_mem_save_site_from_0; > uint32_t _ptr_site_to; >+ uint32_t size_site_to_1 = 0; > uint32_t cntr_site_to_1; >+ uint32_t size_site_to_3 = 0; >+ uint32_t length_site_to_3 = 0; > TALLOC_CTX *_mem_save_site_to_0; > TALLOC_CTX *_mem_save_site_to_1; > TALLOC_CTX *_mem_save_site_to_2; >@@ -12065,21 +12363,24 @@ static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostRequest1(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->site_from, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_from)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_from)); >- if (ndr_get_array_length(ndr, &r->site_from) > ndr_get_array_size(ndr, &r->site_from)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_from), ndr_get_array_length(ndr, &r->site_from)); >+ size_site_from_1 = ndr_get_array_size(ndr, &r->site_from); >+ length_site_from_1 = ndr_get_array_length(ndr, &r->site_from); >+ if (length_site_from_1 > size_site_from_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_from_1, length_site_from_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_from), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_from, ndr_get_array_length(ndr, &r->site_from), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_from_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_from, length_site_from_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_from_0, 0); > } > if (r->site_to) { > _mem_save_site_to_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->site_to, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_to)); >- NDR_PULL_ALLOC_N(ndr, r->site_to, ndr_get_array_size(ndr, &r->site_to)); >+ size_site_to_1 = ndr_get_array_size(ndr, &r->site_to); >+ NDR_PULL_ALLOC_N(ndr, r->site_to, size_site_to_1); > _mem_save_site_to_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->site_to, 0); >- for (cntr_site_to_1 = 0; cntr_site_to_1 < r->num_req; cntr_site_to_1++) { >+ for (cntr_site_to_1 = 0; cntr_site_to_1 < size_site_to_1; cntr_site_to_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_site_to)); > if (_ptr_site_to) { > NDR_PULL_ALLOC(ndr, r->site_to[cntr_site_to_1]); >@@ -12087,17 +12388,19 @@ static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostRequest1(struct ndr_pu > r->site_to[cntr_site_to_1] = NULL; > } > } >- for (cntr_site_to_1 = 0; cntr_site_to_1 < r->num_req; cntr_site_to_1++) { >+ for (cntr_site_to_1 = 0; cntr_site_to_1 < size_site_to_1; cntr_site_to_1++) { > if (r->site_to[cntr_site_to_1]) { > _mem_save_site_to_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->site_to[cntr_site_to_1], 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->site_to[cntr_site_to_1])); > NDR_CHECK(ndr_pull_array_length(ndr, &r->site_to[cntr_site_to_1])); >- if (ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]) > ndr_get_array_size(ndr, &r->site_to[cntr_site_to_1])) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_to[cntr_site_to_1]), ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1])); >+ size_site_to_3 = ndr_get_array_size(ndr, &r->site_to[cntr_site_to_1]); >+ length_site_to_3 = ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]); >+ if (length_site_to_3 > size_site_to_3) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_to_3, length_site_to_3); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_to[cntr_site_to_1], ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_to_3, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_to[cntr_site_to_1], length_site_to_3, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_to_2, 0); > } > } >diff --git a/librpc/gen_ndr/ndr_dssetup.c b/librpc/gen_ndr/ndr_dssetup.c >index 7ce80dd..a65726d 100644 >--- a/librpc/gen_ndr/ndr_dssetup.c >+++ b/librpc/gen_ndr/ndr_dssetup.c >@@ -95,10 +95,16 @@ static enum ndr_err_code ndr_push_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_pull *ndr, int ndr_flags, struct dssetup_DsRolePrimaryDomInfoBasic *r) > { > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > uint32_t _ptr_dns_domain; >+ uint32_t size_dns_domain_1 = 0; >+ uint32_t length_dns_domain_1 = 0; > TALLOC_CTX *_mem_save_dns_domain_0; > uint32_t _ptr_forest; >+ uint32_t size_forest_1 = 0; >+ uint32_t length_forest_1 = 0; > TALLOC_CTX *_mem_save_forest_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -130,11 +136,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->dns_domain) { >@@ -142,11 +150,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->dns_domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_domain)); >- if (ndr_get_array_length(ndr, &r->dns_domain) > ndr_get_array_size(ndr, &r->dns_domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_domain), ndr_get_array_length(ndr, &r->dns_domain)); >+ size_dns_domain_1 = ndr_get_array_size(ndr, &r->dns_domain); >+ length_dns_domain_1 = ndr_get_array_length(ndr, &r->dns_domain); >+ if (length_dns_domain_1 > size_dns_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_domain_1, length_dns_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, length_dns_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_domain_0, 0); > } > if (r->forest) { >@@ -154,11 +164,13 @@ static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->forest, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->forest)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->forest)); >- if (ndr_get_array_length(ndr, &r->forest) > ndr_get_array_size(ndr, &r->forest)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->forest), ndr_get_array_length(ndr, &r->forest)); >+ size_forest_1 = ndr_get_array_size(ndr, &r->forest); >+ length_forest_1 = ndr_get_array_length(ndr, &r->forest); >+ if (length_forest_1 > size_forest_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_forest_1, length_forest_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_forest_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, length_forest_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_0, 0); > } > } >diff --git a/librpc/gen_ndr/ndr_echo.c b/librpc/gen_ndr/ndr_echo.c >index e555c2f..b0b2da2 100644 >--- a/librpc/gen_ndr/ndr_echo.c >+++ b/librpc/gen_ndr/ndr_echo.c >@@ -595,16 +595,18 @@ static enum ndr_err_code ndr_push_echo_Surrounding(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_echo_Surrounding(struct ndr_pull *ndr, int ndr_flags, struct echo_Surrounding *r) > { >+ uint32_t size_surrounding_0 = 0; > uint32_t cntr_surrounding_0; > TALLOC_CTX *_mem_save_surrounding_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->surrounding)); > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->x)); >- NDR_PULL_ALLOC_N(ndr, r->surrounding, ndr_get_array_size(ndr, &r->surrounding)); >+ size_surrounding_0 = ndr_get_array_size(ndr, &r->surrounding); >+ NDR_PULL_ALLOC_N(ndr, r->surrounding, size_surrounding_0); > _mem_save_surrounding_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->surrounding, 0); >- for (cntr_surrounding_0 = 0; cntr_surrounding_0 < r->x; cntr_surrounding_0++) { >+ for (cntr_surrounding_0 = 0; cntr_surrounding_0 < size_surrounding_0; cntr_surrounding_0++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->surrounding[cntr_surrounding_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_surrounding_0, 0); >@@ -713,21 +715,25 @@ static enum ndr_err_code ndr_push_echo_EchoData(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_echo_EchoData(struct ndr_pull *ndr, int flags, struct echo_EchoData *r) > { >+ uint32_t size_in_data_0 = 0; >+ uint32_t size_out_data_0 = 0; > if (flags & NDR_IN) { > ZERO_STRUCT(r->out); > > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.len)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.in_data)); >- NDR_PULL_ALLOC_N(ndr, r->in.in_data, ndr_get_array_size(ndr, &r->in.in_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.in_data, ndr_get_array_size(ndr, &r->in.in_data))); >+ size_in_data_0 = ndr_get_array_size(ndr, &r->in.in_data); >+ NDR_PULL_ALLOC_N(ndr, r->in.in_data, size_in_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.in_data, size_in_data_0)); > if (r->in.in_data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.in_data, r->in.len)); > } > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.out_data)); >- NDR_PULL_ALLOC_N(ndr, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data))); >+ size_out_data_0 = ndr_get_array_size(ndr, &r->out.out_data); >+ NDR_PULL_ALLOC_N(ndr, r->out.out_data, size_out_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, size_out_data_0)); > if (r->out.out_data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.out_data, r->in.len)); > } >@@ -772,11 +778,13 @@ static enum ndr_err_code ndr_push_echo_SinkData(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_echo_SinkData(struct ndr_pull *ndr, int flags, struct echo_SinkData *r) > { >+ uint32_t size_data_0 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.len)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ size_data_0 = ndr_get_array_size(ndr, &r->in.data); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_0)); > if (r->in.data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.len)); > } >@@ -822,6 +830,7 @@ static enum ndr_err_code ndr_push_echo_SourceData(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_echo_SourceData(struct ndr_pull *ndr, int flags, struct echo_SourceData *r) > { >+ uint32_t size_data_0 = 0; > if (flags & NDR_IN) { > ZERO_STRUCT(r->out); > >@@ -829,8 +838,9 @@ static enum ndr_err_code ndr_pull_echo_SourceData(struct ndr_pull *ndr, int flag > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ size_data_0 = ndr_get_array_size(ndr, &r->out.data); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_0)); > if (r->out.data) { > NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.data, r->in.len)); > } >@@ -888,7 +898,11 @@ static enum ndr_err_code ndr_push_echo_TestCall(struct ndr_push *ndr, int flags, > > static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, struct echo_TestCall *r) > { >+ uint32_t size_s1_1 = 0; >+ uint32_t length_s1_1 = 0; > uint32_t _ptr_s2; >+ uint32_t size_s2_2 = 0; >+ uint32_t length_s2_2 = 0; > TALLOC_CTX *_mem_save_s2_0; > TALLOC_CTX *_mem_save_s2_1; > if (flags & NDR_IN) { >@@ -896,11 +910,13 @@ static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.s1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.s1)); >- if (ndr_get_array_length(ndr, &r->in.s1) > ndr_get_array_size(ndr, &r->in.s1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.s1), ndr_get_array_length(ndr, &r->in.s1)); >+ size_s1_1 = ndr_get_array_size(ndr, &r->in.s1); >+ length_s1_1 = ndr_get_array_length(ndr, &r->in.s1); >+ if (length_s1_1 > size_s1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_s1_1, length_s1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.s1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.s1, ndr_get_array_length(ndr, &r->in.s1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_s1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.s1, length_s1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.s2); > ZERO_STRUCTP(r->out.s2); > } >@@ -921,11 +937,13 @@ static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, *r->out.s2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.s2)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.s2)); >- if (ndr_get_array_length(ndr, r->out.s2) > ndr_get_array_size(ndr, r->out.s2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.s2), ndr_get_array_length(ndr, r->out.s2)); >+ size_s2_2 = ndr_get_array_size(ndr, r->out.s2); >+ length_s2_2 = ndr_get_array_length(ndr, r->out.s2); >+ if (length_s2_2 > size_s2_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_s2_2, length_s2_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.s2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.s2, ndr_get_array_length(ndr, r->out.s2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_s2_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.s2, length_s2_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s2_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s2_0, LIBNDR_FLAG_REF_ALLOC); >diff --git a/librpc/gen_ndr/ndr_epmapper.c b/librpc/gen_ndr/ndr_epmapper.c >index ad1c66c..1379e75 100644 >--- a/librpc/gen_ndr/ndr_epmapper.c >+++ b/librpc/gen_ndr/ndr_epmapper.c >@@ -1531,6 +1531,7 @@ static enum ndr_err_code ndr_push_epm_tower(struct ndr_push *ndr, int ndr_flags, > > static enum ndr_err_code ndr_pull_epm_tower(struct ndr_pull *ndr, int ndr_flags, struct epm_tower *r) > { >+ uint32_t size_floors_0 = 0; > uint32_t cntr_floors_0; > TALLOC_CTX *_mem_save_floors_0; > { >@@ -1539,10 +1540,11 @@ static enum ndr_err_code ndr_pull_epm_tower(struct ndr_pull *ndr, int ndr_flags, > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_floors)); >- NDR_PULL_ALLOC_N(ndr, r->floors, r->num_floors); >+ size_floors_0 = r->num_floors; >+ NDR_PULL_ALLOC_N(ndr, r->floors, size_floors_0); > _mem_save_floors_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->floors, 0); >- for (cntr_floors_0 = 0; cntr_floors_0 < r->num_floors; cntr_floors_0++) { >+ for (cntr_floors_0 = 0; cntr_floors_0 < size_floors_0; cntr_floors_0++) { > NDR_CHECK(ndr_pull_epm_floor(ndr, NDR_SCALARS, &r->floors[cntr_floors_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_floors_0, 0); >@@ -1649,6 +1651,7 @@ static enum ndr_err_code ndr_pull_epm_entry_t(struct ndr_pull *ndr, int ndr_flag > { > uint32_t _ptr_tower; > TALLOC_CTX *_mem_save_tower_0; >+ uint32_t size_annotation_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->object)); >@@ -1660,7 +1663,8 @@ static enum ndr_err_code ndr_pull_epm_entry_t(struct ndr_pull *ndr, int ndr_flag > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__annotation_offset)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__annotation_length)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->annotation, r->__annotation_length, sizeof(uint8_t), CH_DOS)); >+ size_annotation_0 = r->__annotation_length; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->annotation, size_annotation_0, sizeof(uint8_t), CH_DOS)); > } > if (ndr_flags & NDR_BUFFERS) { > if (r->tower) { >@@ -1799,18 +1803,20 @@ static enum ndr_err_code ndr_push_epm_Insert(struct ndr_push *ndr, int flags, co > > static enum ndr_err_code ndr_pull_epm_Insert(struct ndr_pull *ndr, int flags, struct epm_Insert *r) > { >+ uint32_t size_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_entries_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.num_ents)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.entries)); >- NDR_PULL_ALLOC_N(ndr, r->in.entries, ndr_get_array_size(ndr, &r->in.entries)); >+ size_entries_0 = ndr_get_array_size(ndr, &r->in.entries); >+ NDR_PULL_ALLOC_N(ndr, r->in.entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->in.entries[cntr_entries_0])); > } >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->in.entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -1880,18 +1886,20 @@ static enum ndr_err_code ndr_push_epm_Delete(struct ndr_push *ndr, int flags, co > > static enum ndr_err_code ndr_pull_epm_Delete(struct ndr_pull *ndr, int flags, struct epm_Delete *r) > { >+ uint32_t size_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_entries_0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.num_ents)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.entries)); >- NDR_PULL_ALLOC_N(ndr, r->in.entries, ndr_get_array_size(ndr, &r->in.entries)); >+ size_entries_0 = ndr_get_array_size(ndr, &r->in.entries); >+ NDR_PULL_ALLOC_N(ndr, r->in.entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->in.entries[cntr_entries_0])); > } >- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->in.entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -1985,6 +1993,8 @@ static enum ndr_err_code ndr_pull_epm_Lookup(struct ndr_pull *ndr, int flags, st > { > uint32_t _ptr_object; > uint32_t _ptr_interface_id; >+ uint32_t size_entries_0 = 0; >+ uint32_t length_entries_0 = 0; > uint32_t cntr_entries_0; > TALLOC_CTX *_mem_save_object_0; > TALLOC_CTX *_mem_save_interface_id_0; >@@ -2050,16 +2060,18 @@ static enum ndr_err_code ndr_pull_epm_Lookup(struct ndr_pull *ndr, int flags, st > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_num_ents_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.entries)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.entries)); >- if (ndr_get_array_length(ndr, &r->out.entries) > ndr_get_array_size(ndr, &r->out.entries)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.entries), ndr_get_array_length(ndr, &r->out.entries)); >+ size_entries_0 = ndr_get_array_size(ndr, &r->out.entries); >+ length_entries_0 = ndr_get_array_length(ndr, &r->out.entries); >+ if (length_entries_0 > size_entries_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_entries_0, length_entries_0); > } >- NDR_PULL_ALLOC_N(ndr, r->out.entries, ndr_get_array_size(ndr, &r->out.entries)); >+ NDR_PULL_ALLOC_N(ndr, r->out.entries, size_entries_0); > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.entries, 0); >- for (cntr_entries_0 = 0; cntr_entries_0 < *r->out.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < length_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->out.entries[cntr_entries_0])); > } >- for (cntr_entries_0 = 0; cntr_entries_0 < *r->out.num_ents; cntr_entries_0++) { >+ for (cntr_entries_0 = 0; cntr_entries_0 < length_entries_0; cntr_entries_0++) { > NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->out.entries[cntr_entries_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); >@@ -2178,6 +2190,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_epm_Map(struct ndr_pull *ndr, int flags, str > { > uint32_t _ptr_object; > uint32_t _ptr_map_tower; >+ uint32_t size_towers_0 = 0; >+ uint32_t length_towers_0 = 0; > uint32_t cntr_towers_0; > TALLOC_CTX *_mem_save_object_0; > TALLOC_CTX *_mem_save_map_tower_0; >@@ -2241,16 +2255,18 @@ _PUBLIC_ enum ndr_err_code ndr_pull_epm_Map(struct ndr_pull *ndr, int flags, str > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_num_towers_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.towers)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.towers)); >- if (ndr_get_array_length(ndr, &r->out.towers) > ndr_get_array_size(ndr, &r->out.towers)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.towers), ndr_get_array_length(ndr, &r->out.towers)); >+ size_towers_0 = ndr_get_array_size(ndr, &r->out.towers); >+ length_towers_0 = ndr_get_array_length(ndr, &r->out.towers); >+ if (length_towers_0 > size_towers_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_towers_0, length_towers_0); > } >- NDR_PULL_ALLOC_N(ndr, r->out.towers, ndr_get_array_size(ndr, &r->out.towers)); >+ NDR_PULL_ALLOC_N(ndr, r->out.towers, size_towers_0); > _mem_save_towers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.towers, 0); >- for (cntr_towers_0 = 0; cntr_towers_0 < *r->out.num_towers; cntr_towers_0++) { >+ for (cntr_towers_0 = 0; cntr_towers_0 < length_towers_0; cntr_towers_0++) { > NDR_CHECK(ndr_pull_epm_twr_p_t(ndr, NDR_SCALARS, &r->out.towers[cntr_towers_0])); > } >- for (cntr_towers_0 = 0; cntr_towers_0 < *r->out.num_towers; cntr_towers_0++) { >+ for (cntr_towers_0 = 0; cntr_towers_0 < length_towers_0; cntr_towers_0++) { > NDR_CHECK(ndr_pull_epm_twr_p_t(ndr, NDR_BUFFERS, &r->out.towers[cntr_towers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_towers_0, 0); >diff --git a/librpc/gen_ndr/ndr_eventlog.c b/librpc/gen_ndr/ndr_eventlog.c >index 33d27db..10ed06e 100644 >--- a/librpc/gen_ndr/ndr_eventlog.c >+++ b/librpc/gen_ndr/ndr_eventlog.c >@@ -153,6 +153,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_eventlog_Record_tdb(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_eventlog_Record_tdb(struct ndr_pull *ndr, int ndr_flags, struct eventlog_Record_tdb *r) > { >+ uint32_t size_reserved_0 = 0; >+ uint32_t size_strings_0 = 0; > uint32_t cntr_strings_0; > TALLOC_CTX *_mem_save_strings_0; > { >@@ -161,7 +163,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_eventlog_Record_tdb(struct ndr_pull *ndr, in > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->reserved, 4, sizeof(uint8_t), CH_DOS)); >+ size_reserved_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->reserved, size_reserved_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->record_number)); > NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->time_generated)); > NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->time_written)); >@@ -199,10 +202,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_eventlog_Record_tdb(struct ndr_pull *ndr, in > { > uint32_t _flags_save_string = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); >- NDR_PULL_ALLOC_N(ndr, r->strings, r->num_of_strings); >+ size_strings_0 = r->num_of_strings; >+ NDR_PULL_ALLOC_N(ndr, r->strings, size_strings_0); > _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->strings, 0); >- for (cntr_strings_0 = 0; cntr_strings_0 < r->num_of_strings; cntr_strings_0++) { >+ for (cntr_strings_0 = 0; cntr_strings_0 < size_strings_0; cntr_strings_0++) { > NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->strings[cntr_strings_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_strings_0, 0); >@@ -317,10 +321,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_EVENTLOGHEADER(struct ndr_push *ndr, int ndr > > _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGHEADER(struct ndr_pull *ndr, int ndr_flags, struct EVENTLOGHEADER *r) > { >+ uint32_t size_Signature_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->HeaderSize)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, 4, sizeof(uint8_t), CH_DOS)); >+ size_Signature_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, size_Signature_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->MajorVersion)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->MinorVersion)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->StartOffset)); >@@ -434,12 +440,16 @@ _PUBLIC_ enum ndr_err_code ndr_push_EVENTLOGRECORD(struct ndr_push *ndr, int ndr > > _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGRECORD(struct ndr_pull *ndr, int ndr_flags, struct EVENTLOGRECORD *r) > { >+ uint32_t size_Reserved_0 = 0; >+ uint32_t size_Strings_0 = 0; > uint32_t cntr_Strings_0; > TALLOC_CTX *_mem_save_Strings_0; >+ uint32_t size_Data_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Length)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Reserved, 4, sizeof(uint8_t), CH_DOS)); >+ size_Reserved_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Reserved, size_Reserved_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->RecordNumber)); > NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->TimeGenerated)); > NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->TimeWritten)); >@@ -480,10 +490,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGRECORD(struct ndr_pull *ndr, int ndr > { > uint32_t _flags_save_string = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); >- NDR_PULL_ALLOC_N(ndr, r->Strings, r->NumStrings); >+ size_Strings_0 = r->NumStrings; >+ NDR_PULL_ALLOC_N(ndr, r->Strings, size_Strings_0); > _mem_save_Strings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->Strings, 0); >- for (cntr_Strings_0 = 0; cntr_Strings_0 < r->NumStrings; cntr_Strings_0++) { >+ for (cntr_Strings_0 = 0; cntr_Strings_0 < size_Strings_0; cntr_Strings_0++) { > NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->Strings[cntr_Strings_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Strings_0, 0); >@@ -492,8 +503,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGRECORD(struct ndr_pull *ndr, int ndr > { > uint32_t _flags_save_uint8 = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); >- NDR_PULL_ALLOC_N(ndr, r->Data, r->DataLength); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Data, r->DataLength)); >+ size_Data_0 = r->DataLength; >+ NDR_PULL_ALLOC_N(ndr, r->Data, size_Data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Data, size_Data_0)); > ndr->flags = _flags_save_uint8; > } > { >@@ -637,24 +649,27 @@ _PUBLIC_ enum ndr_err_code ndr_push_EVENTLOG_EVT_FILE(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOG_EVT_FILE(struct ndr_pull *ndr, int ndr_flags, struct EVENTLOG_EVT_FILE *r) > { >+ uint32_t size_records_0 = 0; > uint32_t cntr_records_0; > TALLOC_CTX *_mem_save_records_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_EVENTLOGHEADER(ndr, NDR_SCALARS, &r->hdr)); >- NDR_PULL_ALLOC_N(ndr, r->records, r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber); >+ size_records_0 = r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; >+ NDR_PULL_ALLOC_N(ndr, r->records, size_records_0); > _mem_save_records_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->records, 0); >- for (cntr_records_0 = 0; cntr_records_0 < r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; cntr_records_0++) { >+ for (cntr_records_0 = 0; cntr_records_0 < size_records_0; cntr_records_0++) { > NDR_CHECK(ndr_pull_EVENTLOGRECORD(ndr, NDR_SCALARS, &r->records[cntr_records_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_records_0, 0); > NDR_CHECK(ndr_pull_EVENTLOGEOF(ndr, NDR_SCALARS, &r->eof)); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_records_0 = r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; > _mem_save_records_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->records, 0); >- for (cntr_records_0 = 0; cntr_records_0 < r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; cntr_records_0++) { >+ for (cntr_records_0 = 0; cntr_records_0 < size_records_0; cntr_records_0++) { > NDR_CHECK(ndr_pull_EVENTLOGRECORD(ndr, NDR_BUFFERS, &r->records[cntr_records_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_records_0, 0); >@@ -1598,6 +1613,7 @@ static enum ndr_err_code ndr_push_eventlog_ReadEventLogW(struct ndr_push *ndr, i > > static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, int flags, struct eventlog_ReadEventLogW *r) > { >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_sent_size_0; > TALLOC_CTX *_mem_save_real_size_0; >@@ -1626,10 +1642,11 @@ static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, i > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->out.data); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); >+ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.sent_size); > } >@@ -1759,8 +1776,10 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventW(struct ndr_pull *ndr, in > { > uint32_t _ptr_user_sid; > uint32_t _ptr_strings; >+ uint32_t size_strings_1 = 0; > uint32_t cntr_strings_1; > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > uint32_t _ptr_record_number; > uint32_t _ptr_time_written; > TALLOC_CTX *_mem_save_handle_0; >@@ -1823,12 +1842,13 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventW(struct ndr_pull *ndr, in > _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.strings)); >- NDR_PULL_ALLOC_N(ndr, r->in.strings, ndr_get_array_size(ndr, &r->in.strings)); >+ size_strings_1 = ndr_get_array_size(ndr, &r->in.strings); >+ NDR_PULL_ALLOC_N(ndr, r->in.strings, size_strings_1); > _mem_save_strings_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); >- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { >+ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { > } >- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { >+ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_strings)); > if (_ptr_strings) { > NDR_PULL_ALLOC(ndr, r->in.strings[cntr_strings_1]); >@@ -1855,8 +1875,9 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventW(struct ndr_pull *ndr, in > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->in.data); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.flags)); >@@ -2451,6 +2472,7 @@ static enum ndr_err_code ndr_push_eventlog_GetLogInformation(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_eventlog_GetLogInformation(struct ndr_pull *ndr, int flags, struct eventlog_GetLogInformation *r) > { >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_handle_0; > TALLOC_CTX *_mem_save_bytes_needed_0; > if (flags & NDR_IN) { >@@ -2475,10 +2497,11 @@ static enum ndr_err_code ndr_pull_eventlog_GetLogInformation(struct ndr_pull *nd > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.bytes_needed); > } >@@ -2657,8 +2680,10 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventAndSourceW(struct ndr_pull > { > uint32_t _ptr_user_sid; > uint32_t _ptr_strings; >+ uint32_t size_strings_1 = 0; > uint32_t cntr_strings_1; > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > uint32_t _ptr_record_number; > uint32_t _ptr_time_written; > TALLOC_CTX *_mem_save_handle_0; >@@ -2729,12 +2754,13 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventAndSourceW(struct ndr_pull > _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.strings)); >- NDR_PULL_ALLOC_N(ndr, r->in.strings, ndr_get_array_size(ndr, &r->in.strings)); >+ size_strings_1 = ndr_get_array_size(ndr, &r->in.strings); >+ NDR_PULL_ALLOC_N(ndr, r->in.strings, size_strings_1); > _mem_save_strings_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); >- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { >+ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { > } >- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { >+ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_strings)); > if (_ptr_strings) { > NDR_PULL_ALLOC(ndr, r->in.strings[cntr_strings_1]); >@@ -2761,8 +2787,9 @@ static enum ndr_err_code ndr_pull_eventlog_ReportEventAndSourceW(struct ndr_pull > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); >- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->in.data); >+ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.flags)); >diff --git a/librpc/gen_ndr/ndr_krb5pac.c b/librpc/gen_ndr/ndr_krb5pac.c >index 7a2a476..fa8c97f 100644 >--- a/librpc/gen_ndr/ndr_krb5pac.c >+++ b/librpc/gen_ndr/ndr_krb5pac.c >@@ -21,11 +21,13 @@ static enum ndr_err_code ndr_push_PAC_LOGON_NAME(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_PAC_LOGON_NAME(struct ndr_pull *ndr, int ndr_flags, struct PAC_LOGON_NAME *r) > { >+ uint32_t size_account_name_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->logon_time)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, r->size, sizeof(uint8_t), CH_UTF16)); >+ size_account_name_0 = r->size; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, size_account_name_0, sizeof(uint8_t), CH_UTF16)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -456,24 +458,27 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_DATA(struct ndr_push *ndr, int ndr_flags > > _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA *r) > { >+ uint32_t size_buffers_0 = 0; > uint32_t cntr_buffers_0; > TALLOC_CTX *_mem_save_buffers_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); >- NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers); >+ size_buffers_0 = r->num_buffers; >+ NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0); > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_buffers_0 = r->num_buffers; > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); >@@ -619,24 +624,27 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_DATA_RAW(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA_RAW(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA_RAW *r) > { >+ uint32_t size_buffers_0 = 0; > uint32_t cntr_buffers_0; > TALLOC_CTX *_mem_save_buffers_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); >- NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers); >+ size_buffers_0 = r->num_buffers; >+ NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0); > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_buffers_0 = r->num_buffers; > _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); >- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { >+ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { > NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); >diff --git a/librpc/gen_ndr/ndr_lsa.c b/librpc/gen_ndr/ndr_lsa.c >index 2aee3f7..6ebc703 100644 >--- a/librpc/gen_ndr/ndr_lsa.c >+++ b/librpc/gen_ndr/ndr_lsa.c >@@ -27,6 +27,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_String(struct ndr_push *ndr, int ndr_fla > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_String(struct ndr_pull *ndr, int ndr_flags, struct lsa_String *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -45,10 +47,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_String(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -98,6 +102,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_StringLarge(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_StringLarge(struct ndr_pull *ndr, int ndr_flags, struct lsa_StringLarge *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -116,10 +122,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_StringLarge(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -172,6 +180,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_Strings(struct ndr_push *ndr, int ndr_fl > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_Strings(struct ndr_pull *ndr, int ndr_flags, struct lsa_Strings *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -190,13 +199,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_Strings(struct ndr_pull *ndr, int ndr_fl > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -255,6 +265,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_AsciiString(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiString(struct ndr_pull *ndr, int ndr_flags, struct lsa_AsciiString *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -273,10 +285,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiString(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -326,6 +340,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_AsciiStringLarge(struct ndr_push *ndr, i > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiStringLarge(struct ndr_pull *ndr, int ndr_flags, struct lsa_AsciiStringLarge *r) > { > uint32_t _ptr_string; >+ uint32_t size_string_1 = 0; >+ uint32_t length_string_1 = 0; > TALLOC_CTX *_mem_save_string_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -344,10 +360,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiStringLarge(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); >- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); >+ size_string_1 = ndr_get_array_size(ndr, &r->string); >+ length_string_1 = ndr_get_array_length(ndr, &r->string); >+ if (length_string_1 > size_string_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint8_t), CH_DOS)); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint8_t), CH_DOS)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); > } > if (r->string) { >@@ -400,6 +418,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_BinaryString(struct ndr_push *ndr, int n > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_BinaryString(struct ndr_pull *ndr, int ndr_flags, struct lsa_BinaryString *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; >+ uint32_t length_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -420,13 +440,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_BinaryString(struct ndr_pull *ndr, int n > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->array)); >- if (ndr_get_array_length(ndr, &r->array) > ndr_get_array_size(ndr, &r->array)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->array), ndr_get_array_length(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ length_array_1 = ndr_get_array_length(ndr, &r->array); >+ if (length_array_1 > size_array_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_array_1, length_array_1); > } >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->length / 2; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < length_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -560,6 +582,7 @@ static enum ndr_err_code ndr_push_lsa_PrivArray(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_lsa_PrivArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_PrivArray *r) > { > uint32_t _ptr_privs; >+ uint32_t size_privs_1 = 0; > uint32_t cntr_privs_1; > TALLOC_CTX *_mem_save_privs_0; > TALLOC_CTX *_mem_save_privs_1; >@@ -578,13 +601,14 @@ static enum ndr_err_code ndr_pull_lsa_PrivArray(struct ndr_pull *ndr, int ndr_fl > _mem_save_privs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privs, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->privs)); >- NDR_PULL_ALLOC_N(ndr, r->privs, ndr_get_array_size(ndr, &r->privs)); >+ size_privs_1 = ndr_get_array_size(ndr, &r->privs); >+ NDR_PULL_ALLOC_N(ndr, r->privs, size_privs_1); > _mem_save_privs_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privs, 0); >- for (cntr_privs_1 = 0; cntr_privs_1 < r->count; cntr_privs_1++) { >+ for (cntr_privs_1 = 0; cntr_privs_1 < size_privs_1; cntr_privs_1++) { > NDR_CHECK(ndr_pull_lsa_PrivEntry(ndr, NDR_SCALARS, &r->privs[cntr_privs_1])); > } >- for (cntr_privs_1 = 0; cntr_privs_1 < r->count; cntr_privs_1++) { >+ for (cntr_privs_1 = 0; cntr_privs_1 < size_privs_1; cntr_privs_1++) { > NDR_CHECK(ndr_pull_lsa_PrivEntry(ndr, NDR_BUFFERS, &r->privs[cntr_privs_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privs_1, 0); >@@ -696,6 +720,8 @@ static enum ndr_err_code ndr_pull_lsa_ObjectAttribute(struct ndr_pull *ndr, int > uint32_t _ptr_root_dir; > TALLOC_CTX *_mem_save_root_dir_0; > uint32_t _ptr_object_name; >+ uint32_t size_object_name_1 = 0; >+ uint32_t length_object_name_1 = 0; > TALLOC_CTX *_mem_save_object_name_0; > uint32_t _ptr_sec_desc; > TALLOC_CTX *_mem_save_sec_desc_0; >@@ -742,11 +768,13 @@ static enum ndr_err_code ndr_pull_lsa_ObjectAttribute(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->object_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->object_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->object_name)); >- if (ndr_get_array_length(ndr, &r->object_name) > ndr_get_array_size(ndr, &r->object_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_name), ndr_get_array_length(ndr, &r->object_name)); >+ size_object_name_1 = ndr_get_array_size(ndr, &r->object_name); >+ length_object_name_1 = ndr_get_array_length(ndr, &r->object_name); >+ if (length_object_name_1 > size_object_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_name_1, length_object_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_name, ndr_get_array_length(ndr, &r->object_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_name, length_object_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_name_0, 0); > } > if (r->sec_desc) { >@@ -1004,6 +1032,7 @@ static enum ndr_err_code ndr_push_lsa_AuditEventsInfo(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_lsa_AuditEventsInfo(struct ndr_pull *ndr, int ndr_flags, struct lsa_AuditEventsInfo *r) > { > uint32_t _ptr_settings; >+ uint32_t size_settings_1 = 0; > uint32_t cntr_settings_1; > TALLOC_CTX *_mem_save_settings_0; > TALLOC_CTX *_mem_save_settings_1; >@@ -1023,10 +1052,11 @@ static enum ndr_err_code ndr_pull_lsa_AuditEventsInfo(struct ndr_pull *ndr, int > _mem_save_settings_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->settings, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->settings)); >- NDR_PULL_ALLOC_N(ndr, r->settings, ndr_get_array_size(ndr, &r->settings)); >+ size_settings_1 = ndr_get_array_size(ndr, &r->settings); >+ NDR_PULL_ALLOC_N(ndr, r->settings, size_settings_1); > _mem_save_settings_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->settings, 0); >- for (cntr_settings_1 = 0; cntr_settings_1 < r->count; cntr_settings_1++) { >+ for (cntr_settings_1 = 0; cntr_settings_1 < size_settings_1; cntr_settings_1++) { > NDR_CHECK(ndr_pull_lsa_PolicyAuditPolicy(ndr, NDR_SCALARS, &r->settings[cntr_settings_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_settings_1, 0); >@@ -1890,6 +1920,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_SidArray(struct ndr_push *ndr, int ndr_f > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_SidArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_SidArray *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -1911,13 +1942,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_SidArray(struct ndr_pull *ndr, int ndr_f > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_SidPtr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_SidPtr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -1979,6 +2011,7 @@ static enum ndr_err_code ndr_push_lsa_DomainList(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_lsa_DomainList(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainList *r) > { > uint32_t _ptr_domains; >+ uint32_t size_domains_1 = 0; > uint32_t cntr_domains_1; > TALLOC_CTX *_mem_save_domains_0; > TALLOC_CTX *_mem_save_domains_1; >@@ -1997,13 +2030,14 @@ static enum ndr_err_code ndr_pull_lsa_DomainList(struct ndr_pull *ndr, int ndr_f > _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); >- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); >+ size_domains_1 = ndr_get_array_size(ndr, &r->domains); >+ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); > _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); > } >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); >@@ -2131,6 +2165,7 @@ static enum ndr_err_code ndr_push_lsa_TransSidArray(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_lsa_TransSidArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -2152,10 +2187,11 @@ static enum ndr_err_code ndr_pull_lsa_TransSidArray(struct ndr_pull *ndr, int nd > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -2218,6 +2254,7 @@ static enum ndr_err_code ndr_push_lsa_RefDomainList(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_lsa_RefDomainList(struct ndr_pull *ndr, int ndr_flags, struct lsa_RefDomainList *r) > { > uint32_t _ptr_domains; >+ uint32_t size_domains_1 = 0; > uint32_t cntr_domains_1; > TALLOC_CTX *_mem_save_domains_0; > TALLOC_CTX *_mem_save_domains_1; >@@ -2240,13 +2277,14 @@ static enum ndr_err_code ndr_pull_lsa_RefDomainList(struct ndr_pull *ndr, int nd > _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); >- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); >+ size_domains_1 = ndr_get_array_size(ndr, &r->domains); >+ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); > _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); > } >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); >@@ -2377,6 +2415,7 @@ static enum ndr_err_code ndr_push_lsa_TransNameArray(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_lsa_TransNameArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransNameArray *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -2398,13 +2437,14 @@ static enum ndr_err_code ndr_pull_lsa_TransNameArray(struct ndr_pull *ndr, int n > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -2493,6 +2533,7 @@ static enum ndr_err_code ndr_push_lsa_PrivilegeSet(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_lsa_PrivilegeSet(struct ndr_pull *ndr, int ndr_flags, struct lsa_PrivilegeSet *r) > { >+ uint32_t size_set_0 = 0; > uint32_t cntr_set_0; > TALLOC_CTX *_mem_save_set_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2503,10 +2544,11 @@ static enum ndr_err_code ndr_pull_lsa_PrivilegeSet(struct ndr_pull *ndr, int ndr > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown)); >- NDR_PULL_ALLOC_N(ndr, r->set, ndr_get_array_size(ndr, &r->set)); >+ size_set_0 = ndr_get_array_size(ndr, &r->set); >+ NDR_PULL_ALLOC_N(ndr, r->set, size_set_0); > _mem_save_set_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->set, 0); >- for (cntr_set_0 = 0; cntr_set_0 < r->count; cntr_set_0++) { >+ for (cntr_set_0 = 0; cntr_set_0 < size_set_0; cntr_set_0++) { > NDR_CHECK(ndr_pull_lsa_LUIDAttribute(ndr, NDR_SCALARS, &r->set[cntr_set_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_set_0, 0); >@@ -2566,6 +2608,8 @@ static enum ndr_err_code ndr_push_lsa_DATA_BUF(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_lsa_DATA_BUF(struct ndr_pull *ndr, int ndr_flags, struct lsa_DATA_BUF *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; >+ uint32_t length_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -2587,11 +2631,13 @@ static enum ndr_err_code ndr_pull_lsa_DATA_BUF(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); >- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ length_data_1 = ndr_get_array_length(ndr, &r->data); >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -2650,6 +2696,7 @@ static enum ndr_err_code ndr_push_lsa_DATA_BUF2(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_lsa_DATA_BUF2(struct ndr_pull *ndr, int ndr_flags, struct lsa_DATA_BUF2 *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -2672,8 +2719,9 @@ static enum ndr_err_code ndr_pull_lsa_DATA_BUF2(struct ndr_pull *ndr, int ndr_fl > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -2875,6 +2923,7 @@ static enum ndr_err_code ndr_push_lsa_TrustDomainInfoControllers(struct ndr_push > static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoControllers(struct ndr_pull *ndr, int ndr_flags, struct lsa_TrustDomainInfoControllers *r) > { > uint32_t _ptr_netbios_names; >+ uint32_t size_netbios_names_1 = 0; > uint32_t cntr_netbios_names_1; > TALLOC_CTX *_mem_save_netbios_names_0; > TALLOC_CTX *_mem_save_netbios_names_1; >@@ -2893,13 +2942,14 @@ static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoControllers(struct ndr_pull > _mem_save_netbios_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_names)); >- NDR_PULL_ALLOC_N(ndr, r->netbios_names, ndr_get_array_size(ndr, &r->netbios_names)); >+ size_netbios_names_1 = ndr_get_array_size(ndr, &r->netbios_names); >+ NDR_PULL_ALLOC_N(ndr, r->netbios_names, size_netbios_names_1); > _mem_save_netbios_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_names, 0); >- for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < r->entries; cntr_netbios_names_1++) { >+ for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < size_netbios_names_1; cntr_netbios_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_SCALARS, &r->netbios_names[cntr_netbios_names_1])); > } >- for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < r->entries; cntr_netbios_names_1++) { >+ for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < size_netbios_names_1; cntr_netbios_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_BUFFERS, &r->netbios_names[cntr_netbios_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_names_1, 0); >@@ -3494,6 +3544,7 @@ static enum ndr_err_code ndr_push_lsa_TrustDomainInfoInfoEx2Internal(struct ndr_ > static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoInfoEx2Internal(struct ndr_pull *ndr, int ndr_flags, struct lsa_TrustDomainInfoInfoEx2Internal *r) > { > uint32_t _ptr_forest_trust_data; >+ uint32_t size_forest_trust_data_1 = 0; > TALLOC_CTX *_mem_save_forest_trust_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -3512,8 +3563,9 @@ static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoInfoEx2Internal(struct ndr_ > _mem_save_forest_trust_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->forest_trust_data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->forest_trust_data)); >- NDR_PULL_ALLOC_N(ndr, r->forest_trust_data, ndr_get_array_size(ndr, &r->forest_trust_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->forest_trust_data, ndr_get_array_size(ndr, &r->forest_trust_data))); >+ size_forest_trust_data_1 = ndr_get_array_size(ndr, &r->forest_trust_data); >+ NDR_PULL_ALLOC_N(ndr, r->forest_trust_data, size_forest_trust_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->forest_trust_data, size_forest_trust_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_trust_data_0, 0); > } > if (r->forest_trust_data) { >@@ -3995,6 +4047,7 @@ static enum ndr_err_code ndr_push_lsa_RightSet(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_lsa_RightSet(struct ndr_pull *ndr, int ndr_flags, struct lsa_RightSet *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -4016,13 +4069,14 @@ static enum ndr_err_code ndr_pull_lsa_RightSet(struct ndr_pull *ndr, int ndr_fla > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -4084,6 +4138,7 @@ static enum ndr_err_code ndr_push_lsa_DomainListEx(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_lsa_DomainListEx(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainListEx *r) > { > uint32_t _ptr_domains; >+ uint32_t size_domains_1 = 0; > uint32_t cntr_domains_1; > TALLOC_CTX *_mem_save_domains_0; > TALLOC_CTX *_mem_save_domains_1; >@@ -4102,13 +4157,14 @@ static enum ndr_err_code ndr_pull_lsa_DomainListEx(struct ndr_pull *ndr, int ndr > _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); >- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); >+ size_domains_1 = ndr_get_array_size(ndr, &r->domains); >+ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); > _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_TrustDomainInfoInfoEx(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); > } >- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { >+ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { > NDR_CHECK(ndr_pull_lsa_TrustDomainInfoInfoEx(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); >@@ -4209,6 +4265,7 @@ static enum ndr_err_code ndr_push_lsa_DomainInfoEfs(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_lsa_DomainInfoEfs(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainInfoEfs *r) > { > uint32_t _ptr_efs_blob; >+ uint32_t size_efs_blob_1 = 0; > TALLOC_CTX *_mem_save_efs_blob_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4225,8 +4282,9 @@ static enum ndr_err_code ndr_pull_lsa_DomainInfoEfs(struct ndr_pull *ndr, int nd > _mem_save_efs_blob_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->efs_blob, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->efs_blob)); >- NDR_PULL_ALLOC_N(ndr, r->efs_blob, ndr_get_array_size(ndr, &r->efs_blob)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->efs_blob, ndr_get_array_size(ndr, &r->efs_blob))); >+ size_efs_blob_1 = ndr_get_array_size(ndr, &r->efs_blob); >+ NDR_PULL_ALLOC_N(ndr, r->efs_blob, size_efs_blob_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->efs_blob, size_efs_blob_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_efs_blob_0, 0); > } > if (r->efs_blob) { >@@ -4409,6 +4467,7 @@ static enum ndr_err_code ndr_push_lsa_TransNameArray2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_lsa_TransNameArray2(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransNameArray2 *r) > { > uint32_t _ptr_names; >+ uint32_t size_names_1 = 0; > uint32_t cntr_names_1; > TALLOC_CTX *_mem_save_names_0; > TALLOC_CTX *_mem_save_names_1; >@@ -4430,13 +4489,14 @@ static enum ndr_err_code ndr_pull_lsa_TransNameArray2(struct ndr_pull *ndr, int > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); >- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); >+ size_names_1 = ndr_get_array_size(ndr, &r->names); >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); > _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName2(ndr, NDR_SCALARS, &r->names[cntr_names_1])); > } >- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { >+ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedName2(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); >@@ -4534,6 +4594,7 @@ static enum ndr_err_code ndr_push_lsa_TransSidArray2(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_lsa_TransSidArray2(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray2 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -4555,10 +4616,11 @@ static enum ndr_err_code ndr_pull_lsa_TransSidArray2(struct ndr_pull *ndr, int n > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid2(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -4680,6 +4742,7 @@ static enum ndr_err_code ndr_push_lsa_TransSidArray3(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_lsa_TransSidArray3(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray3 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -4701,13 +4764,14 @@ static enum ndr_err_code ndr_pull_lsa_TransSidArray3(struct ndr_pull *ndr, int n > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid3(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_lsa_TranslatedSid3(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -4763,6 +4827,7 @@ static enum ndr_err_code ndr_push_lsa_ForestTrustBinaryData(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_lsa_ForestTrustBinaryData(struct ndr_pull *ndr, int ndr_flags, struct lsa_ForestTrustBinaryData *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4782,8 +4847,9 @@ static enum ndr_err_code ndr_pull_lsa_ForestTrustBinaryData(struct ndr_pull *ndr > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -5091,6 +5157,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_ForestTrustInformation(struct ndr_push * > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull *ndr, int ndr_flags, struct lsa_ForestTrustInformation *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -5113,10 +5180,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull * > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_entries)); > if (_ptr_entries) { > NDR_PULL_ALLOC(ndr, r->entries[cntr_entries_1]); >@@ -5124,7 +5192,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull * > r->entries[cntr_entries_1] = NULL; > } > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > if (r->entries[cntr_entries_1]) { > _mem_save_entries_2 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries[cntr_entries_1], 0); >@@ -6433,6 +6501,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_LookupNames(struct ndr_push *ndr, int fl > > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames(struct ndr_pull *ndr, int flags, struct lsa_LookupNames *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_handle_0; >@@ -6456,13 +6525,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames(struct ndr_pull *ndr, int fl > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -9333,6 +9403,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_OpenPolicy2(struct ndr_push *ndr, int fl > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_OpenPolicy2(struct ndr_pull *ndr, int flags, struct lsa_OpenPolicy2 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_attr_0; > TALLOC_CTX *_mem_save_handle_0; >@@ -9350,11 +9422,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_OpenPolicy2(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -9465,6 +9539,8 @@ static enum ndr_err_code ndr_push_lsa_GetUserName(struct ndr_push *ndr, int flag > static enum ndr_err_code ndr_pull_lsa_GetUserName(struct ndr_pull *ndr, int flags, struct lsa_GetUserName *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > uint32_t _ptr_account_name; > uint32_t _ptr_authority_name; > TALLOC_CTX *_mem_save_system_name_0; >@@ -9486,11 +9562,13 @@ static enum ndr_err_code ndr_pull_lsa_GetUserName(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -10900,6 +10978,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_LookupNames2(struct ndr_push *ndr, int f > > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames2(struct ndr_pull *ndr, int flags, struct lsa_LookupNames2 *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_handle_0; >@@ -10923,13 +11002,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames2(struct ndr_pull *ndr, int f > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -11554,6 +11634,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_lsa_LookupNames3(struct ndr_push *ndr, int f > > _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames3(struct ndr_pull *ndr, int flags, struct lsa_LookupNames3 *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_handle_0; >@@ -11577,13 +11658,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames3(struct ndr_pull *ndr, int f > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -12300,6 +12382,7 @@ static enum ndr_err_code ndr_push_lsa_LookupNames4(struct ndr_push *ndr, int fla > > static enum ndr_err_code ndr_pull_lsa_LookupNames4(struct ndr_pull *ndr, int flags, struct lsa_LookupNames4 *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > uint32_t _ptr_domains; > TALLOC_CTX *_mem_save_names_0; >@@ -12315,13 +12398,14 @@ static enum ndr_err_code ndr_pull_lsa_LookupNames4(struct ndr_pull *ndr, int fla > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >diff --git a/librpc/gen_ndr/ndr_misc.c b/librpc/gen_ndr/ndr_misc.c >index 45872d6..02ef363 100644 >--- a/librpc/gen_ndr/ndr_misc.c >+++ b/librpc/gen_ndr/ndr_misc.c >@@ -20,13 +20,17 @@ _PUBLIC_ enum ndr_err_code ndr_push_GUID(struct ndr_push *ndr, int ndr_flags, co > > _PUBLIC_ enum ndr_err_code ndr_pull_GUID(struct ndr_pull *ndr, int ndr_flags, struct GUID *r) > { >+ uint32_t size_clock_seq_0 = 0; >+ uint32_t size_node_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->time_low)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_mid)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_hi_and_version)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->clock_seq, 2)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->node, 6)); >+ size_clock_seq_0 = 2; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->clock_seq, size_clock_seq_0)); >+ size_node_0 = 6; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->node, size_node_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >diff --git a/librpc/gen_ndr/ndr_named_pipe_auth.c b/librpc/gen_ndr/ndr_named_pipe_auth.c >index 88ad449..717421c 100644 >--- a/librpc/gen_ndr/ndr_named_pipe_auth.c >+++ b/librpc/gen_ndr/ndr_named_pipe_auth.c >@@ -117,6 +117,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_named_pipe_auth_req(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req *r) > { >+ uint32_t size_magic_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > { >@@ -125,7 +126,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); > ndr->flags = _flags_save_uint32; > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS)); >+ size_magic_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, size_magic_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level)); > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level)); > NDR_CHECK(ndr_pull_named_pipe_auth_req_info(ndr, NDR_SCALARS, &r->info)); >@@ -262,6 +264,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_named_pipe_auth_rep(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep *r) > { >+ uint32_t size_magic_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > { >@@ -270,7 +273,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, in > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); > ndr->flags = _flags_save_uint32; > } >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS)); >+ size_magic_0 = 4; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, size_magic_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level)); > NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level)); > NDR_CHECK(ndr_pull_named_pipe_auth_rep_info(ndr, NDR_SCALARS, &r->info)); >diff --git a/librpc/gen_ndr/ndr_nbt.c b/librpc/gen_ndr/ndr_nbt.c >index 8fcd94c..3604f1d 100644 >--- a/librpc/gen_ndr/ndr_nbt.c >+++ b/librpc/gen_ndr/ndr_nbt.c >@@ -242,15 +242,17 @@ static enum ndr_err_code ndr_push_nbt_rdata_netbios(struct ndr_push *ndr, int nd > > static enum ndr_err_code ndr_pull_nbt_rdata_netbios(struct ndr_pull *ndr, int ndr_flags, struct nbt_rdata_netbios *r) > { >+ uint32_t size_addresses_0 = 0; > uint32_t cntr_addresses_0; > TALLOC_CTX *_mem_save_addresses_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); >- NDR_PULL_ALLOC_N(ndr, r->addresses, r->length / 6); >+ size_addresses_0 = r->length / 6; >+ NDR_PULL_ALLOC_N(ndr, r->addresses, size_addresses_0); > _mem_save_addresses_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->addresses, 0); >- for (cntr_addresses_0 = 0; cntr_addresses_0 < r->length / 6; cntr_addresses_0++) { >+ for (cntr_addresses_0 = 0; cntr_addresses_0 < size_addresses_0; cntr_addresses_0++) { > NDR_CHECK(ndr_pull_nbt_rdata_address(ndr, NDR_SCALARS, &r->addresses[cntr_addresses_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_0, 0); >@@ -311,9 +313,11 @@ static enum ndr_err_code ndr_push_nbt_statistics(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_nbt_statistics(struct ndr_pull *ndr, int ndr_flags, struct nbt_statistics *r) > { >+ uint32_t size_unit_id_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unit_id, 6)); >+ size_unit_id_0 = 6; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unit_id, size_unit_id_0)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->jumpers)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->test_result)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->version_number)); >@@ -381,9 +385,11 @@ static enum ndr_err_code ndr_push_nbt_status_name(struct ndr_push *ndr, int ndr_ > > static enum ndr_err_code ndr_pull_nbt_status_name(struct ndr_pull *ndr, int ndr_flags, struct nbt_status_name *r) > { >+ uint32_t size_name_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, 15, sizeof(uint8_t), CH_DOS)); >+ size_name_0 = 15; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, size_name_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_nbt_name_type(ndr, NDR_SCALARS, &r->type)); > NDR_CHECK(ndr_pull_nb_flags(ndr, NDR_SCALARS, &r->nb_flags)); > } >@@ -421,16 +427,18 @@ static enum ndr_err_code ndr_push_nbt_rdata_status(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_nbt_rdata_status(struct ndr_pull *ndr, int ndr_flags, struct nbt_rdata_status *r) > { >+ uint32_t size_names_0 = 0; > uint32_t cntr_names_0; > TALLOC_CTX *_mem_save_names_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_names)); >- NDR_PULL_ALLOC_N(ndr, r->names, r->num_names); >+ size_names_0 = r->num_names; >+ NDR_PULL_ALLOC_N(ndr, r->names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_nbt_status_name(ndr, NDR_SCALARS, &r->names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -476,11 +484,13 @@ static enum ndr_err_code ndr_push_nbt_rdata_data(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_nbt_rdata_data(struct ndr_pull *ndr, int ndr_flags, struct nbt_rdata_data *r) > { >+ uint32_t size_data_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 2)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); >- NDR_PULL_ALLOC_N(ndr, r->data, r->length); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, r->length)); >+ size_data_0 = r->length; >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -673,12 +683,16 @@ _PUBLIC_ enum ndr_err_code ndr_push_nbt_name_packet(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_nbt_name_packet(struct ndr_pull *ndr, int ndr_flags, struct nbt_name_packet *r) > { >+ uint32_t size_questions_0 = 0; > uint32_t cntr_questions_0; > TALLOC_CTX *_mem_save_questions_0; >+ uint32_t size_answers_0 = 0; > uint32_t cntr_answers_0; > TALLOC_CTX *_mem_save_answers_0; >+ uint32_t size_nsrecs_0 = 0; > uint32_t cntr_nsrecs_0; > TALLOC_CTX *_mem_save_nsrecs_0; >+ uint32_t size_additional_0 = 0; > uint32_t cntr_additional_0; > TALLOC_CTX *_mem_save_additional_0; > { >@@ -692,31 +706,35 @@ _PUBLIC_ enum ndr_err_code ndr_pull_nbt_name_packet(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->ancount)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->nscount)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->arcount)); >- NDR_PULL_ALLOC_N(ndr, r->questions, r->qdcount); >+ size_questions_0 = r->qdcount; >+ NDR_PULL_ALLOC_N(ndr, r->questions, size_questions_0); > _mem_save_questions_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->questions, 0); >- for (cntr_questions_0 = 0; cntr_questions_0 < r->qdcount; cntr_questions_0++) { >+ for (cntr_questions_0 = 0; cntr_questions_0 < size_questions_0; cntr_questions_0++) { > NDR_CHECK(ndr_pull_nbt_name_question(ndr, NDR_SCALARS, &r->questions[cntr_questions_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_questions_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->answers, r->ancount); >+ size_answers_0 = r->ancount; >+ NDR_PULL_ALLOC_N(ndr, r->answers, size_answers_0); > _mem_save_answers_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->answers, 0); >- for (cntr_answers_0 = 0; cntr_answers_0 < r->ancount; cntr_answers_0++) { >+ for (cntr_answers_0 = 0; cntr_answers_0 < size_answers_0; cntr_answers_0++) { > NDR_CHECK(ndr_pull_nbt_res_rec(ndr, NDR_SCALARS, &r->answers[cntr_answers_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_answers_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->nsrecs, r->nscount); >+ size_nsrecs_0 = r->nscount; >+ NDR_PULL_ALLOC_N(ndr, r->nsrecs, size_nsrecs_0); > _mem_save_nsrecs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->nsrecs, 0); >- for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < r->nscount; cntr_nsrecs_0++) { >+ for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < size_nsrecs_0; cntr_nsrecs_0++) { > NDR_CHECK(ndr_pull_nbt_res_rec(ndr, NDR_SCALARS, &r->nsrecs[cntr_nsrecs_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_nsrecs_0, 0); >- NDR_PULL_ALLOC_N(ndr, r->additional, r->arcount); >+ size_additional_0 = r->arcount; >+ NDR_PULL_ALLOC_N(ndr, r->additional, size_additional_0); > _mem_save_additional_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->additional, 0); >- for (cntr_additional_0 = 0; cntr_additional_0 < r->arcount; cntr_additional_0++) { >+ for (cntr_additional_0 = 0; cntr_additional_0 < size_additional_0; cntr_additional_0++) { > NDR_CHECK(ndr_pull_nbt_res_rec(ndr, NDR_SCALARS, &r->additional[cntr_additional_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_additional_0, 0); >@@ -1093,6 +1111,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_dgram_smb_packet(struct ndr_push *ndr, int n > > _PUBLIC_ enum ndr_err_code ndr_pull_dgram_smb_packet(struct ndr_pull *ndr, int ndr_flags, struct dgram_smb_packet *r) > { >+ uint32_t size_signature_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN|LIBNDR_FLAG_LITTLE_ENDIAN|LIBNDR_PRINT_ARRAY_HEX); >@@ -1105,7 +1124,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dgram_smb_packet(struct ndr_pull *ndr, int n > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->flags)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->flags2)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->pid_high)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->signature, 8)); >+ size_signature_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->signature, size_signature_0)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->reserved)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->tid)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->pid)); >@@ -2306,6 +2326,7 @@ static enum ndr_err_code ndr_push_NETLOGON_DB_CHANGE(struct ndr_push *ndr, int n > > static enum ndr_err_code ndr_pull_NETLOGON_DB_CHANGE(struct ndr_pull *ndr, int ndr_flags, struct NETLOGON_DB_CHANGE *r) > { >+ uint32_t size_dbchange_0 = 0; > uint32_t cntr_dbchange_0; > TALLOC_CTX *_mem_save_dbchange_0; > if (ndr_flags & NDR_SCALARS) { >@@ -2345,10 +2366,11 @@ static enum ndr_err_code ndr_pull_NETLOGON_DB_CHANGE(struct ndr_pull *ndr, int n > ndr->flags = _flags_save_string; > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->db_count)); >- NDR_PULL_ALLOC_N(ndr, r->dbchange, r->db_count); >+ size_dbchange_0 = r->db_count; >+ NDR_PULL_ALLOC_N(ndr, r->dbchange, size_dbchange_0); > _mem_save_dbchange_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->dbchange, 0); >- for (cntr_dbchange_0 = 0; cntr_dbchange_0 < r->db_count; cntr_dbchange_0++) { >+ for (cntr_dbchange_0 = 0; cntr_dbchange_0 < size_dbchange_0; cntr_dbchange_0++) { > NDR_CHECK(ndr_pull_nbt_db_change_info(ndr, NDR_SCALARS, &r->dbchange[cntr_dbchange_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dbchange_0, 0); >@@ -2619,11 +2641,13 @@ static enum ndr_err_code ndr_push_nbt_browse_host_announcement(struct ndr_push * > > static enum ndr_err_code ndr_pull_nbt_browse_host_announcement(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_host_announcement *r) > { >+ uint32_t size_ServerName_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->UpdateCount)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Periodicity)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, 16, sizeof(uint8_t), CH_DOS)); >+ size_ServerName_0 = 16; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, size_ServerName_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMajor)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMinor)); > NDR_CHECK(ndr_pull_svcctl_ServerType(ndr, NDR_SCALARS, &r->ServerType)); >@@ -2805,16 +2829,18 @@ static enum ndr_err_code ndr_push_nbt_browse_backup_list_response(struct ndr_pus > > static enum ndr_err_code ndr_pull_nbt_browse_backup_list_response(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_backup_list_response *r) > { >+ uint32_t size_BackupServerList_0 = 0; > uint32_t cntr_BackupServerList_0; > TALLOC_CTX *_mem_save_BackupServerList_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->BackupCount)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Token)); >- NDR_PULL_ALLOC_N(ndr, r->BackupServerList, r->BackupCount); >+ size_BackupServerList_0 = r->BackupCount; >+ NDR_PULL_ALLOC_N(ndr, r->BackupServerList, size_BackupServerList_0); > _mem_save_BackupServerList_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->BackupServerList, 0); >- for (cntr_BackupServerList_0 = 0; cntr_BackupServerList_0 < r->BackupCount; cntr_BackupServerList_0++) { >+ for (cntr_BackupServerList_0 = 0; cntr_BackupServerList_0 < size_BackupServerList_0; cntr_BackupServerList_0++) { > NDR_CHECK(ndr_pull_nbt_name(ndr, NDR_SCALARS, &r->BackupServerList[cntr_BackupServerList_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_BackupServerList_0, 0); >@@ -2909,11 +2935,13 @@ static enum ndr_err_code ndr_push_nbt_browse_domain_announcement(struct ndr_push > > static enum ndr_err_code ndr_pull_nbt_browse_domain_announcement(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_domain_announcement *r) > { >+ uint32_t size_ServerName_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->UpdateCount)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Periodicity)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, 16, sizeof(uint8_t), CH_DOS)); >+ size_ServerName_0 = 16; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, size_ServerName_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMajor)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMinor)); > NDR_CHECK(ndr_pull_svcctl_ServerType(ndr, NDR_SCALARS, &r->ServerType)); >@@ -3042,11 +3070,13 @@ static enum ndr_err_code ndr_push_nbt_browse_local_master_announcement(struct nd > > static enum ndr_err_code ndr_pull_nbt_browse_local_master_announcement(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_local_master_announcement *r) > { >+ uint32_t size_ServerName_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->UpdateCount)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Periodicity)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, 16, sizeof(uint8_t), CH_DOS)); >+ size_ServerName_0 = 16; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, size_ServerName_0, sizeof(uint8_t), CH_DOS)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMajor)); > NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMinor)); > NDR_CHECK(ndr_pull_svcctl_ServerType(ndr, NDR_SCALARS, &r->ServerType)); >diff --git a/librpc/gen_ndr/ndr_netlogon.c b/librpc/gen_ndr/ndr_netlogon.c >index c1bdce4..c3ab81a 100644 >--- a/librpc/gen_ndr/ndr_netlogon.c >+++ b/librpc/gen_ndr/ndr_netlogon.c >@@ -61,12 +61,20 @@ static enum ndr_err_code ndr_push_netr_UasInfo(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_UasInfo *r) > { > uint32_t _ptr_account_name; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; > TALLOC_CTX *_mem_save_account_name_0; > uint32_t _ptr_computer; >+ uint32_t size_computer_1 = 0; >+ uint32_t length_computer_1 = 0; > TALLOC_CTX *_mem_save_computer_0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_domain_0; > uint32_t _ptr_script_path; >+ uint32_t size_script_path_1 = 0; >+ uint32_t length_script_path_1 = 0; > TALLOC_CTX *_mem_save_script_path_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -113,11 +121,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->account_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); >- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_name_0, 0); > } > if (r->computer) { >@@ -125,11 +135,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->computer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->computer)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->computer)); >- if (ndr_get_array_length(ndr, &r->computer) > ndr_get_array_size(ndr, &r->computer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer), ndr_get_array_length(ndr, &r->computer)); >+ size_computer_1 = ndr_get_array_size(ndr, &r->computer); >+ length_computer_1 = ndr_get_array_length(ndr, &r->computer); >+ if (length_computer_1 > size_computer_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_1, length_computer_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer, ndr_get_array_length(ndr, &r->computer), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer, length_computer_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_0, 0); > } > if (r->domain) { >@@ -137,11 +149,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > if (r->script_path) { >@@ -149,11 +163,13 @@ static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_fla > NDR_PULL_SET_MEM_CTX(ndr, r->script_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->script_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->script_path)); >- if (ndr_get_array_length(ndr, &r->script_path) > ndr_get_array_size(ndr, &r->script_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->script_path), ndr_get_array_length(ndr, &r->script_path)); >+ size_script_path_1 = ndr_get_array_size(ndr, &r->script_path); >+ length_script_path_1 = ndr_get_array_length(ndr, &r->script_path); >+ if (length_script_path_1 > size_script_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_script_path_1, length_script_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->script_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->script_path, ndr_get_array_length(ndr, &r->script_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_script_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->script_path, length_script_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_script_path_0, 0); > } > } >@@ -418,6 +434,8 @@ static enum ndr_err_code ndr_push_netr_ChallengeResponse(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_ChallengeResponse(struct ndr_pull *ndr, int ndr_flags, struct netr_ChallengeResponse *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; >+ uint32_t length_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -439,11 +457,13 @@ static enum ndr_err_code ndr_pull_netr_ChallengeResponse(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); >- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ length_data_1 = ndr_get_array_length(ndr, &r->data); >+ if (length_data_1 > size_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -502,13 +522,15 @@ static enum ndr_err_code ndr_push_netr_NetworkInfo(struct ndr_push *ndr, int ndr > > static enum ndr_err_code ndr_pull_netr_NetworkInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_NetworkInfo *r) > { >+ uint32_t size_challenge_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_netr_IdentityInfo(ndr, NDR_SCALARS, &r->identity_info)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->challenge, 8)); >+ size_challenge_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->challenge, size_challenge_0)); > NDR_CHECK(ndr_pull_netr_ChallengeResponse(ndr, NDR_SCALARS, &r->nt)); > NDR_CHECK(ndr_pull_netr_ChallengeResponse(ndr, NDR_SCALARS, &r->lm)); > } >@@ -566,6 +588,7 @@ static enum ndr_err_code ndr_push_netr_GenericInfo(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_netr_GenericInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_GenericInfo *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -589,8 +612,9 @@ static enum ndr_err_code ndr_pull_netr_GenericInfo(struct ndr_pull *ndr, int ndr > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -748,8 +772,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_password_0; >+ uint32_t _ptr_password; > TALLOC_CTX *_mem_save_network_0; >+ uint32_t _ptr_network; > TALLOC_CTX *_mem_save_generic_0; >+ uint32_t _ptr_generic; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -758,7 +785,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > } > switch (level) { > case NetlogonInteractiveInformation: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -768,7 +794,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonNetworkInformation: { >- uint32_t _ptr_network; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_network)); > if (_ptr_network) { > NDR_PULL_ALLOC(ndr, r->network); >@@ -778,7 +803,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonServiceInformation: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -788,7 +812,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonGenericInformation: { >- uint32_t _ptr_generic; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_generic)); > if (_ptr_generic) { > NDR_PULL_ALLOC(ndr, r->generic); >@@ -798,7 +821,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonInteractiveTransitiveInformation: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -808,7 +830,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonNetworkTransitiveInformation: { >- uint32_t _ptr_network; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_network)); > if (_ptr_network) { > NDR_PULL_ALLOC(ndr, r->network); >@@ -818,7 +839,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonLevel(struct ndr_pull *ndr, int nd > break; } > > case NetlogonServiceTransitiveInformation: { >- uint32_t _ptr_password; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); > if (_ptr_password) { > NDR_PULL_ALLOC(ndr, r->password); >@@ -995,12 +1015,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_UserSessionKey(struct ndr_push *ndr, in > > _PUBLIC_ enum ndr_err_code ndr_pull_netr_UserSessionKey(struct ndr_pull *ndr, int ndr_flags, struct netr_UserSessionKey *r) > { >+ uint32_t size_key_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, 16)); >+ size_key_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, size_key_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -1040,12 +1062,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_LMSessionKey(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_netr_LMSessionKey(struct ndr_pull *ndr, int ndr_flags, struct netr_LMSessionKey *r) > { >+ uint32_t size_key_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, 8)); >+ size_key_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, size_key_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -1153,6 +1177,7 @@ static enum ndr_err_code ndr_pull_netr_SamBaseInfo(struct ndr_pull *ndr, int ndr > { > uint32_t _ptr_domain_sid; > TALLOC_CTX *_mem_save_domain_sid_0; >+ uint32_t size_unknown_0 = 0; > uint32_t cntr_unknown_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1185,7 +1210,8 @@ static enum ndr_err_code ndr_pull_netr_SamBaseInfo(struct ndr_pull *ndr, int ndr > } > NDR_CHECK(ndr_pull_netr_LMSessionKey(ndr, NDR_SCALARS, &r->LMSessKey)); > NDR_CHECK(ndr_pull_samr_AcctFlags(ndr, NDR_SCALARS, &r->acct_flags)); >- for (cntr_unknown_0 = 0; cntr_unknown_0 < 7; cntr_unknown_0++) { >+ size_unknown_0 = 7; >+ for (cntr_unknown_0 = 0; cntr_unknown_0 < size_unknown_0; cntr_unknown_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown[cntr_unknown_0])); > } > } >@@ -1369,6 +1395,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_SamInfo3(struct ndr_push *ndr, int ndr_ > _PUBLIC_ enum ndr_err_code ndr_pull_netr_SamInfo3(struct ndr_pull *ndr, int ndr_flags, struct netr_SamInfo3 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -1389,13 +1416,14 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_SamInfo3(struct ndr_pull *ndr, int ndr_ > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -1468,9 +1496,11 @@ static enum ndr_err_code ndr_push_netr_SamInfo6(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_flags, struct netr_SamInfo6 *r) > { > uint32_t _ptr_sids; >+ uint32_t size_sids_1 = 0; > uint32_t cntr_sids_1; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >+ uint32_t size_unknown4_0 = 0; > uint32_t cntr_unknown4_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1484,7 +1514,8 @@ static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_fl > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->forest)); > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->principle)); >- for (cntr_unknown4_0 = 0; cntr_unknown4_0 < 20; cntr_unknown4_0++) { >+ size_unknown4_0 = 20; >+ for (cntr_unknown4_0 = 0; cntr_unknown4_0 < size_unknown4_0; cntr_unknown4_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown4[cntr_unknown4_0])); > } > } >@@ -1494,13 +1525,14 @@ static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_fl > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_1 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); > } >- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { >+ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { > NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); >@@ -1597,9 +1629,12 @@ static enum ndr_err_code ndr_push_netr_PacInfo(struct ndr_push *ndr, int ndr_fla > static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_PacInfo *r) > { > uint32_t _ptr_pac; >+ uint32_t size_pac_1 = 0; > TALLOC_CTX *_mem_save_pac_0; > uint32_t _ptr_auth; >+ uint32_t size_auth_1 = 0; > TALLOC_CTX *_mem_save_auth_0; >+ uint32_t size_expansionroom_0 = 0; > uint32_t cntr_expansionroom_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -1621,7 +1656,8 @@ static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_fla > r->auth = NULL; > } > NDR_CHECK(ndr_pull_netr_UserSessionKey(ndr, NDR_SCALARS, &r->user_session_key)); >- for (cntr_expansionroom_0 = 0; cntr_expansionroom_0 < 10; cntr_expansionroom_0++) { >+ size_expansionroom_0 = 10; >+ for (cntr_expansionroom_0 = 0; cntr_expansionroom_0 < size_expansionroom_0; cntr_expansionroom_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->expansionroom[cntr_expansionroom_0])); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->unknown1)); >@@ -1634,8 +1670,9 @@ static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_fla > _mem_save_pac_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->pac, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->pac)); >- NDR_PULL_ALLOC_N(ndr, r->pac, ndr_get_array_size(ndr, &r->pac)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pac, ndr_get_array_size(ndr, &r->pac))); >+ size_pac_1 = ndr_get_array_size(ndr, &r->pac); >+ NDR_PULL_ALLOC_N(ndr, r->pac, size_pac_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pac, size_pac_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pac_0, 0); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->logon_domain)); >@@ -1645,8 +1682,9 @@ static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_fla > _mem_save_auth_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->auth, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->auth)); >- NDR_PULL_ALLOC_N(ndr, r->auth, ndr_get_array_size(ndr, &r->auth)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->auth, ndr_get_array_size(ndr, &r->auth))); >+ size_auth_1 = ndr_get_array_size(ndr, &r->auth); >+ NDR_PULL_ALLOC_N(ndr, r->auth, size_auth_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->auth, size_auth_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_auth_0, 0); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->unknown1)); >@@ -1727,6 +1765,7 @@ static enum ndr_err_code ndr_push_netr_GenericInfo2(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_GenericInfo2(struct ndr_pull *ndr, int ndr_flags, struct netr_GenericInfo2 *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -1746,8 +1785,9 @@ static enum ndr_err_code ndr_pull_netr_GenericInfo2(struct ndr_pull *ndr, int nd > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -1853,10 +1893,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_sam2_0; >+ uint32_t _ptr_sam2; > TALLOC_CTX *_mem_save_sam3_0; >+ uint32_t _ptr_sam3; > TALLOC_CTX *_mem_save_pac_0; >+ uint32_t _ptr_pac; > TALLOC_CTX *_mem_save_generic_0; >+ uint32_t _ptr_generic; > TALLOC_CTX *_mem_save_sam6_0; >+ uint32_t _ptr_sam6; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -1865,7 +1910,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > } > switch (level) { > case NetlogonValidationSamInfo: { >- uint32_t _ptr_sam2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam2)); > if (_ptr_sam2) { > NDR_PULL_ALLOC(ndr, r->sam2); >@@ -1875,7 +1919,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case NetlogonValidationSamInfo2: { >- uint32_t _ptr_sam3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam3)); > if (_ptr_sam3) { > NDR_PULL_ALLOC(ndr, r->sam3); >@@ -1885,7 +1928,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case 4: { >- uint32_t _ptr_pac; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_pac)); > if (_ptr_pac) { > NDR_PULL_ALLOC(ndr, r->pac); >@@ -1895,7 +1937,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case NetlogonValidationGenericInfo2: { >- uint32_t _ptr_generic; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_generic)); > if (_ptr_generic) { > NDR_PULL_ALLOC(ndr, r->generic); >@@ -1905,7 +1946,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_Validation(struct ndr_pull *ndr, int nd > break; } > > case NetlogonValidationSamInfo4: { >- uint32_t _ptr_sam6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam6)); > if (_ptr_sam6) { > NDR_PULL_ALLOC(ndr, r->sam6); >@@ -2046,12 +2086,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_Credential(struct ndr_push *ndr, int nd > > _PUBLIC_ enum ndr_err_code ndr_pull_netr_Credential(struct ndr_pull *ndr, int ndr_flags, struct netr_Credential *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 8)); >+ size_data_0 = 8; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -2138,6 +2180,8 @@ static enum ndr_err_code ndr_push_netr_DELTA_DELETE_USER(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_DELTA_DELETE_USER(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_DELETE_USER *r) > { > uint32_t _ptr_account_name; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; > TALLOC_CTX *_mem_save_account_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2162,11 +2206,13 @@ static enum ndr_err_code ndr_pull_netr_DELTA_DELETE_USER(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->account_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); >- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_name_0, 0); > } > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->unknown1)); >@@ -2257,6 +2303,8 @@ static enum ndr_err_code ndr_push_netr_PasswordHistory(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_netr_PasswordHistory(struct ndr_pull *ndr, int ndr_flags, struct netr_PasswordHistory *r) > { >+ uint32_t size_nt_history_0 = 0; >+ uint32_t size_lm_history_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->nt_length)); >@@ -2265,10 +2313,12 @@ static enum ndr_err_code ndr_pull_netr_PasswordHistory(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm_length)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm_size)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->lm_flags)); >- NDR_PULL_ALLOC_N(ndr, r->nt_history, r->nt_length); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nt_history, r->nt_length)); >- NDR_PULL_ALLOC_N(ndr, r->lm_history, r->lm_length); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->lm_history, r->lm_length)); >+ size_nt_history_0 = r->nt_length; >+ NDR_PULL_ALLOC_N(ndr, r->nt_history, size_nt_history_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nt_history, size_nt_history_0)); >+ size_lm_history_0 = r->lm_length; >+ NDR_PULL_ALLOC_N(ndr, r->lm_history, size_lm_history_0); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->lm_history, size_lm_history_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -2419,6 +2469,7 @@ static enum ndr_err_code ndr_push_netr_USER_PRIVATE_INFO(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_USER_PRIVATE_INFO(struct ndr_pull *ndr, int ndr_flags, struct netr_USER_PRIVATE_INFO *r) > { > uint32_t _ptr_SensitiveData; >+ uint32_t size_SensitiveData_1 = 0; > TALLOC_CTX *_mem_save_SensitiveData_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2444,8 +2495,9 @@ static enum ndr_err_code ndr_pull_netr_USER_PRIVATE_INFO(struct ndr_pull *ndr, i > _mem_save_SensitiveData_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->SensitiveData, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->SensitiveData)); >- NDR_PULL_ALLOC_N(ndr, r->SensitiveData, ndr_get_array_size(ndr, &r->SensitiveData)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SensitiveData, ndr_get_array_size(ndr, &r->SensitiveData))); >+ size_SensitiveData_1 = ndr_get_array_size(ndr, &r->SensitiveData); >+ NDR_PULL_ALLOC_N(ndr, r->SensitiveData, size_SensitiveData_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SensitiveData, size_SensitiveData_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_SensitiveData_0, 0); > } > ndr->flags = _flags_save_uint8; >@@ -2926,10 +2978,12 @@ static enum ndr_err_code ndr_push_netr_DELTA_GROUP_MEMBER(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_GROUP_MEMBER *r) > { > uint32_t _ptr_rids; >+ uint32_t size_rids_1 = 0; > uint32_t cntr_rids_1; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_rids_1; > uint32_t _ptr_attribs; >+ uint32_t size_attribs_1 = 0; > uint32_t cntr_attribs_1; > TALLOC_CTX *_mem_save_attribs_0; > TALLOC_CTX *_mem_save_attribs_1; >@@ -2958,10 +3012,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_1 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); > _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_1 = 0; cntr_rids_1 < r->num_rids; cntr_rids_1++) { >+ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); >@@ -2971,10 +3026,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, > _mem_save_attribs_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attribs, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->attribs)); >- NDR_PULL_ALLOC_N(ndr, r->attribs, ndr_get_array_size(ndr, &r->attribs)); >+ size_attribs_1 = ndr_get_array_size(ndr, &r->attribs); >+ NDR_PULL_ALLOC_N(ndr, r->attribs, size_attribs_1); > _mem_save_attribs_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->attribs, 0); >- for (cntr_attribs_1 = 0; cntr_attribs_1 < r->num_rids; cntr_attribs_1++) { >+ for (cntr_attribs_1 = 0; cntr_attribs_1 < size_attribs_1; cntr_attribs_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->attribs[cntr_attribs_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribs_1, 0); >@@ -3247,6 +3303,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_POLICY(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_DELTA_POLICY(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_POLICY *r) > { > uint32_t _ptr_eventauditoptions; >+ uint32_t size_eventauditoptions_1 = 0; > uint32_t cntr_eventauditoptions_1; > TALLOC_CTX *_mem_save_eventauditoptions_0; > TALLOC_CTX *_mem_save_eventauditoptions_1; >@@ -3290,10 +3347,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_POLICY(struct ndr_pull *ndr, int nd > _mem_save_eventauditoptions_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->eventauditoptions, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->eventauditoptions)); >- NDR_PULL_ALLOC_N(ndr, r->eventauditoptions, ndr_get_array_size(ndr, &r->eventauditoptions)); >+ size_eventauditoptions_1 = ndr_get_array_size(ndr, &r->eventauditoptions); >+ NDR_PULL_ALLOC_N(ndr, r->eventauditoptions, size_eventauditoptions_1); > _mem_save_eventauditoptions_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->eventauditoptions, 0); >- for (cntr_eventauditoptions_1 = 0; cntr_eventauditoptions_1 < r->maxauditeventcount + 1; cntr_eventauditoptions_1++) { >+ for (cntr_eventauditoptions_1 = 0; cntr_eventauditoptions_1 < size_eventauditoptions_1; cntr_eventauditoptions_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->eventauditoptions[cntr_eventauditoptions_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventauditoptions_1, 0); >@@ -3407,6 +3465,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_TRUSTED_DOMAIN(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_netr_DELTA_TRUSTED_DOMAIN(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_TRUSTED_DOMAIN *r) > { > uint32_t _ptr_controller_names; >+ uint32_t size_controller_names_1 = 0; > uint32_t cntr_controller_names_1; > TALLOC_CTX *_mem_save_controller_names_0; > TALLOC_CTX *_mem_save_controller_names_1; >@@ -3437,13 +3496,14 @@ static enum ndr_err_code ndr_pull_netr_DELTA_TRUSTED_DOMAIN(struct ndr_pull *ndr > _mem_save_controller_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->controller_names, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->controller_names)); >- NDR_PULL_ALLOC_N(ndr, r->controller_names, ndr_get_array_size(ndr, &r->controller_names)); >+ size_controller_names_1 = ndr_get_array_size(ndr, &r->controller_names); >+ NDR_PULL_ALLOC_N(ndr, r->controller_names, size_controller_names_1); > _mem_save_controller_names_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->controller_names, 0); >- for (cntr_controller_names_1 = 0; cntr_controller_names_1 < r->num_controllers; cntr_controller_names_1++) { >+ for (cntr_controller_names_1 = 0; cntr_controller_names_1 < size_controller_names_1; cntr_controller_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->controller_names[cntr_controller_names_1])); > } >- for (cntr_controller_names_1 = 0; cntr_controller_names_1 < r->num_controllers; cntr_controller_names_1++) { >+ for (cntr_controller_names_1 = 0; cntr_controller_names_1 < size_controller_names_1; cntr_controller_names_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->controller_names[cntr_controller_names_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_controller_names_1, 0); >@@ -3577,10 +3637,12 @@ static enum ndr_err_code ndr_push_netr_DELTA_ACCOUNT(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_ACCOUNT *r) > { > uint32_t _ptr_privilege_attrib; >+ uint32_t size_privilege_attrib_1 = 0; > uint32_t cntr_privilege_attrib_1; > TALLOC_CTX *_mem_save_privilege_attrib_0; > TALLOC_CTX *_mem_save_privilege_attrib_1; > uint32_t _ptr_privilege_name; >+ uint32_t size_privilege_name_1 = 0; > uint32_t cntr_privilege_name_1; > TALLOC_CTX *_mem_save_privilege_name_0; > TALLOC_CTX *_mem_save_privilege_name_1; >@@ -3618,10 +3680,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int n > _mem_save_privilege_attrib_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_attrib, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->privilege_attrib)); >- NDR_PULL_ALLOC_N(ndr, r->privilege_attrib, ndr_get_array_size(ndr, &r->privilege_attrib)); >+ size_privilege_attrib_1 = ndr_get_array_size(ndr, &r->privilege_attrib); >+ NDR_PULL_ALLOC_N(ndr, r->privilege_attrib, size_privilege_attrib_1); > _mem_save_privilege_attrib_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_attrib, 0); >- for (cntr_privilege_attrib_1 = 0; cntr_privilege_attrib_1 < r->privilege_entries; cntr_privilege_attrib_1++) { >+ for (cntr_privilege_attrib_1 = 0; cntr_privilege_attrib_1 < size_privilege_attrib_1; cntr_privilege_attrib_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->privilege_attrib[cntr_privilege_attrib_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privilege_attrib_1, 0); >@@ -3631,13 +3694,14 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int n > _mem_save_privilege_name_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->privilege_name)); >- NDR_PULL_ALLOC_N(ndr, r->privilege_name, ndr_get_array_size(ndr, &r->privilege_name)); >+ size_privilege_name_1 = ndr_get_array_size(ndr, &r->privilege_name); >+ NDR_PULL_ALLOC_N(ndr, r->privilege_name, size_privilege_name_1); > _mem_save_privilege_name_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->privilege_name, 0); >- for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < r->privilege_entries; cntr_privilege_name_1++) { >+ for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < size_privilege_name_1; cntr_privilege_name_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->privilege_name[cntr_privilege_name_1])); > } >- for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < r->privilege_entries; cntr_privilege_name_1++) { >+ for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < size_privilege_name_1; cntr_privilege_name_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->privilege_name[cntr_privilege_name_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privilege_name_1, 0); >@@ -3793,6 +3857,8 @@ static enum ndr_err_code ndr_push_netr_CIPHER_VALUE(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_CIPHER_VALUE(struct ndr_pull *ndr, int ndr_flags, struct netr_CIPHER_VALUE *r) > { > uint32_t _ptr_cipher_data; >+ uint32_t size_cipher_data_1 = 0; >+ uint32_t length_cipher_data_1 = 0; > TALLOC_CTX *_mem_save_cipher_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -3811,11 +3877,13 @@ static enum ndr_err_code ndr_pull_netr_CIPHER_VALUE(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->cipher_data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->cipher_data)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->cipher_data)); >- if (ndr_get_array_length(ndr, &r->cipher_data) > ndr_get_array_size(ndr, &r->cipher_data)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->cipher_data), ndr_get_array_length(ndr, &r->cipher_data)); >+ size_cipher_data_1 = ndr_get_array_size(ndr, &r->cipher_data); >+ length_cipher_data_1 = ndr_get_array_length(ndr, &r->cipher_data); >+ if (length_cipher_data_1 > size_cipher_data_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_cipher_data_1, length_cipher_data_1); > } >- NDR_PULL_ALLOC_N(ndr, r->cipher_data, ndr_get_array_size(ndr, &r->cipher_data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->cipher_data, ndr_get_array_length(ndr, &r->cipher_data))); >+ NDR_PULL_ALLOC_N(ndr, r->cipher_data, size_cipher_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->cipher_data, length_cipher_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cipher_data_0, 0); > } > if (r->cipher_data) { >@@ -4195,21 +4263,37 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_domain_0; >+ uint32_t _ptr_domain; > TALLOC_CTX *_mem_save_group_0; >+ uint32_t _ptr_group; > TALLOC_CTX *_mem_save_rename_group_0; >+ uint32_t _ptr_rename_group; > TALLOC_CTX *_mem_save_user_0; >+ uint32_t _ptr_user; > TALLOC_CTX *_mem_save_rename_user_0; >+ uint32_t _ptr_rename_user; > TALLOC_CTX *_mem_save_group_member_0; >+ uint32_t _ptr_group_member; > TALLOC_CTX *_mem_save_alias_0; >+ uint32_t _ptr_alias; > TALLOC_CTX *_mem_save_rename_alias_0; >+ uint32_t _ptr_rename_alias; > TALLOC_CTX *_mem_save_alias_member_0; >+ uint32_t _ptr_alias_member; > TALLOC_CTX *_mem_save_policy_0; >+ uint32_t _ptr_policy; > TALLOC_CTX *_mem_save_trusted_domain_0; >+ uint32_t _ptr_trusted_domain; > TALLOC_CTX *_mem_save_account_0; >+ uint32_t _ptr_account; > TALLOC_CTX *_mem_save_secret_0; >+ uint32_t _ptr_secret; > TALLOC_CTX *_mem_save_delete_group_0; >+ uint32_t _ptr_delete_group; > TALLOC_CTX *_mem_save_delete_user_0; >+ uint32_t _ptr_delete_user; > TALLOC_CTX *_mem_save_modified_count_0; >+ uint32_t _ptr_modified_count; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -4218,7 +4302,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > } > switch (level) { > case NETR_DELTA_DOMAIN: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -4228,7 +4311,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_GROUP: { >- uint32_t _ptr_group; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group)); > if (_ptr_group) { > NDR_PULL_ALLOC(ndr, r->group); >@@ -4241,7 +4323,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_RENAME_GROUP: { >- uint32_t _ptr_rename_group; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_group)); > if (_ptr_rename_group) { > NDR_PULL_ALLOC(ndr, r->rename_group); >@@ -4251,7 +4332,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_USER: { >- uint32_t _ptr_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); > if (_ptr_user) { > NDR_PULL_ALLOC(ndr, r->user); >@@ -4264,7 +4344,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_RENAME_USER: { >- uint32_t _ptr_rename_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_user)); > if (_ptr_rename_user) { > NDR_PULL_ALLOC(ndr, r->rename_user); >@@ -4274,7 +4353,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_GROUP_MEMBER: { >- uint32_t _ptr_group_member; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_member)); > if (_ptr_group_member) { > NDR_PULL_ALLOC(ndr, r->group_member); >@@ -4284,7 +4362,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_ALIAS: { >- uint32_t _ptr_alias; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_alias)); > if (_ptr_alias) { > NDR_PULL_ALLOC(ndr, r->alias); >@@ -4297,7 +4374,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_RENAME_ALIAS: { >- uint32_t _ptr_rename_alias; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_alias)); > if (_ptr_rename_alias) { > NDR_PULL_ALLOC(ndr, r->rename_alias); >@@ -4307,7 +4383,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_ALIAS_MEMBER: { >- uint32_t _ptr_alias_member; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_alias_member)); > if (_ptr_alias_member) { > NDR_PULL_ALLOC(ndr, r->alias_member); >@@ -4317,7 +4392,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_POLICY: { >- uint32_t _ptr_policy; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_policy)); > if (_ptr_policy) { > NDR_PULL_ALLOC(ndr, r->policy); >@@ -4327,7 +4401,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_TRUSTED_DOMAIN: { >- uint32_t _ptr_trusted_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_trusted_domain)); > if (_ptr_trusted_domain) { > NDR_PULL_ALLOC(ndr, r->trusted_domain); >@@ -4341,7 +4414,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_ACCOUNT: { >- uint32_t _ptr_account; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account)); > if (_ptr_account) { > NDR_PULL_ALLOC(ndr, r->account); >@@ -4355,7 +4427,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_SECRET: { >- uint32_t _ptr_secret; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_secret)); > if (_ptr_secret) { > NDR_PULL_ALLOC(ndr, r->secret); >@@ -4369,7 +4440,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_DELETE_GROUP2: { >- uint32_t _ptr_delete_group; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_delete_group)); > if (_ptr_delete_group) { > NDR_PULL_ALLOC(ndr, r->delete_group); >@@ -4379,7 +4449,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_DELETE_USER2: { >- uint32_t _ptr_delete_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_delete_user)); > if (_ptr_delete_user) { > NDR_PULL_ALLOC(ndr, r->delete_user); >@@ -4389,7 +4458,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_UNION(struct ndr_pull *ndr, int ndr > break; } > > case NETR_DELTA_MODIFY_COUNT: { >- uint32_t _ptr_modified_count; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_modified_count)); > if (_ptr_modified_count) { > NDR_PULL_ALLOC(ndr, r->modified_count); >@@ -4954,7 +5022,11 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > int level; > uint16_t _level; > TALLOC_CTX *_mem_save_sid_0; >+ uint32_t _ptr_sid; > TALLOC_CTX *_mem_save_name_0; >+ uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); >@@ -5011,7 +5083,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_POLICY: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5021,7 +5092,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_TRUSTED_DOMAIN: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5031,7 +5101,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_DELETE_TRUST: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5041,7 +5110,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_ACCOUNT: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5051,7 +5119,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_DELETE_ACCOUNT: { >- uint32_t _ptr_sid; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); > if (_ptr_sid) { > NDR_PULL_ALLOC(ndr, r->sid); >@@ -5061,7 +5128,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_SECRET: { >- uint32_t _ptr_name; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_name)); > if (_ptr_name) { > NDR_PULL_ALLOC(ndr, r->name); >@@ -5071,7 +5137,6 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > break; } > > case NETR_DELTA_DELETE_SECRET: { >- uint32_t _ptr_name; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_name)); > if (_ptr_name) { > NDR_PULL_ALLOC(ndr, r->name); >@@ -5184,11 +5249,13 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > break; >@@ -5199,11 +5266,13 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ID_UNION(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > break; >@@ -5428,6 +5497,7 @@ static enum ndr_err_code ndr_push_netr_DELTA_ENUM_ARRAY(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_netr_DELTA_ENUM_ARRAY(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_ENUM_ARRAY *r) > { > uint32_t _ptr_delta_enum; >+ uint32_t size_delta_enum_1 = 0; > uint32_t cntr_delta_enum_1; > TALLOC_CTX *_mem_save_delta_enum_0; > TALLOC_CTX *_mem_save_delta_enum_1; >@@ -5446,13 +5516,14 @@ static enum ndr_err_code ndr_pull_netr_DELTA_ENUM_ARRAY(struct ndr_pull *ndr, in > _mem_save_delta_enum_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->delta_enum, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->delta_enum)); >- NDR_PULL_ALLOC_N(ndr, r->delta_enum, ndr_get_array_size(ndr, &r->delta_enum)); >+ size_delta_enum_1 = ndr_get_array_size(ndr, &r->delta_enum); >+ NDR_PULL_ALLOC_N(ndr, r->delta_enum, size_delta_enum_1); > _mem_save_delta_enum_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->delta_enum, 0); >- for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < r->num_deltas; cntr_delta_enum_1++) { >+ for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < size_delta_enum_1; cntr_delta_enum_1++) { > NDR_CHECK(ndr_pull_netr_DELTA_ENUM(ndr, NDR_SCALARS, &r->delta_enum[cntr_delta_enum_1])); > } >- for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < r->num_deltas; cntr_delta_enum_1++) { >+ for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < size_delta_enum_1; cntr_delta_enum_1++) { > NDR_CHECK(ndr_pull_netr_DELTA_ENUM(ndr, NDR_BUFFERS, &r->delta_enum[cntr_delta_enum_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_delta_enum_1, 0); >@@ -5509,12 +5580,14 @@ static enum ndr_err_code ndr_push_netr_UAS_INFO_0(struct ndr_push *ndr, int ndr_ > > static enum ndr_err_code ndr_pull_netr_UAS_INFO_0(struct ndr_pull *ndr, int ndr_flags, struct netr_UAS_INFO_0 *r) > { >+ uint32_t size_computer_name_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->computer_name, 16)); >+ size_computer_name_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->computer_name, size_computer_name_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->timecreated)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->serial_number)); > } >@@ -5660,6 +5733,8 @@ static enum ndr_err_code ndr_push_netr_NETLOGON_INFO_2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_2(struct ndr_pull *ndr, int ndr_flags, struct netr_NETLOGON_INFO_2 *r) > { > uint32_t _ptr_trusted_dc_name; >+ uint32_t size_trusted_dc_name_1 = 0; >+ uint32_t length_trusted_dc_name_1 = 0; > TALLOC_CTX *_mem_save_trusted_dc_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -5679,11 +5754,13 @@ static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->trusted_dc_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_dc_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_dc_name)); >- if (ndr_get_array_length(ndr, &r->trusted_dc_name) > ndr_get_array_size(ndr, &r->trusted_dc_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_dc_name), ndr_get_array_length(ndr, &r->trusted_dc_name)); >+ size_trusted_dc_name_1 = ndr_get_array_size(ndr, &r->trusted_dc_name); >+ length_trusted_dc_name_1 = ndr_get_array_length(ndr, &r->trusted_dc_name); >+ if (length_trusted_dc_name_1 > size_trusted_dc_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_dc_name_1, length_trusted_dc_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_dc_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, length_trusted_dc_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_dc_name_0, 0); > } > } >@@ -5781,8 +5858,12 @@ static enum ndr_err_code ndr_push_netr_NETLOGON_INFO_4(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_4(struct ndr_pull *ndr, int ndr_flags, struct netr_NETLOGON_INFO_4 *r) > { > uint32_t _ptr_trusted_dc_name; >+ uint32_t size_trusted_dc_name_1 = 0; >+ uint32_t length_trusted_dc_name_1 = 0; > TALLOC_CTX *_mem_save_trusted_dc_name_0; > uint32_t _ptr_trusted_domain_name; >+ uint32_t size_trusted_domain_name_1 = 0; >+ uint32_t length_trusted_domain_name_1 = 0; > TALLOC_CTX *_mem_save_trusted_domain_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -5805,11 +5886,13 @@ static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->trusted_dc_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_dc_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_dc_name)); >- if (ndr_get_array_length(ndr, &r->trusted_dc_name) > ndr_get_array_size(ndr, &r->trusted_dc_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_dc_name), ndr_get_array_length(ndr, &r->trusted_dc_name)); >+ size_trusted_dc_name_1 = ndr_get_array_size(ndr, &r->trusted_dc_name); >+ length_trusted_dc_name_1 = ndr_get_array_length(ndr, &r->trusted_dc_name); >+ if (length_trusted_dc_name_1 > size_trusted_dc_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_dc_name_1, length_trusted_dc_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_dc_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, length_trusted_dc_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_dc_name_0, 0); > } > if (r->trusted_domain_name) { >@@ -5817,11 +5900,13 @@ static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->trusted_domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_domain_name)); >- if (ndr_get_array_length(ndr, &r->trusted_domain_name) > ndr_get_array_size(ndr, &r->trusted_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_domain_name), ndr_get_array_length(ndr, &r->trusted_domain_name)); >+ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->trusted_domain_name); >+ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->trusted_domain_name); >+ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_domain_name, ndr_get_array_length(ndr, &r->trusted_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_domain_name_0, 0); > } > } >@@ -5912,9 +5997,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -5923,7 +6012,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > } > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -5933,7 +6021,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -5943,7 +6030,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -5953,7 +6039,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_QUERY_INFORMATION(struct ndr_pull > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -6207,7 +6292,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_domain_0; >+ uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > TALLOC_CTX *_mem_save_user_0; >+ uint32_t _ptr_user; >+ uint32_t size_user_1 = 0; >+ uint32_t length_user_1 = 0; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -6216,7 +6307,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > } > switch (level) { > case NETLOGON_CONTROL_REDISCOVER: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6226,7 +6316,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_TC_QUERY: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6236,7 +6325,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_TRANSPORT_NOTIFY: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6246,7 +6334,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_CHANGE_PASSWORD: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6256,7 +6343,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_TC_VERIFY: { >- uint32_t _ptr_domain; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); > if (_ptr_domain) { > NDR_PULL_ALLOC(ndr, r->domain); >@@ -6266,7 +6352,6 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > break; } > > case NETLOGON_CONTROL_FIND_USER: { >- uint32_t _ptr_user; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); > if (_ptr_user) { > NDR_PULL_ALLOC(ndr, r->user); >@@ -6291,11 +6376,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6306,11 +6393,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6321,11 +6410,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6336,11 +6427,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6351,11 +6444,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); >- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > break; >@@ -6366,11 +6461,13 @@ static enum ndr_err_code ndr_pull_netr_CONTROL_DATA_INFORMATION(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); >- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); >+ size_user_1 = ndr_get_array_size(ndr, &r->user); >+ length_user_1 = ndr_get_array_length(ndr, &r->user); >+ if (length_user_1 > size_user_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); > } > break; >@@ -6703,6 +6800,7 @@ static enum ndr_err_code ndr_push_netr_Blob(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_netr_Blob(struct ndr_pull *ndr, int ndr_flags, struct netr_Blob *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6719,8 +6817,9 @@ static enum ndr_err_code ndr_pull_netr_Blob(struct ndr_pull *ndr, int ndr_flags, > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -6903,16 +7002,28 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_DsRGetDCNameInfo(struct ndr_push *ndr, > _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRGetDCNameInfo *r) > { > uint32_t _ptr_dc_unc; >+ uint32_t size_dc_unc_1 = 0; >+ uint32_t length_dc_unc_1 = 0; > TALLOC_CTX *_mem_save_dc_unc_0; > uint32_t _ptr_dc_address; >+ uint32_t size_dc_address_1 = 0; >+ uint32_t length_dc_address_1 = 0; > TALLOC_CTX *_mem_save_dc_address_0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_domain_name_0; > uint32_t _ptr_forest_name; >+ uint32_t size_forest_name_1 = 0; >+ uint32_t length_forest_name_1 = 0; > TALLOC_CTX *_mem_save_forest_name_0; > uint32_t _ptr_dc_site_name; >+ uint32_t size_dc_site_name_1 = 0; >+ uint32_t length_dc_site_name_1 = 0; > TALLOC_CTX *_mem_save_dc_site_name_0; > uint32_t _ptr_client_site_name; >+ uint32_t size_client_site_name_1 = 0; >+ uint32_t length_client_site_name_1 = 0; > TALLOC_CTX *_mem_save_client_site_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6962,11 +7073,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->dc_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_unc)); >- if (ndr_get_array_length(ndr, &r->dc_unc) > ndr_get_array_size(ndr, &r->dc_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_unc), ndr_get_array_length(ndr, &r->dc_unc)); >+ size_dc_unc_1 = ndr_get_array_size(ndr, &r->dc_unc); >+ length_dc_unc_1 = ndr_get_array_length(ndr, &r->dc_unc); >+ if (length_dc_unc_1 > size_dc_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_unc_1, length_dc_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_unc, ndr_get_array_length(ndr, &r->dc_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_unc, length_dc_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_unc_0, 0); > } > if (r->dc_address) { >@@ -6974,11 +7087,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->dc_address, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_address)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_address)); >- if (ndr_get_array_length(ndr, &r->dc_address) > ndr_get_array_size(ndr, &r->dc_address)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_address), ndr_get_array_length(ndr, &r->dc_address)); >+ size_dc_address_1 = ndr_get_array_size(ndr, &r->dc_address); >+ length_dc_address_1 = ndr_get_array_length(ndr, &r->dc_address); >+ if (length_dc_address_1 > size_dc_address_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_address_1, length_dc_address_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_address), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_address, ndr_get_array_length(ndr, &r->dc_address), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_address_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_address, length_dc_address_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_address_0, 0); > } > if (r->domain_name) { >@@ -6986,11 +7101,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); >- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > if (r->forest_name) { >@@ -6998,11 +7115,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->forest_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->forest_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->forest_name)); >- if (ndr_get_array_length(ndr, &r->forest_name) > ndr_get_array_size(ndr, &r->forest_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->forest_name), ndr_get_array_length(ndr, &r->forest_name)); >+ size_forest_name_1 = ndr_get_array_size(ndr, &r->forest_name); >+ length_forest_name_1 = ndr_get_array_length(ndr, &r->forest_name); >+ if (length_forest_name_1 > size_forest_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_forest_name_1, length_forest_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->forest_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest_name, ndr_get_array_length(ndr, &r->forest_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_forest_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest_name, length_forest_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_name_0, 0); > } > if (r->dc_site_name) { >@@ -7010,11 +7129,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->dc_site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_site_name)); >- if (ndr_get_array_length(ndr, &r->dc_site_name) > ndr_get_array_size(ndr, &r->dc_site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_site_name), ndr_get_array_length(ndr, &r->dc_site_name)); >+ size_dc_site_name_1 = ndr_get_array_size(ndr, &r->dc_site_name); >+ length_dc_site_name_1 = ndr_get_array_length(ndr, &r->dc_site_name); >+ if (length_dc_site_name_1 > size_dc_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_site_name_1, length_dc_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_site_name, ndr_get_array_length(ndr, &r->dc_site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_site_name, length_dc_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_site_name_0, 0); > } > if (r->client_site_name) { >@@ -7022,11 +7143,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->client_site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->client_site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->client_site_name)); >- if (ndr_get_array_length(ndr, &r->client_site_name) > ndr_get_array_size(ndr, &r->client_site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_site_name), ndr_get_array_length(ndr, &r->client_site_name)); >+ size_client_site_name_1 = ndr_get_array_size(ndr, &r->client_site_name); >+ length_client_site_name_1 = ndr_get_array_length(ndr, &r->client_site_name); >+ if (length_client_site_name_1 > size_client_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_site_name_1, length_client_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_site_name, ndr_get_array_length(ndr, &r->client_site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_site_name, length_client_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_site_name_0, 0); > } > } >@@ -7250,17 +7373,30 @@ static enum ndr_err_code ndr_push_netr_DomainQuery1(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainQuery1 *r) > { > uint32_t _ptr_workstation_domain; >+ uint32_t size_workstation_domain_1 = 0; >+ uint32_t length_workstation_domain_1 = 0; > TALLOC_CTX *_mem_save_workstation_domain_0; > uint32_t _ptr_workstation_site; >+ uint32_t size_workstation_site_1 = 0; >+ uint32_t length_workstation_site_1 = 0; > TALLOC_CTX *_mem_save_workstation_site_0; > uint32_t _ptr_unknown1; >+ uint32_t size_unknown1_1 = 0; >+ uint32_t length_unknown1_1 = 0; > TALLOC_CTX *_mem_save_unknown1_0; > uint32_t _ptr_unknown2; >+ uint32_t size_unknown2_1 = 0; >+ uint32_t length_unknown2_1 = 0; > TALLOC_CTX *_mem_save_unknown2_0; > uint32_t _ptr_unknown3; >+ uint32_t size_unknown3_1 = 0; >+ uint32_t length_unknown3_1 = 0; > TALLOC_CTX *_mem_save_unknown3_0; > uint32_t _ptr_unknown4; >+ uint32_t size_unknown4_1 = 0; >+ uint32_t length_unknown4_1 = 0; > TALLOC_CTX *_mem_save_unknown4_0; >+ uint32_t size_unknown7_0 = 0; > uint32_t cntr_unknown7_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7305,7 +7441,8 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->product)); > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->unknown5)); > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->unknown6)); >- for (cntr_unknown7_0 = 0; cntr_unknown7_0 < 4; cntr_unknown7_0++) { >+ size_unknown7_0 = 4; >+ for (cntr_unknown7_0 = 0; cntr_unknown7_0 < size_unknown7_0; cntr_unknown7_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown7[cntr_unknown7_0])); > } > } >@@ -7316,11 +7453,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->workstation_domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->workstation_domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->workstation_domain)); >- if (ndr_get_array_length(ndr, &r->workstation_domain) > ndr_get_array_size(ndr, &r->workstation_domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->workstation_domain), ndr_get_array_length(ndr, &r->workstation_domain)); >+ size_workstation_domain_1 = ndr_get_array_size(ndr, &r->workstation_domain); >+ length_workstation_domain_1 = ndr_get_array_length(ndr, &r->workstation_domain); >+ if (length_workstation_domain_1 > size_workstation_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_domain_1, length_workstation_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->workstation_domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->workstation_domain, ndr_get_array_length(ndr, &r->workstation_domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->workstation_domain, length_workstation_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_workstation_domain_0, 0); > } > if (r->workstation_site) { >@@ -7328,11 +7467,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->workstation_site, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->workstation_site)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->workstation_site)); >- if (ndr_get_array_length(ndr, &r->workstation_site) > ndr_get_array_size(ndr, &r->workstation_site)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->workstation_site), ndr_get_array_length(ndr, &r->workstation_site)); >+ size_workstation_site_1 = ndr_get_array_size(ndr, &r->workstation_site); >+ length_workstation_site_1 = ndr_get_array_length(ndr, &r->workstation_site); >+ if (length_workstation_site_1 > size_workstation_site_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_site_1, length_workstation_site_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->workstation_site), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->workstation_site, ndr_get_array_length(ndr, &r->workstation_site), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_site_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->workstation_site, length_workstation_site_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_workstation_site_0, 0); > } > if (r->unknown1) { >@@ -7340,11 +7481,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown1, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown1)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown1)); >- if (ndr_get_array_length(ndr, &r->unknown1) > ndr_get_array_size(ndr, &r->unknown1)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown1), ndr_get_array_length(ndr, &r->unknown1)); >+ size_unknown1_1 = ndr_get_array_size(ndr, &r->unknown1); >+ length_unknown1_1 = ndr_get_array_length(ndr, &r->unknown1); >+ if (length_unknown1_1 > size_unknown1_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown1_1, length_unknown1_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown1), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown1, ndr_get_array_length(ndr, &r->unknown1), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown1_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown1, length_unknown1_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown1_0, 0); > } > if (r->unknown2) { >@@ -7352,11 +7495,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown2, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown2)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown2)); >- if (ndr_get_array_length(ndr, &r->unknown2) > ndr_get_array_size(ndr, &r->unknown2)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown2), ndr_get_array_length(ndr, &r->unknown2)); >+ size_unknown2_1 = ndr_get_array_size(ndr, &r->unknown2); >+ length_unknown2_1 = ndr_get_array_length(ndr, &r->unknown2); >+ if (length_unknown2_1 > size_unknown2_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); > } > if (r->unknown3) { >@@ -7364,11 +7509,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown3, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown3)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown3)); >- if (ndr_get_array_length(ndr, &r->unknown3) > ndr_get_array_size(ndr, &r->unknown3)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown3), ndr_get_array_length(ndr, &r->unknown3)); >+ size_unknown3_1 = ndr_get_array_size(ndr, &r->unknown3); >+ length_unknown3_1 = ndr_get_array_length(ndr, &r->unknown3); >+ if (length_unknown3_1 > size_unknown3_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown3_1, length_unknown3_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown3), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown3, ndr_get_array_length(ndr, &r->unknown3), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown3_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown3, length_unknown3_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown3_0, 0); > } > if (r->unknown4) { >@@ -7376,11 +7523,13 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery1(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->unknown4, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown4)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown4)); >- if (ndr_get_array_length(ndr, &r->unknown4) > ndr_get_array_size(ndr, &r->unknown4)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown4), ndr_get_array_length(ndr, &r->unknown4)); >+ size_unknown4_1 = ndr_get_array_size(ndr, &r->unknown4); >+ length_unknown4_1 = ndr_get_array_length(ndr, &r->unknown4); >+ if (length_unknown4_1 > size_unknown4_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown4_1, length_unknown4_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown4), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown4, ndr_get_array_length(ndr, &r->unknown4), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown4_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown4, length_unknown4_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown4_0, 0); > } > NDR_CHECK(ndr_pull_lsa_BinaryString(ndr, NDR_BUFFERS, &r->blob2)); >@@ -7495,6 +7644,7 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery(struct ndr_pull *ndr, int ndr > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_query1_0; >+ uint32_t _ptr_query1; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -7503,7 +7653,6 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery(struct ndr_pull *ndr, int ndr > } > switch (level) { > case 1: { >- uint32_t _ptr_query1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_query1)); > if (_ptr_query1) { > NDR_PULL_ALLOC(ndr, r->query1); >@@ -7513,7 +7662,6 @@ static enum ndr_err_code ndr_pull_netr_DomainQuery(struct ndr_pull *ndr, int ndr > break; } > > case 2: { >- uint32_t _ptr_query1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_query1)); > if (_ptr_query1) { > NDR_PULL_ALLOC(ndr, r->query1); >@@ -7725,7 +7873,9 @@ static enum ndr_err_code ndr_pull_netr_DomainTrustInfo(struct ndr_pull *ndr, int > { > uint32_t _ptr_sid; > TALLOC_CTX *_mem_save_sid_0; >+ uint32_t size_dummystring_0 = 0; > uint32_t cntr_dummystring_0; >+ uint32_t size_dummy_0 = 0; > uint32_t cntr_dummy_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7740,10 +7890,12 @@ static enum ndr_err_code ndr_pull_netr_DomainTrustInfo(struct ndr_pull *ndr, int > r->sid = NULL; > } > NDR_CHECK(ndr_pull_netr_trust_extension_container(ndr, NDR_SCALARS, &r->trust_extension)); >- for (cntr_dummystring_0 = 0; cntr_dummystring_0 < 3; cntr_dummystring_0++) { >+ size_dummystring_0 = 3; >+ for (cntr_dummystring_0 = 0; cntr_dummystring_0 < size_dummystring_0; cntr_dummystring_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->dummystring[cntr_dummystring_0])); > } >- for (cntr_dummy_0 = 0; cntr_dummy_0 < 4; cntr_dummy_0++) { >+ size_dummy_0 = 4; >+ for (cntr_dummy_0 = 0; cntr_dummy_0 < size_dummy_0; cntr_dummy_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->dummy[cntr_dummy_0])); > } > } >@@ -7758,7 +7910,8 @@ static enum ndr_err_code ndr_pull_netr_DomainTrustInfo(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sid_0, 0); > } > NDR_CHECK(ndr_pull_netr_trust_extension_container(ndr, NDR_BUFFERS, &r->trust_extension)); >- for (cntr_dummystring_0 = 0; cntr_dummystring_0 < 3; cntr_dummystring_0++) { >+ size_dummystring_0 = 3; >+ for (cntr_dummystring_0 = 0; cntr_dummystring_0 < size_dummystring_0; cntr_dummystring_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->dummystring[cntr_dummystring_0])); > } > } >@@ -7824,6 +7977,7 @@ static enum ndr_err_code ndr_push_netr_LsaPolicyInfo(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_netr_LsaPolicyInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_LsaPolicyInfo *r) > { > uint32_t _ptr_policy; >+ uint32_t size_policy_1 = 0; > TALLOC_CTX *_mem_save_policy_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7840,8 +7994,9 @@ static enum ndr_err_code ndr_pull_netr_LsaPolicyInfo(struct ndr_pull *ndr, int n > _mem_save_policy_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->policy, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->policy)); >- NDR_PULL_ALLOC_N(ndr, r->policy, ndr_get_array_size(ndr, &r->policy)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->policy, ndr_get_array_size(ndr, &r->policy))); >+ size_policy_1 = ndr_get_array_size(ndr, &r->policy); >+ NDR_PULL_ALLOC_N(ndr, r->policy, size_policy_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->policy, size_policy_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_policy_0, 0); > } > if (r->policy) { >@@ -7932,10 +8087,13 @@ static enum ndr_err_code ndr_push_netr_DomainInfo1(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_netr_DomainInfo1(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainInfo1 *r) > { > uint32_t _ptr_trusts; >+ uint32_t size_trusts_1 = 0; > uint32_t cntr_trusts_1; > TALLOC_CTX *_mem_save_trusts_0; > TALLOC_CTX *_mem_save_trusts_1; >+ uint32_t size_dummystring_0 = 0; > uint32_t cntr_dummystring_0; >+ uint32_t size_dummy_0 = 0; > uint32_t cntr_dummy_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7949,12 +8107,14 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo1(struct ndr_pull *ndr, int ndr > } > NDR_CHECK(ndr_pull_netr_LsaPolicyInfo(ndr, NDR_SCALARS, &r->lsa_policy)); > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->dns_hostname)); >- for (cntr_dummystring_0 = 0; cntr_dummystring_0 < 3; cntr_dummystring_0++) { >+ size_dummystring_0 = 3; >+ for (cntr_dummystring_0 = 0; cntr_dummystring_0 < size_dummystring_0; cntr_dummystring_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->dummystring[cntr_dummystring_0])); > } > NDR_CHECK(ndr_pull_netr_WorkstationFlags(ndr, NDR_SCALARS, &r->workstation_flags)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->supported_enc_types)); >- for (cntr_dummy_0 = 0; cntr_dummy_0 < 2; cntr_dummy_0++) { >+ size_dummy_0 = 2; >+ for (cntr_dummy_0 = 0; cntr_dummy_0 < size_dummy_0; cntr_dummy_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->dummy[cntr_dummy_0])); > } > } >@@ -7964,13 +8124,14 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo1(struct ndr_pull *ndr, int ndr > _mem_save_trusts_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->trusts, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->trusts)); >- NDR_PULL_ALLOC_N(ndr, r->trusts, ndr_get_array_size(ndr, &r->trusts)); >+ size_trusts_1 = ndr_get_array_size(ndr, &r->trusts); >+ NDR_PULL_ALLOC_N(ndr, r->trusts, size_trusts_1); > _mem_save_trusts_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->trusts, 0); >- for (cntr_trusts_1 = 0; cntr_trusts_1 < r->num_trusts; cntr_trusts_1++) { >+ for (cntr_trusts_1 = 0; cntr_trusts_1 < size_trusts_1; cntr_trusts_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrustInfo(ndr, NDR_SCALARS, &r->trusts[cntr_trusts_1])); > } >- for (cntr_trusts_1 = 0; cntr_trusts_1 < r->num_trusts; cntr_trusts_1++) { >+ for (cntr_trusts_1 = 0; cntr_trusts_1 < size_trusts_1; cntr_trusts_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrustInfo(ndr, NDR_BUFFERS, &r->trusts[cntr_trusts_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusts_1, 0); >@@ -7978,7 +8139,8 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo1(struct ndr_pull *ndr, int ndr > } > NDR_CHECK(ndr_pull_netr_LsaPolicyInfo(ndr, NDR_BUFFERS, &r->lsa_policy)); > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->dns_hostname)); >- for (cntr_dummystring_0 = 0; cntr_dummystring_0 < 3; cntr_dummystring_0++) { >+ size_dummystring_0 = 3; >+ for (cntr_dummystring_0 = 0; cntr_dummystring_0 < size_dummystring_0; cntr_dummystring_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->dummystring[cntr_dummystring_0])); > } > if (r->trusts) { >@@ -8084,7 +8246,9 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo(struct ndr_pull *ndr, int ndr_ > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -8093,7 +8257,6 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo(struct ndr_pull *ndr, int ndr_ > } > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -8103,7 +8266,6 @@ static enum ndr_err_code ndr_pull_netr_DomainInfo(struct ndr_pull *ndr, int ndr_ > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -8191,12 +8353,14 @@ static enum ndr_err_code ndr_push_netr_CryptPassword(struct ndr_push *ndr, int n > > static enum ndr_err_code ndr_pull_netr_CryptPassword(struct ndr_pull *ndr, int ndr_flags, struct netr_CryptPassword *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 512)); >+ size_data_0 = 512; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); > } > if (ndr_flags & NDR_BUFFERS) { >@@ -8245,6 +8409,7 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesWCtr(struct ndr_push > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesWCtr(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddressToSitenamesWCtr *r) > { > uint32_t _ptr_sitename; >+ uint32_t size_sitename_1 = 0; > uint32_t cntr_sitename_1; > TALLOC_CTX *_mem_save_sitename_0; > TALLOC_CTX *_mem_save_sitename_1; >@@ -8263,13 +8428,14 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesWCtr(struct ndr_pull > _mem_save_sitename_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); >- NDR_PULL_ALLOC_N(ndr, r->sitename, ndr_get_array_size(ndr, &r->sitename)); >+ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); >+ NDR_PULL_ALLOC_N(ndr, r->sitename, size_sitename_1); > _mem_save_sitename_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sitename[cntr_sitename_1])); > } >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sitename[cntr_sitename_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_1, 0); >@@ -8325,6 +8491,7 @@ static enum ndr_err_code ndr_push_netr_DsRAddress(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_netr_DsRAddress(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddress *r) > { > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_buffer_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -8341,8 +8508,9 @@ static enum ndr_err_code ndr_pull_netr_DsRAddress(struct ndr_pull *ndr, int ndr_ > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->buffer)); >- NDR_PULL_ALLOC_N(ndr, r->buffer, ndr_get_array_size(ndr, &r->buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, ndr_get_array_size(ndr, &r->buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->buffer); >+ NDR_PULL_ALLOC_N(ndr, r->buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > if (r->buffer) { >@@ -8457,8 +8625,12 @@ static enum ndr_err_code ndr_push_netr_DomainTrust(struct ndr_push *ndr, int ndr > static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainTrust *r) > { > uint32_t _ptr_netbios_name; >+ uint32_t size_netbios_name_1 = 0; >+ uint32_t length_netbios_name_1 = 0; > TALLOC_CTX *_mem_save_netbios_name_0; > uint32_t _ptr_dns_name; >+ uint32_t size_dns_name_1 = 0; >+ uint32_t length_dns_name_1 = 0; > TALLOC_CTX *_mem_save_dns_name_0; > uint32_t _ptr_sid; > TALLOC_CTX *_mem_save_sid_0; >@@ -8494,11 +8666,13 @@ static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); >- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); >+ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); >+ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); >+ if (length_netbios_name_1 > size_netbios_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); > } > if (r->dns_name) { >@@ -8506,11 +8680,13 @@ static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr > NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); >- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); >+ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); >+ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); >+ if (length_dns_name_1 > size_dns_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); > } > if (r->sid) { >@@ -8578,6 +8754,7 @@ static enum ndr_err_code ndr_push_netr_DomainTrustList(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DomainTrustList(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainTrustList *r) > { > uint32_t _ptr_array; >+ uint32_t size_array_1 = 0; > uint32_t cntr_array_1; > TALLOC_CTX *_mem_save_array_0; > TALLOC_CTX *_mem_save_array_1; >@@ -8596,13 +8773,14 @@ static enum ndr_err_code ndr_pull_netr_DomainTrustList(struct ndr_pull *ndr, int > _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); >- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); >+ size_array_1 = ndr_get_array_size(ndr, &r->array); >+ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); > _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrust(ndr, NDR_SCALARS, &r->array[cntr_array_1])); > } >- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { >+ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { > NDR_CHECK(ndr_pull_netr_DomainTrust(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); >@@ -8675,10 +8853,12 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesExWCtr(struct ndr_pu > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddressToSitenamesExWCtr *r) > { > uint32_t _ptr_sitename; >+ uint32_t size_sitename_1 = 0; > uint32_t cntr_sitename_1; > TALLOC_CTX *_mem_save_sitename_0; > TALLOC_CTX *_mem_save_sitename_1; > uint32_t _ptr_subnetname; >+ uint32_t size_subnetname_1 = 0; > uint32_t cntr_subnetname_1; > TALLOC_CTX *_mem_save_subnetname_0; > TALLOC_CTX *_mem_save_subnetname_1; >@@ -8703,13 +8883,14 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pu > _mem_save_sitename_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); >- NDR_PULL_ALLOC_N(ndr, r->sitename, ndr_get_array_size(ndr, &r->sitename)); >+ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); >+ NDR_PULL_ALLOC_N(ndr, r->sitename, size_sitename_1); > _mem_save_sitename_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sitename[cntr_sitename_1])); > } >- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { >+ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sitename[cntr_sitename_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_1, 0); >@@ -8719,13 +8900,14 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pu > _mem_save_subnetname_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->subnetname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->subnetname)); >- NDR_PULL_ALLOC_N(ndr, r->subnetname, ndr_get_array_size(ndr, &r->subnetname)); >+ size_subnetname_1 = ndr_get_array_size(ndr, &r->subnetname); >+ NDR_PULL_ALLOC_N(ndr, r->subnetname, size_subnetname_1); > _mem_save_subnetname_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->subnetname, 0); >- for (cntr_subnetname_1 = 0; cntr_subnetname_1 < r->count; cntr_subnetname_1++) { >+ for (cntr_subnetname_1 = 0; cntr_subnetname_1 < size_subnetname_1; cntr_subnetname_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->subnetname[cntr_subnetname_1])); > } >- for (cntr_subnetname_1 = 0; cntr_subnetname_1 < r->count; cntr_subnetname_1++) { >+ for (cntr_subnetname_1 = 0; cntr_subnetname_1 < size_subnetname_1; cntr_subnetname_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->subnetname[cntr_subnetname_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_subnetname_1, 0); >@@ -8806,6 +8988,7 @@ static enum ndr_err_code ndr_push_DcSitesCtr(struct ndr_push *ndr, int ndr_flags > static enum ndr_err_code ndr_pull_DcSitesCtr(struct ndr_pull *ndr, int ndr_flags, struct DcSitesCtr *r) > { > uint32_t _ptr_sites; >+ uint32_t size_sites_1 = 0; > uint32_t cntr_sites_1; > TALLOC_CTX *_mem_save_sites_0; > TALLOC_CTX *_mem_save_sites_1; >@@ -8824,13 +9007,14 @@ static enum ndr_err_code ndr_pull_DcSitesCtr(struct ndr_pull *ndr, int ndr_flags > _mem_save_sites_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sites, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sites)); >- NDR_PULL_ALLOC_N(ndr, r->sites, ndr_get_array_size(ndr, &r->sites)); >+ size_sites_1 = ndr_get_array_size(ndr, &r->sites); >+ NDR_PULL_ALLOC_N(ndr, r->sites, size_sites_1); > _mem_save_sites_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sites, 0); >- for (cntr_sites_1 = 0; cntr_sites_1 < r->num_sites; cntr_sites_1++) { >+ for (cntr_sites_1 = 0; cntr_sites_1 < size_sites_1; cntr_sites_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sites[cntr_sites_1])); > } >- for (cntr_sites_1 = 0; cntr_sites_1 < r->num_sites; cntr_sites_1++) { >+ for (cntr_sites_1 = 0; cntr_sites_1 < size_sites_1; cntr_sites_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sites[cntr_sites_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sites_1, 0); >@@ -8901,10 +9085,12 @@ static enum ndr_err_code ndr_push_netr_TrustInfo(struct ndr_push *ndr, int ndr_f > static enum ndr_err_code ndr_pull_netr_TrustInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_TrustInfo *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > uint32_t cntr_data_1; > TALLOC_CTX *_mem_save_data_0; > TALLOC_CTX *_mem_save_data_1; > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -8930,10 +9116,11 @@ static enum ndr_err_code ndr_pull_netr_TrustInfo(struct ndr_pull *ndr, int ndr_f > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); > _mem_save_data_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); >- for (cntr_data_1 = 0; cntr_data_1 < r->count; cntr_data_1++) { >+ for (cntr_data_1 = 0; cntr_data_1 < size_data_1; cntr_data_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->data[cntr_data_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_1, 0); >@@ -8943,13 +9130,14 @@ static enum ndr_err_code ndr_pull_netr_TrustInfo(struct ndr_pull *ndr, int ndr_f > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -9041,6 +9229,12 @@ static enum ndr_err_code ndr_push_netr_LogonUasLogon(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_LogonUasLogon(struct ndr_pull *ndr, int flags, struct netr_LogonUasLogon *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_workstation_0 = 0; >+ uint32_t length_workstation_0 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; >@@ -9059,27 +9253,33 @@ static enum ndr_err_code ndr_pull_netr_LogonUasLogon(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.workstation)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.workstation)); >- if (ndr_get_array_length(ndr, &r->in.workstation) > ndr_get_array_size(ndr, &r->in.workstation)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.workstation), ndr_get_array_length(ndr, &r->in.workstation)); >+ size_workstation_0 = ndr_get_array_size(ndr, &r->in.workstation); >+ length_workstation_0 = ndr_get_array_length(ndr, &r->in.workstation); >+ if (length_workstation_0 > size_workstation_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_0, length_workstation_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, length_workstation_0, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); > } >@@ -9177,6 +9377,12 @@ static enum ndr_err_code ndr_push_netr_LogonUasLogoff(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonUasLogoff(struct ndr_pull *ndr, int flags, struct netr_LogonUasLogoff *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_workstation_0 = 0; >+ uint32_t length_workstation_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -9193,27 +9399,33 @@ static enum ndr_err_code ndr_pull_netr_LogonUasLogoff(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.workstation)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.workstation)); >- if (ndr_get_array_length(ndr, &r->in.workstation) > ndr_get_array_size(ndr, &r->in.workstation)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.workstation), ndr_get_array_length(ndr, &r->in.workstation)); >+ size_workstation_0 = ndr_get_array_size(ndr, &r->in.workstation); >+ length_workstation_0 = ndr_get_array_length(ndr, &r->in.workstation); >+ if (length_workstation_0 > size_workstation_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_0, length_workstation_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, length_workstation_0, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_ALLOC(ndr, r->out.info); > ZERO_STRUCTP(r->out.info); > } >@@ -9318,7 +9530,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogon(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogon *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_credential; > uint32_t _ptr_return_authenticator; > TALLOC_CTX *_mem_save_server_name_0; >@@ -9342,11 +9558,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -9360,11 +9578,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); >@@ -9548,7 +9768,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogoff(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogoff *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_credential; > uint32_t _ptr_return_authenticator; > TALLOC_CTX *_mem_save_server_name_0; >@@ -9569,11 +9793,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -9587,11 +9813,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); >@@ -9726,6 +9954,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_ServerReqChallenge(struct ndr_push *ndr > _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerReqChallenge(struct ndr_pull *ndr, int flags, struct netr_ServerReqChallenge *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -9743,20 +9975,24 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerReqChallenge(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -9853,6 +10089,12 @@ static enum ndr_err_code ndr_push_netr_ServerAuthenticate(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerAuthenticate(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -9870,28 +10112,34 @@ static enum ndr_err_code ndr_pull_netr_ServerAuthenticate(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -9994,6 +10242,12 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_ServerPasswordSet(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordSet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -10012,28 +10266,34 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -10155,6 +10415,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseDeltas(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_netr_DatabaseDeltas(struct ndr_pull *ndr, int flags, struct netr_DatabaseDeltas *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -10166,18 +10430,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseDeltas(struct ndr_pull *ndr, int > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -10349,6 +10617,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseSync(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_netr_DatabaseSync(struct ndr_pull *ndr, int flags, struct netr_DatabaseSync *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -10360,18 +10632,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseSync(struct ndr_pull *ndr, int fl > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -10552,6 +10828,10 @@ static enum ndr_err_code ndr_push_netr_AccountDeltas(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_AccountDeltas(struct ndr_pull *ndr, int flags, struct netr_AccountDeltas *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_return_authenticator_0; > TALLOC_CTX *_mem_save_buffer_0; >@@ -10572,20 +10852,24 @@ static enum ndr_err_code ndr_pull_netr_AccountDeltas(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.return_authenticator); >@@ -10777,6 +11061,10 @@ static enum ndr_err_code ndr_push_netr_AccountSync(struct ndr_push *ndr, int fla > static enum ndr_err_code ndr_pull_netr_AccountSync(struct ndr_pull *ndr, int flags, struct netr_AccountSync *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_return_authenticator_0; > TALLOC_CTX *_mem_save_buffer_0; >@@ -10798,20 +11086,24 @@ static enum ndr_err_code ndr_pull_netr_AccountSync(struct ndr_pull *ndr, int fla > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.return_authenticator); >@@ -10993,8 +11285,14 @@ static enum ndr_err_code ndr_push_netr_GetDcName(struct ndr_push *ndr, int flags > > static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags, struct netr_GetDcName *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; > uint32_t _ptr_domainname; >+ uint32_t size_domainname_1 = 0; >+ uint32_t length_domainname_1 = 0; > uint32_t _ptr_dcname; >+ uint32_t size_dcname_2 = 0; >+ uint32_t length_dcname_2 = 0; > TALLOC_CTX *_mem_save_domainname_0; > TALLOC_CTX *_mem_save_dcname_0; > TALLOC_CTX *_mem_save_dcname_1; >@@ -11003,11 +11301,13 @@ static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domainname)); > if (_ptr_domainname) { > NDR_PULL_ALLOC(ndr, r->in.domainname); >@@ -11019,11 +11319,13 @@ static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags > NDR_PULL_SET_MEM_CTX(ndr, r->in.domainname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domainname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domainname)); >- if (ndr_get_array_length(ndr, &r->in.domainname) > ndr_get_array_size(ndr, &r->in.domainname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domainname), ndr_get_array_length(ndr, &r->in.domainname)); >+ size_domainname_1 = ndr_get_array_size(ndr, &r->in.domainname); >+ length_domainname_1 = ndr_get_array_length(ndr, &r->in.domainname); >+ if (length_domainname_1 > size_domainname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domainname_1, length_domainname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domainname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, length_domainname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domainname_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.dcname); >@@ -11046,11 +11348,13 @@ static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags > NDR_PULL_SET_MEM_CTX(ndr, *r->out.dcname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.dcname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.dcname)); >- if (ndr_get_array_length(ndr, r->out.dcname) > ndr_get_array_size(ndr, r->out.dcname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.dcname), ndr_get_array_length(ndr, r->out.dcname)); >+ size_dcname_2 = ndr_get_array_size(ndr, r->out.dcname); >+ length_dcname_2 = ndr_get_array_length(ndr, r->out.dcname); >+ if (length_dcname_2 > size_dcname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dcname_2, length_dcname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dcname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, length_dcname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -11123,6 +11427,8 @@ static enum ndr_err_code ndr_push_netr_LogonControl(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_netr_LogonControl(struct ndr_pull *ndr, int flags, struct netr_LogonControl *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_info_0; > if (flags & NDR_IN) { >@@ -11139,11 +11445,13 @@ static enum ndr_err_code ndr_pull_netr_LogonControl(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); >@@ -11236,8 +11544,14 @@ static enum ndr_err_code ndr_push_netr_GetAnyDCName(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int flags, struct netr_GetAnyDCName *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > uint32_t _ptr_domainname; >+ uint32_t size_domainname_1 = 0; >+ uint32_t length_domainname_1 = 0; > uint32_t _ptr_dcname; >+ uint32_t size_dcname_2 = 0; >+ uint32_t length_dcname_2 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_domainname_0; > TALLOC_CTX *_mem_save_dcname_0; >@@ -11256,11 +11570,13 @@ static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domainname)); >@@ -11274,11 +11590,13 @@ static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.domainname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domainname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domainname)); >- if (ndr_get_array_length(ndr, &r->in.domainname) > ndr_get_array_size(ndr, &r->in.domainname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domainname), ndr_get_array_length(ndr, &r->in.domainname)); >+ size_domainname_1 = ndr_get_array_size(ndr, &r->in.domainname); >+ length_domainname_1 = ndr_get_array_length(ndr, &r->in.domainname); >+ if (length_domainname_1 > size_domainname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domainname_1, length_domainname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domainname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, length_domainname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domainname_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.dcname); >@@ -11301,11 +11619,13 @@ static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, *r->out.dcname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.dcname)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.dcname)); >- if (ndr_get_array_length(ndr, r->out.dcname) > ndr_get_array_size(ndr, r->out.dcname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.dcname), ndr_get_array_length(ndr, r->out.dcname)); >+ size_dcname_2 = ndr_get_array_size(ndr, r->out.dcname); >+ length_dcname_2 = ndr_get_array_length(ndr, r->out.dcname); >+ if (length_dcname_2 > size_dcname_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dcname_2, length_dcname_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dcname_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, length_dcname_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_0, LIBNDR_FLAG_REF_ALLOC); >@@ -11388,6 +11708,8 @@ static enum ndr_err_code ndr_push_netr_LogonControl2(struct ndr_push *ndr, int f > static enum ndr_err_code ndr_pull_netr_LogonControl2(struct ndr_pull *ndr, int flags, struct netr_LogonControl2 *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_data_0; > TALLOC_CTX *_mem_save_query_0; >@@ -11405,11 +11727,13 @@ static enum ndr_err_code ndr_pull_netr_LogonControl2(struct ndr_pull *ndr, int f > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); >@@ -11523,6 +11847,12 @@ static enum ndr_err_code ndr_push_netr_ServerAuthenticate2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerAuthenticate2(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -11541,28 +11871,34 @@ static enum ndr_err_code ndr_pull_netr_ServerAuthenticate2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -11698,6 +12034,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseSync2(struct ndr_push *ndr, int f > > static enum ndr_err_code ndr_pull_netr_DatabaseSync2(struct ndr_pull *ndr, int flags, struct netr_DatabaseSync2 *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -11709,18 +12049,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseSync2(struct ndr_pull *ndr, int f > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -11891,6 +12235,10 @@ static enum ndr_err_code ndr_push_netr_DatabaseRedo(struct ndr_push *ndr, int fl > > static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int flags, struct netr_DatabaseRedo *r) > { >+ uint32_t size_logon_server_0 = 0; >+ uint32_t length_logon_server_0 = 0; >+ uint32_t size_computername_0 = 0; >+ uint32_t length_computername_0 = 0; > uint32_t _ptr_delta_enum_array; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -11901,18 +12249,22 @@ static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int fl > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_0 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_0 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_0 > size_logon_server_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_0, length_logon_server_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); >- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); >+ size_computername_0 = ndr_get_array_size(ndr, &r->in.computername); >+ length_computername_0 = ndr_get_array_length(ndr, &r->in.computername); >+ if (length_computername_0 > size_computername_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_0, length_computername_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -12048,6 +12400,8 @@ static enum ndr_err_code ndr_push_netr_LogonControl2Ex(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonControl2Ex(struct ndr_pull *ndr, int flags, struct netr_LogonControl2Ex *r) > { > uint32_t _ptr_logon_server; >+ uint32_t size_logon_server_1 = 0; >+ uint32_t length_logon_server_1 = 0; > TALLOC_CTX *_mem_save_logon_server_0; > TALLOC_CTX *_mem_save_data_0; > TALLOC_CTX *_mem_save_query_0; >@@ -12065,11 +12419,13 @@ static enum ndr_err_code ndr_pull_netr_LogonControl2Ex(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); >- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); >+ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); >+ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); >+ if (length_logon_server_1 > size_logon_server_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); >@@ -12162,6 +12518,8 @@ static enum ndr_err_code ndr_push_netr_NetrEnumerateTrustedDomains(struct ndr_pu > static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomains(struct ndr_pull *ndr, int flags, struct netr_NetrEnumerateTrustedDomains *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_trusted_domains_blob_0; > if (flags & NDR_IN) { >@@ -12178,11 +12536,13 @@ static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomains(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.trusted_domains_blob); >@@ -12275,7 +12635,11 @@ static enum ndr_err_code ndr_push_netr_DsRGetDCName(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCName *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_guid; > uint32_t _ptr_info; >@@ -12299,11 +12663,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); >@@ -12317,11 +12683,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -12472,7 +12840,11 @@ static enum ndr_err_code ndr_push_netr_LogonGetCapabilities(struct ndr_push *ndr > > static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr, int flags, struct netr_LogonGetCapabilities *r) > { >+ uint32_t size_server_name_0 = 0; >+ uint32_t length_server_name_0 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -12482,11 +12854,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_0 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_0 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_0 > size_server_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_0, length_server_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); > if (_ptr_computer_name) { > NDR_PULL_ALLOC(ndr, r->in.computer_name); >@@ -12498,11 +12872,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -12664,7 +13040,11 @@ static enum ndr_err_code ndr_push_netr_LogonGetTrustRid(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, int flags, struct netr_LogonGetTrustRid *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_domain_name_0; > TALLOC_CTX *_mem_save_rid_0; >@@ -12682,11 +13062,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); >@@ -12700,11 +13082,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.rid); >@@ -12891,6 +13275,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_netr_ServerAuthenticate3(struct ndr_push *nd > _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerAuthenticate3(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate3 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credentials_0; > TALLOC_CTX *_mem_save_return_credentials_0; >@@ -12910,28 +13300,34 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerAuthenticate3(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credentials); > } >@@ -13076,9 +13472,15 @@ static enum ndr_err_code ndr_push_netr_DsRGetDCNameEx(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCNameEx *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_domain_name_0; >@@ -13100,11 +13502,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); >@@ -13118,11 +13522,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -13148,11 +13554,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); >- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_DsRGetDCName_flags(ndr, NDR_SCALARS, &r->in.flags)); >@@ -13268,7 +13676,11 @@ static enum ndr_err_code ndr_push_netr_DsRGetSiteName(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int flags, struct netr_DsRGetSiteName *r) > { > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_site; >+ uint32_t size_site_2 = 0; >+ uint32_t length_site_2 = 0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_site_0; > TALLOC_CTX *_mem_save_site_1; >@@ -13286,11 +13698,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.site); >@@ -13313,11 +13727,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, *r->out.site, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.site)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.site)); >- if (ndr_get_array_length(ndr, r->out.site) > ndr_get_array_size(ndr, r->out.site)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.site), ndr_get_array_length(ndr, r->out.site)); >+ size_site_2 = ndr_get_array_size(ndr, r->out.site); >+ length_site_2 = ndr_get_array_length(ndr, r->out.site); >+ if (length_site_2 > size_site_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_2, length_site_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.site), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.site, ndr_get_array_length(ndr, r->out.site), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.site, length_site_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_0, LIBNDR_FLAG_REF_ALLOC); >@@ -13405,7 +13821,11 @@ static enum ndr_err_code ndr_push_netr_LogonGetDomainInfo(struct ndr_push *ndr, > > static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, int flags, struct netr_LogonGetDomainInfo *r) > { >+ uint32_t size_server_name_0 = 0; >+ uint32_t length_server_name_0 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -13415,11 +13835,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_0 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_0 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_0 > size_server_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_0, length_server_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); > if (_ptr_computer_name) { > NDR_PULL_ALLOC(ndr, r->in.computer_name); >@@ -13431,11 +13853,13 @@ static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -13570,6 +13994,12 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordSet2 *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -13588,28 +14018,34 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -13723,6 +14159,12 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordGet(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_netr_ServerPasswordGet(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordGet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -13741,28 +14183,34 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordGet(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -13917,6 +14365,9 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesW(struct ndr_push *n > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *ndr, int flags, struct netr_DsRAddressToSitenamesW *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_addresses_1 = 0; > uint32_t cntr_addresses_1; > uint32_t _ptr_ctr; > TALLOC_CTX *_mem_save_server_name_0; >@@ -13937,11 +14388,13 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); >@@ -13949,15 +14402,16 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *n > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.addresses)); >+ size_addresses_1 = ndr_get_array_size(ndr, &r->in.addresses); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.addresses, ndr_get_array_size(ndr, &r->in.addresses)); >+ NDR_PULL_ALLOC_N(ndr, r->in.addresses, size_addresses_1); > } > _mem_save_addresses_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.addresses, 0); >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_SCALARS, &r->in.addresses[cntr_addresses_1])); > } >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_BUFFERS, &r->in.addresses[cntr_addresses_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_1, 0); >@@ -14096,10 +14550,18 @@ static enum ndr_err_code ndr_push_netr_DsRGetDCNameEx2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCNameEx2 *r) > { > uint32_t _ptr_server_unc; >+ uint32_t size_server_unc_1 = 0; >+ uint32_t length_server_unc_1 = 0; > uint32_t _ptr_client_account; >+ uint32_t size_client_account_1 = 0; >+ uint32_t length_client_account_1 = 0; > uint32_t _ptr_domain_name; >+ uint32_t size_domain_name_1 = 0; >+ uint32_t length_domain_name_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_site_name; >+ uint32_t size_site_name_1 = 0; >+ uint32_t length_site_name_1 = 0; > uint32_t _ptr_info; > TALLOC_CTX *_mem_save_server_unc_0; > TALLOC_CTX *_mem_save_client_account_0; >@@ -14122,11 +14584,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); >- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); >+ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); >+ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); >+ if (length_server_unc_1 > size_server_unc_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client_account)); >@@ -14140,11 +14604,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.client_account, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client_account)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client_account)); >- if (ndr_get_array_length(ndr, &r->in.client_account) > ndr_get_array_size(ndr, &r->in.client_account)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client_account), ndr_get_array_length(ndr, &r->in.client_account)); >+ size_client_account_1 = ndr_get_array_size(ndr, &r->in.client_account); >+ length_client_account_1 = ndr_get_array_length(ndr, &r->in.client_account); >+ if (length_client_account_1 > size_client_account_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_account_1, length_client_account_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client_account), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client_account, ndr_get_array_length(ndr, &r->in.client_account), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_account_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client_account, length_client_account_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_account_0, 0); > } > NDR_CHECK(ndr_pull_samr_AcctFlags(ndr, NDR_SCALARS, &r->in.mask)); >@@ -14159,11 +14625,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); >- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); >+ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); >+ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); >+ if (length_domain_name_1 > size_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -14189,11 +14657,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); >- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); >+ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); >+ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); >+ if (length_site_name_1 > size_site_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_DsRGetDCName_flags(ndr, NDR_SCALARS, &r->in.flags)); >@@ -14351,6 +14821,8 @@ static enum ndr_err_code ndr_push_netr_NetrEnumerateTrustedDomainsEx(struct ndr_ > static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomainsEx(struct ndr_pull *ndr, int flags, struct netr_NetrEnumerateTrustedDomainsEx *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_dom_trust_list_0; > if (flags & NDR_IN) { >@@ -14367,11 +14839,13 @@ static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomainsEx(struct ndr_ > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.dom_trust_list); >@@ -14460,6 +14934,9 @@ static enum ndr_err_code ndr_push_netr_DsRAddressToSitenamesExW(struct ndr_push > static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull *ndr, int flags, struct netr_DsRAddressToSitenamesExW *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_addresses_1 = 0; > uint32_t cntr_addresses_1; > uint32_t _ptr_ctr; > TALLOC_CTX *_mem_save_server_name_0; >@@ -14480,11 +14957,13 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); >@@ -14492,15 +14971,16 @@ static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.addresses)); >+ size_addresses_1 = ndr_get_array_size(ndr, &r->in.addresses); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->in.addresses, ndr_get_array_size(ndr, &r->in.addresses)); >+ NDR_PULL_ALLOC_N(ndr, r->in.addresses, size_addresses_1); > } > _mem_save_addresses_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.addresses, 0); >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_SCALARS, &r->in.addresses[cntr_addresses_1])); > } >- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { >+ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { > NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_BUFFERS, &r->in.addresses[cntr_addresses_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_1, 0); >@@ -14612,6 +15092,8 @@ static enum ndr_err_code ndr_push_netr_DsrGetDcSiteCoverageW(struct ndr_push *nd > static enum ndr_err_code ndr_pull_netr_DsrGetDcSiteCoverageW(struct ndr_pull *ndr, int flags, struct netr_DsrGetDcSiteCoverageW *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_ctr; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_ctr_0; >@@ -14630,11 +15112,13 @@ static enum ndr_err_code ndr_pull_netr_DsrGetDcSiteCoverageW(struct ndr_pull *nd > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_PULL_ALLOC(ndr, r->out.ctr); >@@ -14751,7 +15235,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogonEx(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogonEx *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_computer_name_0; > TALLOC_CTX *_mem_save_logon_0; >@@ -14772,11 +15260,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -14790,11 +15280,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_LogonInfoClass(ndr, NDR_SCALARS, &r->in.logon_level)); >@@ -14931,6 +15423,8 @@ static enum ndr_err_code ndr_push_netr_DsrEnumerateDomainTrusts(struct ndr_push > static enum ndr_err_code ndr_pull_netr_DsrEnumerateDomainTrusts(struct ndr_pull *ndr, int flags, struct netr_DsrEnumerateDomainTrusts *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_trusts_0; > if (flags & NDR_IN) { >@@ -14947,11 +15441,13 @@ static enum ndr_err_code ndr_pull_netr_DsrEnumerateDomainTrusts(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_netr_TrustFlags(ndr, NDR_SCALARS, &r->in.trust_flags)); >@@ -15045,9 +15541,15 @@ static enum ndr_err_code ndr_push_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pull *ndr, int flags, struct netr_DsrDeregisterDNSHostRecords *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_domain; >+ uint32_t size_domain_1 = 0; >+ uint32_t length_domain_1 = 0; > uint32_t _ptr_domain_guid; > uint32_t _ptr_dsa_guid; >+ uint32_t size_dns_host_1 = 0; >+ uint32_t length_dns_host_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_domain_0; > TALLOC_CTX *_mem_save_domain_guid_0; >@@ -15064,11 +15566,13 @@ static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); >@@ -15082,11 +15586,13 @@ static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > NDR_PULL_SET_MEM_CTX(ndr, r->in.domain, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain)); >- if (ndr_get_array_length(ndr, &r->in.domain) > ndr_get_array_size(ndr, &r->in.domain)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain), ndr_get_array_length(ndr, &r->in.domain)); >+ size_domain_1 = ndr_get_array_size(ndr, &r->in.domain); >+ length_domain_1 = ndr_get_array_length(ndr, &r->in.domain); >+ if (length_domain_1 > size_domain_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); >@@ -15115,11 +15621,13 @@ static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pu > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_host)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_host)); >- if (ndr_get_array_length(ndr, &r->in.dns_host) > ndr_get_array_size(ndr, &r->in.dns_host)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_host), ndr_get_array_length(ndr, &r->in.dns_host)); >+ size_dns_host_1 = ndr_get_array_size(ndr, &r->in.dns_host); >+ length_dns_host_1 = ndr_get_array_length(ndr, &r->in.dns_host); >+ if (length_dns_host_1 > size_dns_host_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_host_1, length_dns_host_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_host), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_host, ndr_get_array_length(ndr, &r->in.dns_host), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_host_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_host, length_dns_host_1, sizeof(uint16_t), CH_UTF16)); > } > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); >@@ -15221,6 +15729,12 @@ static enum ndr_err_code ndr_push_netr_ServerTrustPasswordsGet(struct ndr_push * > static enum ndr_err_code ndr_pull_netr_ServerTrustPasswordsGet(struct ndr_pull *ndr, int flags, struct netr_ServerTrustPasswordsGet *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_0 = 0; >+ uint32_t length_account_name_0 = 0; >+ uint32_t size_computer_name_0 = 0; >+ uint32_t length_computer_name_0 = 0; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; > TALLOC_CTX *_mem_save_return_authenticator_0; >@@ -15240,28 +15754,34 @@ static enum ndr_err_code ndr_pull_netr_ServerTrustPasswordsGet(struct ndr_pull * > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_0 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_0 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_0 > size_account_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_0 > size_computer_name_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -15384,7 +15904,11 @@ static enum ndr_err_code ndr_push_netr_DsRGetForestTrustInformation(struct ndr_p > static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_pull *ndr, int flags, struct netr_DsRGetForestTrustInformation *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_trusted_domain_name; >+ uint32_t size_trusted_domain_name_1 = 0; >+ uint32_t length_trusted_domain_name_1 = 0; > uint32_t _ptr_forest_trust_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_trusted_domain_name_0; >@@ -15404,11 +15928,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_trusted_domain_name)); >@@ -15422,11 +15948,13 @@ static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_p > NDR_PULL_SET_MEM_CTX(ndr, r->in.trusted_domain_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.trusted_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.trusted_domain_name)); >- if (ndr_get_array_length(ndr, &r->in.trusted_domain_name) > ndr_get_array_size(ndr, &r->in.trusted_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.trusted_domain_name), ndr_get_array_length(ndr, &r->in.trusted_domain_name)); >+ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->in.trusted_domain_name); >+ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->in.trusted_domain_name); >+ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_domain_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); >@@ -15543,6 +16071,10 @@ static enum ndr_err_code ndr_push_netr_GetForestTrustInformation(struct ndr_push > static enum ndr_err_code ndr_pull_netr_GetForestTrustInformation(struct ndr_pull *ndr, int flags, struct netr_GetForestTrustInformation *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_trusted_domain_name_1 = 0; >+ uint32_t length_trusted_domain_name_1 = 0; > uint32_t _ptr_forest_trust_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; >@@ -15563,20 +16095,24 @@ static enum ndr_err_code ndr_pull_netr_GetForestTrustInformation(struct ndr_pull > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.trusted_domain_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.trusted_domain_name)); >- if (ndr_get_array_length(ndr, &r->in.trusted_domain_name) > ndr_get_array_size(ndr, &r->in.trusted_domain_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.trusted_domain_name), ndr_get_array_length(ndr, &r->in.trusted_domain_name)); >+ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->in.trusted_domain_name); >+ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->in.trusted_domain_name); >+ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >@@ -15733,7 +16269,11 @@ static enum ndr_err_code ndr_push_netr_LogonSamLogonWithFlags(struct ndr_push *n > static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogonWithFlags *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > uint32_t _ptr_computer_name; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_credential; > uint32_t _ptr_return_authenticator; > TALLOC_CTX *_mem_save_server_name_0; >@@ -15758,11 +16298,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); >@@ -15776,11 +16318,13 @@ static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *n > NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); > } > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); >@@ -16004,6 +16548,12 @@ static enum ndr_err_code ndr_push_netr_ServerGetTrustInfo(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_netr_ServerGetTrustInfo(struct ndr_pull *ndr, int flags, struct netr_ServerGetTrustInfo *r) > { > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; >+ uint32_t size_account_name_1 = 0; >+ uint32_t length_account_name_1 = 0; >+ uint32_t size_computer_name_1 = 0; >+ uint32_t length_computer_name_1 = 0; > uint32_t _ptr_trust_info; > TALLOC_CTX *_mem_save_server_name_0; > TALLOC_CTX *_mem_save_credential_0; >@@ -16026,28 +16576,34 @@ static enum ndr_err_code ndr_pull_netr_ServerGetTrustInfo(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); >- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); >- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); >+ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); >+ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); >+ if (length_account_name_1 > size_account_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); >- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); >+ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); >+ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); >+ if (length_computer_name_1 > size_computer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.credential); > } >diff --git a/librpc/gen_ndr/ndr_ntsvcs.c b/librpc/gen_ndr/ndr_ntsvcs.c >index d317c9f..de3ac1a 100644 >--- a/librpc/gen_ndr/ndr_ntsvcs.c >+++ b/librpc/gen_ndr/ndr_ntsvcs.c >@@ -53,11 +53,13 @@ static enum ndr_err_code ndr_push_PNP_HwProfInfo(struct ndr_push *ndr, int ndr_f > > static enum ndr_err_code ndr_pull_PNP_HwProfInfo(struct ndr_pull *ndr, int ndr_flags, struct PNP_HwProfInfo *r) > { >+ uint32_t size_friendly_name_0 = 0; > uint32_t cntr_friendly_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->profile_handle)); >- for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < 80; cntr_friendly_name_0++) { >+ size_friendly_name_0 = 80; >+ for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < size_friendly_name_0; cntr_friendly_name_0++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->friendly_name[cntr_friendly_name_0])); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags)); >@@ -373,14 +375,18 @@ static enum ndr_err_code ndr_push_PNP_ValidateDeviceInstance(struct ndr_push *nd > > static enum ndr_err_code ndr_pull_PNP_ValidateDeviceInstance(struct ndr_pull *ndr, int flags, struct PNP_ValidateDeviceInstance *r) > { >+ uint32_t size_devicepath_1 = 0; >+ uint32_t length_devicepath_1 = 0; > if (flags & NDR_IN) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); >- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); >+ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); >+ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); >+ if (length_devicepath_1 > size_devicepath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); > } > if (flags & NDR_OUT) { >@@ -577,6 +583,10 @@ static enum ndr_err_code ndr_push_PNP_GetDeviceList(struct ndr_push *ndr, int fl > static enum ndr_err_code ndr_pull_PNP_GetDeviceList(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceList *r) > { > uint32_t _ptr_filter; >+ uint32_t size_filter_1 = 0; >+ uint32_t length_filter_1 = 0; >+ uint32_t size_buffer_1 = 0; >+ uint32_t length_buffer_1 = 0; > uint32_t cntr_buffer_1; > TALLOC_CTX *_mem_save_filter_0; > TALLOC_CTX *_mem_save_buffer_1; >@@ -595,11 +605,13 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceList(struct ndr_pull *ndr, int fl > NDR_PULL_SET_MEM_CTX(ndr, r->in.filter, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.filter)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.filter)); >- if (ndr_get_array_length(ndr, &r->in.filter) > ndr_get_array_size(ndr, &r->in.filter)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.filter), ndr_get_array_length(ndr, &r->in.filter)); >+ size_filter_1 = ndr_get_array_size(ndr, &r->in.filter); >+ length_filter_1 = ndr_get_array_length(ndr, &r->in.filter); >+ if (length_filter_1 > size_filter_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_filter_1, length_filter_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.filter), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.filter, ndr_get_array_length(ndr, &r->in.filter), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_filter_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.filter, length_filter_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_filter_0, 0); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >@@ -618,15 +630,17 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceList(struct ndr_pull *ndr, int fl > if (flags & NDR_OUT) { > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); >- if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); >+ length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer); >+ if (length_buffer_1 > size_buffer_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } > _mem_save_buffer_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->out.buffer, 0); >- for (cntr_buffer_1 = 0; cntr_buffer_1 < *r->out.length; cntr_buffer_1++) { >+ for (cntr_buffer_1 = 0; cntr_buffer_1 < length_buffer_1; cntr_buffer_1++) { > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.buffer[cntr_buffer_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_1, 0); >@@ -723,6 +737,8 @@ static enum ndr_err_code ndr_push_PNP_GetDeviceListSize(struct ndr_push *ndr, in > static enum ndr_err_code ndr_pull_PNP_GetDeviceListSize(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceListSize *r) > { > uint32_t _ptr_devicename; >+ uint32_t size_devicename_1 = 0; >+ uint32_t length_devicename_1 = 0; > TALLOC_CTX *_mem_save_devicename_0; > TALLOC_CTX *_mem_save_size_0; > if (flags & NDR_IN) { >@@ -739,11 +755,13 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceListSize(struct ndr_pull *ndr, in > NDR_PULL_SET_MEM_CTX(ndr, r->in.devicename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicename)); >- if (ndr_get_array_length(ndr, &r->in.devicename) > ndr_get_array_size(ndr, &r->in.devicename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicename), ndr_get_array_length(ndr, &r->in.devicename)); >+ size_devicename_1 = ndr_get_array_size(ndr, &r->in.devicename); >+ length_devicename_1 = ndr_get_array_length(ndr, &r->in.devicename); >+ if (length_devicename_1 > size_devicename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicename_1, length_devicename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, length_devicename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_devicename_0, 0); > } > NDR_CHECK(ndr_pull_PNP_GetIdListFlags(ndr, NDR_SCALARS, &r->in.flags)); >@@ -888,6 +906,10 @@ static enum ndr_err_code ndr_push_PNP_GetDeviceRegProp(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceRegProp *r) > { >+ uint32_t size_devicepath_1 = 0; >+ uint32_t length_devicepath_1 = 0; >+ uint32_t size_buffer_1 = 0; >+ uint32_t length_buffer_1 = 0; > TALLOC_CTX *_mem_save_reg_data_type_0; > TALLOC_CTX *_mem_save_buffer_size_0; > TALLOC_CTX *_mem_save_needed_0; >@@ -896,11 +918,13 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int > > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); >- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); >+ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); >+ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); >+ if (length_devicepath_1 > size_devicepath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.property)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.reg_data_type); >@@ -943,13 +967,15 @@ static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reg_data_type_0, LIBNDR_FLAG_REF_ALLOC); > NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); >- if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer)); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); >+ length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer); >+ if (length_buffer_1 > size_buffer_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); > } > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { >- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); >+ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); > } >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_length(ndr, &r->out.buffer))); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, length_buffer_1)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->out.buffer_size); > } >@@ -2152,9 +2178,15 @@ static enum ndr_err_code ndr_push_PNP_HwProfFlags(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flags, struct PNP_HwProfFlags *r) > { >+ uint32_t size_devicepath_1 = 0; >+ uint32_t length_devicepath_1 = 0; > uint32_t _ptr_veto_type; > uint32_t _ptr_unknown5; >+ uint32_t size_unknown5_1 = 0; >+ uint32_t length_unknown5_1 = 0; > uint32_t _ptr_unknown5a; >+ uint32_t size_unknown5a_2 = 0; >+ uint32_t length_unknown5a_2 = 0; > TALLOC_CTX *_mem_save_profile_flags_0; > TALLOC_CTX *_mem_save_veto_type_0; > TALLOC_CTX *_mem_save_unknown5_0; >@@ -2166,11 +2198,13 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.action)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); >- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); >+ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); >+ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); >+ if (length_devicepath_1 > size_devicepath_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.config)); > if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { > NDR_PULL_ALLOC(ndr, r->in.profile_flags); >@@ -2202,11 +2236,13 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown5, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown5)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown5)); >- if (ndr_get_array_length(ndr, &r->in.unknown5) > ndr_get_array_size(ndr, &r->in.unknown5)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown5), ndr_get_array_length(ndr, &r->in.unknown5)); >+ size_unknown5_1 = ndr_get_array_size(ndr, &r->in.unknown5); >+ length_unknown5_1 = ndr_get_array_length(ndr, &r->in.unknown5); >+ if (length_unknown5_1 > size_unknown5_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5_1, length_unknown5_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, length_unknown5_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_length)); >@@ -2254,11 +2290,13 @@ static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, *r->out.unknown5a, 0); > NDR_CHECK(ndr_pull_array_size(ndr, r->out.unknown5a)); > NDR_CHECK(ndr_pull_array_length(ndr, r->out.unknown5a)); >- if (ndr_get_array_length(ndr, r->out.unknown5a) > ndr_get_array_size(ndr, r->out.unknown5a)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.unknown5a), ndr_get_array_length(ndr, r->out.unknown5a)); >+ size_unknown5a_2 = ndr_get_array_size(ndr, r->out.unknown5a); >+ length_unknown5a_2 = ndr_get_array_length(ndr, r->out.unknown5a); >+ if (length_unknown5a_2 > size_unknown5a_2) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5a_2, length_unknown5a_2); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5a_2, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, length_unknown5a_2, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_1, 0); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_0, 0); >diff --git a/librpc/gen_ndr/ndr_samr.c b/librpc/gen_ndr/ndr_samr.c >index ab76f5a..2b93a89 100644 >--- a/librpc/gen_ndr/ndr_samr.c >+++ b/librpc/gen_ndr/ndr_samr.c >@@ -302,6 +302,7 @@ static enum ndr_err_code ndr_push_samr_SamArray(struct ndr_push *ndr, int ndr_fl > static enum ndr_err_code ndr_pull_samr_SamArray(struct ndr_pull *ndr, int ndr_flags, struct samr_SamArray *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -320,13 +321,14 @@ static enum ndr_err_code ndr_pull_samr_SamArray(struct ndr_pull *ndr, int ndr_fl > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_SamEntry(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_SamEntry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -1185,6 +1187,7 @@ static enum ndr_err_code ndr_push_samr_Ids(struct ndr_push *ndr, int ndr_flags, > static enum ndr_err_code ndr_pull_samr_Ids(struct ndr_pull *ndr, int ndr_flags, struct samr_Ids *r) > { > uint32_t _ptr_ids; >+ uint32_t size_ids_1 = 0; > uint32_t cntr_ids_1; > TALLOC_CTX *_mem_save_ids_0; > TALLOC_CTX *_mem_save_ids_1; >@@ -1206,10 +1209,11 @@ static enum ndr_err_code ndr_pull_samr_Ids(struct ndr_pull *ndr, int ndr_flags, > _mem_save_ids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->ids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->ids)); >- NDR_PULL_ALLOC_N(ndr, r->ids, ndr_get_array_size(ndr, &r->ids)); >+ size_ids_1 = ndr_get_array_size(ndr, &r->ids); >+ NDR_PULL_ALLOC_N(ndr, r->ids, size_ids_1); > _mem_save_ids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->ids, 0); >- for (cntr_ids_1 = 0; cntr_ids_1 < r->count; cntr_ids_1++) { >+ for (cntr_ids_1 = 0; cntr_ids_1 < size_ids_1; cntr_ids_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ids[cntr_ids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ids_1, 0); >@@ -1558,10 +1562,12 @@ static enum ndr_err_code ndr_push_samr_RidTypeArray(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_samr_RidTypeArray(struct ndr_pull *ndr, int ndr_flags, struct samr_RidTypeArray *r) > { > uint32_t _ptr_rids; >+ uint32_t size_rids_1 = 0; > uint32_t cntr_rids_1; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_rids_1; > uint32_t _ptr_types; >+ uint32_t size_types_1 = 0; > uint32_t cntr_types_1; > TALLOC_CTX *_mem_save_types_0; > TALLOC_CTX *_mem_save_types_1; >@@ -1586,10 +1592,11 @@ static enum ndr_err_code ndr_pull_samr_RidTypeArray(struct ndr_pull *ndr, int nd > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_1 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); > _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_1 = 0; cntr_rids_1 < r->count; cntr_rids_1++) { >+ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); >@@ -1599,10 +1606,11 @@ static enum ndr_err_code ndr_pull_samr_RidTypeArray(struct ndr_pull *ndr, int nd > _mem_save_types_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->types)); >- NDR_PULL_ALLOC_N(ndr, r->types, ndr_get_array_size(ndr, &r->types)); >+ size_types_1 = ndr_get_array_size(ndr, &r->types); >+ NDR_PULL_ALLOC_N(ndr, r->types, size_types_1); > _mem_save_types_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); >- for (cntr_types_1 = 0; cntr_types_1 < r->count; cntr_types_1++) { >+ for (cntr_types_1 = 0; cntr_types_1 < size_types_1; cntr_types_1++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->types[cntr_types_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_types_1, 0); >@@ -1958,6 +1966,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_LogonHours(struct ndr_push *ndr, int nd > _PUBLIC_ enum ndr_err_code ndr_pull_samr_LogonHours(struct ndr_pull *ndr, int ndr_flags, struct samr_LogonHours *r) > { > uint32_t _ptr_bits; >+ uint32_t size_bits_1 = 0; >+ uint32_t length_bits_1 = 0; > TALLOC_CTX *_mem_save_bits_0; > { > uint32_t _flags_save_STRUCT = ndr->flags; >@@ -1978,11 +1988,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_LogonHours(struct ndr_pull *ndr, int nd > NDR_PULL_SET_MEM_CTX(ndr, r->bits, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->bits)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->bits)); >- if (ndr_get_array_length(ndr, &r->bits) > ndr_get_array_size(ndr, &r->bits)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->bits), ndr_get_array_length(ndr, &r->bits)); >+ size_bits_1 = ndr_get_array_size(ndr, &r->bits); >+ length_bits_1 = ndr_get_array_length(ndr, &r->bits); >+ if (length_bits_1 > size_bits_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_bits_1, length_bits_1); > } >- NDR_PULL_ALLOC_N(ndr, r->bits, ndr_get_array_size(ndr, &r->bits)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->bits, ndr_get_array_length(ndr, &r->bits))); >+ NDR_PULL_ALLOC_N(ndr, r->bits, size_bits_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->bits, length_bits_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bits_0, 0); > } > if (r->bits) { >@@ -2618,12 +2630,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_Password(struct ndr_push *ndr, int ndr_ > > _PUBLIC_ enum ndr_err_code ndr_pull_samr_Password(struct ndr_pull *ndr, int ndr_flags, struct samr_Password *r) > { >+ uint32_t size_hash_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); >+ size_hash_0 = 16; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -2835,6 +2849,7 @@ static enum ndr_err_code ndr_push_samr_UserInfo21(struct ndr_push *ndr, int ndr_ > static enum ndr_err_code ndr_pull_samr_UserInfo21(struct ndr_pull *ndr, int ndr_flags, struct samr_UserInfo21 *r) > { > uint32_t _ptr_buffer; >+ uint32_t size_buffer_1 = 0; > TALLOC_CTX *_mem_save_buffer_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -2896,8 +2911,9 @@ static enum ndr_err_code ndr_pull_samr_UserInfo21(struct ndr_pull *ndr, int ndr_ > _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->buffer, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->buffer)); >- NDR_PULL_ALLOC_N(ndr, r->buffer, ndr_get_array_size(ndr, &r->buffer)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, ndr_get_array_size(ndr, &r->buffer))); >+ size_buffer_1 = ndr_get_array_size(ndr, &r->buffer); >+ NDR_PULL_ALLOC_N(ndr, r->buffer, size_buffer_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, size_buffer_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); > } > NDR_CHECK(ndr_pull_samr_LogonHours(ndr, NDR_BUFFERS, &r->logon_hours)); >@@ -2972,12 +2988,14 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_CryptPassword(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_samr_CryptPassword(struct ndr_pull *ndr, int ndr_flags, struct samr_CryptPassword *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 516)); >+ size_data_0 = 516; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -3085,12 +3103,14 @@ static enum ndr_err_code ndr_push_samr_CryptPasswordEx(struct ndr_push *ndr, int > > static enum ndr_err_code ndr_pull_samr_CryptPasswordEx(struct ndr_pull *ndr, int ndr_flags, struct samr_CryptPasswordEx *r) > { >+ uint32_t size_data_0 = 0; > { > uint32_t _flags_save_STRUCT = ndr->flags; > ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 1)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 532)); >+ size_data_0 = 532; >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); > } > if (ndr_flags & NDR_BUFFERS) { > } >@@ -3738,6 +3758,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_RidWithAttributeArray(struct ndr_push * > _PUBLIC_ enum ndr_err_code ndr_pull_samr_RidWithAttributeArray(struct ndr_pull *ndr, int ndr_flags, struct samr_RidWithAttributeArray *r) > { > uint32_t _ptr_rids; >+ uint32_t size_rids_1 = 0; > uint32_t cntr_rids_1; > TALLOC_CTX *_mem_save_rids_0; > TALLOC_CTX *_mem_save_rids_1; >@@ -3756,10 +3777,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_RidWithAttributeArray(struct ndr_pull * > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); >- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); >+ size_rids_1 = ndr_get_array_size(ndr, &r->rids); >+ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); > _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); >- for (cntr_rids_1 = 0; cntr_rids_1 < r->count; cntr_rids_1++) { >+ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { > NDR_CHECK(ndr_pull_samr_RidWithAttribute(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); >@@ -3872,6 +3894,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoGeneral(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_samr_DispInfoGeneral(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoGeneral *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -3890,13 +3913,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoGeneral(struct ndr_pull *ndr, int > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryGeneral(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryGeneral(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4004,6 +4028,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoFull(struct ndr_push *ndr, int nd > static enum ndr_err_code ndr_pull_samr_DispInfoFull(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoFull *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4022,13 +4047,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoFull(struct ndr_pull *ndr, int nd > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFull(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFull(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4136,6 +4162,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoFullGroups(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_samr_DispInfoFullGroups(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoFullGroups *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4154,13 +4181,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoFullGroups(struct ndr_pull *ndr, > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFullGroup(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryFullGroup(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4257,6 +4285,7 @@ static enum ndr_err_code ndr_push_samr_DispInfoAscii(struct ndr_push *ndr, int n > static enum ndr_err_code ndr_pull_samr_DispInfoAscii(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoAscii *r) > { > uint32_t _ptr_entries; >+ uint32_t size_entries_1 = 0; > uint32_t cntr_entries_1; > TALLOC_CTX *_mem_save_entries_0; > TALLOC_CTX *_mem_save_entries_1; >@@ -4275,13 +4304,14 @@ static enum ndr_err_code ndr_pull_samr_DispInfoAscii(struct ndr_pull *ndr, int n > _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); >- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); >+ size_entries_1 = ndr_get_array_size(ndr, &r->entries); >+ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); > _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryAscii(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); > } >- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { >+ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { > NDR_CHECK(ndr_pull_samr_DispEntryAscii(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); >@@ -4778,6 +4808,7 @@ static enum ndr_err_code ndr_push_samr_ValidationBlob(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_samr_ValidationBlob(struct ndr_pull *ndr, int ndr_flags, struct samr_ValidationBlob *r) > { > uint32_t _ptr_data; >+ uint32_t size_data_1 = 0; > TALLOC_CTX *_mem_save_data_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4794,8 +4825,9 @@ static enum ndr_err_code ndr_pull_samr_ValidationBlob(struct ndr_pull *ndr, int > _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); >- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); >- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); >+ size_data_1 = ndr_get_array_size(ndr, &r->data); >+ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); >+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); > } > if (r->data) { >@@ -4849,6 +4881,7 @@ static enum ndr_err_code ndr_push_samr_ValidatePasswordInfo(struct ndr_push *ndr > static enum ndr_err_code ndr_pull_samr_ValidatePasswordInfo(struct ndr_pull *ndr, int ndr_flags, struct samr_ValidatePasswordInfo *r) > { > uint32_t _ptr_pwd_history; >+ uint32_t size_pwd_history_1 = 0; > uint32_t cntr_pwd_history_1; > TALLOC_CTX *_mem_save_pwd_history_0; > TALLOC_CTX *_mem_save_pwd_history_1; >@@ -4872,13 +4905,14 @@ static enum ndr_err_code ndr_pull_samr_ValidatePasswordInfo(struct ndr_pull *ndr > _mem_save_pwd_history_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->pwd_history, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->pwd_history)); >- NDR_PULL_ALLOC_N(ndr, r->pwd_history, ndr_get_array_size(ndr, &r->pwd_history)); >+ size_pwd_history_1 = ndr_get_array_size(ndr, &r->pwd_history); >+ NDR_PULL_ALLOC_N(ndr, r->pwd_history, size_pwd_history_1); > _mem_save_pwd_history_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->pwd_history, 0); >- for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < r->pwd_history_len; cntr_pwd_history_1++) { >+ for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < size_pwd_history_1; cntr_pwd_history_1++) { > NDR_CHECK(ndr_pull_samr_ValidationBlob(ndr, NDR_SCALARS, &r->pwd_history[cntr_pwd_history_1])); > } >- for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < r->pwd_history_len; cntr_pwd_history_1++) { >+ for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < size_pwd_history_1; cntr_pwd_history_1++) { > NDR_CHECK(ndr_pull_samr_ValidationBlob(ndr, NDR_BUFFERS, &r->pwd_history[cntr_pwd_history_1])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pwd_history_1, 0); >@@ -7195,6 +7229,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_LookupNames(struct ndr_push *ndr, int f > > _PUBLIC_ enum ndr_err_code ndr_pull_samr_LookupNames(struct ndr_pull *ndr, int flags, struct samr_LookupNames *r) > { >+ uint32_t size_names_0 = 0; >+ uint32_t length_names_0 = 0; > uint32_t cntr_names_0; > TALLOC_CTX *_mem_save_domain_handle_0; > TALLOC_CTX *_mem_save_names_0; >@@ -7216,16 +7252,18 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_LookupNames(struct ndr_pull *ndr, int f > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.names)); >- if (ndr_get_array_length(ndr, &r->in.names) > ndr_get_array_size(ndr, &r->in.names)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.names), ndr_get_array_length(ndr, &r->in.names)); >+ size_names_0 = ndr_get_array_size(ndr, &r->in.names); >+ length_names_0 = ndr_get_array_length(ndr, &r->in.names); >+ if (length_names_0 > size_names_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_names_0, length_names_0); > } >- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); >+ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); > _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < length_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); > } >- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { >+ for (cntr_names_0 = 0; cntr_names_0 < length_names_0; cntr_names_0++) { > NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); >@@ -7337,6 +7375,8 @@ static enum ndr_err_code ndr_push_samr_LookupRids(struct ndr_push *ndr, int flag > > static enum ndr_err_code ndr_pull_samr_LookupRids(struct ndr_pull *ndr, int flags, struct samr_LookupRids *r) > { >+ uint32_t size_rids_0 = 0; >+ uint32_t length_rids_0 = 0; > uint32_t cntr_rids_0; > TALLOC_CTX *_mem_save_domain_handle_0; > TALLOC_CTX *_mem_save_rids_0; >@@ -7358,13 +7398,15 @@ static enum ndr_err_code ndr_pull_samr_LookupRids(struct ndr_pull *ndr, int flag > } > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rids)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rids)); >- if (ndr_get_array_length(ndr, &r->in.rids) > ndr_get_array_size(ndr, &r->in.rids)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rids), ndr_get_array_length(ndr, &r->in.rids)); >+ size_rids_0 = ndr_get_array_size(ndr, &r->in.rids); >+ length_rids_0 = ndr_get_array_length(ndr, &r->in.rids); >+ if (length_rids_0 > size_rids_0) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rids_0, length_rids_0); > } >- NDR_PULL_ALLOC_N(ndr, r->in.rids, ndr_get_array_size(ndr, &r->in.rids)); >+ NDR_PULL_ALLOC_N(ndr, r->in.rids, size_rids_0); > _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->in.rids, 0); >- for (cntr_rids_0 = 0; cntr_rids_0 < r->in.num_rids; cntr_rids_0++) { >+ for (cntr_rids_0 = 0; cntr_rids_0 < length_rids_0; cntr_rids_0++) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.rids[cntr_rids_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_0, 0); >@@ -11036,6 +11078,8 @@ static enum ndr_err_code ndr_push_samr_Connect2(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_samr_Connect2(struct ndr_pull *ndr, int flags, struct samr_Connect2 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_connect_handle_0; > if (flags & NDR_IN) { >@@ -11052,11 +11096,13 @@ static enum ndr_err_code ndr_pull_samr_Connect2(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_samr_ConnectAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); >@@ -11356,6 +11402,8 @@ static enum ndr_err_code ndr_push_samr_Connect3(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_samr_Connect3(struct ndr_pull *ndr, int flags, struct samr_Connect3 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_connect_handle_0; > if (flags & NDR_IN) { >@@ -11372,11 +11420,13 @@ static enum ndr_err_code ndr_pull_samr_Connect3(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown)); >@@ -11456,6 +11506,8 @@ static enum ndr_err_code ndr_push_samr_Connect4(struct ndr_push *ndr, int flags, > static enum ndr_err_code ndr_pull_samr_Connect4(struct ndr_pull *ndr, int flags, struct samr_Connect4 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_connect_handle_0; > if (flags & NDR_IN) { >@@ -11472,11 +11524,13 @@ static enum ndr_err_code ndr_pull_samr_Connect4(struct ndr_pull *ndr, int flags, > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_samr_ConnectVersion(ndr, NDR_SCALARS, &r->in.client_version)); >@@ -11854,6 +11908,8 @@ _PUBLIC_ enum ndr_err_code ndr_push_samr_Connect5(struct ndr_push *ndr, int flag > _PUBLIC_ enum ndr_err_code ndr_pull_samr_Connect5(struct ndr_pull *ndr, int flags, struct samr_Connect5 *r) > { > uint32_t _ptr_system_name; >+ uint32_t size_system_name_1 = 0; >+ uint32_t length_system_name_1 = 0; > TALLOC_CTX *_mem_save_system_name_0; > TALLOC_CTX *_mem_save_info_in_0; > TALLOC_CTX *_mem_save_level_out_0; >@@ -11873,11 +11929,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_samr_Connect5(struct ndr_pull *ndr, int flag > NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); >- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); >+ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); >+ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); >+ if (length_system_name_1 > size_system_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); > } > NDR_CHECK(ndr_pull_samr_ConnectAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); >diff --git a/librpc/gen_ndr/ndr_security.c b/librpc/gen_ndr/ndr_security.c >index 3ae6ec3..824f24b 100644 >--- a/librpc/gen_ndr/ndr_security.c >+++ b/librpc/gen_ndr/ndr_security.c >@@ -491,6 +491,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_acl(struct ndr_push *ndr, int ndr_f > > _PUBLIC_ enum ndr_err_code ndr_pull_security_acl(struct ndr_pull *ndr, int ndr_flags, struct security_acl *r) > { >+ uint32_t size_aces_0 = 0; > uint32_t cntr_aces_0; > TALLOC_CTX *_mem_save_aces_0; > if (ndr_flags & NDR_SCALARS) { >@@ -501,18 +502,20 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_acl(struct ndr_pull *ndr, int ndr_f > if (r->num_aces > 1000) { > return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); > } >- NDR_PULL_ALLOC_N(ndr, r->aces, r->num_aces); >+ size_aces_0 = r->num_aces; >+ NDR_PULL_ALLOC_N(ndr, r->aces, size_aces_0); > _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0); >- for (cntr_aces_0 = 0; cntr_aces_0 < r->num_aces; cntr_aces_0++) { >+ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) { > NDR_CHECK(ndr_pull_security_ace(ndr, NDR_SCALARS, &r->aces[cntr_aces_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0, 0); > } > if (ndr_flags & NDR_BUFFERS) { >+ size_aces_0 = r->num_aces; > _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0); >- for (cntr_aces_0 = 0; cntr_aces_0 < r->num_aces; cntr_aces_0++) { >+ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) { > NDR_CHECK(ndr_pull_security_ace(ndr, NDR_BUFFERS, &r->aces[cntr_aces_0])); > } > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0, 0); >@@ -878,6 +881,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr > uint32_t _ptr_group_sid; > TALLOC_CTX *_mem_save_group_sid_0; > uint32_t _ptr_sids; >+ uint32_t size_sids_0 = 0; > uint32_t cntr_sids_0; > TALLOC_CTX *_mem_save_sids_0; > TALLOC_CTX *_mem_save_sids_1; >@@ -897,10 +901,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr > } > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_sids)); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); >- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); >+ size_sids_0 = ndr_get_array_size(ndr, &r->sids); >+ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_0); > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { >+ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sids)); > if (_ptr_sids) { > NDR_PULL_ALLOC(ndr, r->sids[cntr_sids_0]); >@@ -927,9 +932,10 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr > NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0); > } >+ size_sids_0 = ndr_get_array_size(ndr, &r->sids); > _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); >- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { >+ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { > if (r->sids[cntr_sids_0]) { > _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); > NDR_PULL_SET_MEM_CTX(ndr, r->sids[cntr_sids_0], 0); >diff --git a/librpc/gen_ndr/ndr_spoolss.c b/librpc/gen_ndr/ndr_spoolss.c >index ef3fd3d..8cd1f5d 100644 >--- a/librpc/gen_ndr/ndr_spoolss.c >+++ b/librpc/gen_ndr/ndr_spoolss.c >@@ -625,9 +625,12 @@ _PUBLIC_ enum ndr_err_code ndr_push_spoolss_DeviceMode(struct ndr_push *ndr, int > > _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_DeviceMode(struct ndr_pull *ndr, int ndr_flags, struct spoolss_DeviceMode *r) > { >+ uint32_t size_devicename_0 = 0; >+ uint32_t size_formname_0 = 0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devicename, 32, sizeof(uint16_t), CH_UTF16)); >+ size_devicename_0 = 32; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devicename, size_devicename_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->specversion)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->driverversion)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); >@@ -646,7 +649,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_DeviceMode(struct ndr_pull *ndr, int > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->yresolution)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->ttoption)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->collate)); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->formname, 32, sizeof(uint16_t), CH_UTF16)); >+ size_formname_0 = 32; >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->formname, size_formname_0, sizeof(uint16_t), CH_UTF16)); > NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->logpixels)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->bitsperpel)); > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->pelswidth)); >@@ -4530,16 +4534,28 @@ static enum ndr_err_code ndr_push_spoolss_SetJobInfo1(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetJobInfo1 *r) > { > uint32_t _ptr_printer_name; >+ uint32_t size_printer_name_1 = 0; >+ uint32_t length_printer_name_1 = 0; > TALLOC_CTX *_mem_save_printer_name_0; > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_user_name; >+ uint32_t size_user_name_1 = 0; >+ uint32_t length_user_name_1 = 0; > TALLOC_CTX *_mem_save_user_name_0; > uint32_t _ptr_document_name; >+ uint32_t size_document_name_1 = 0; >+ uint32_t length_document_name_1 = 0; > TALLOC_CTX *_mem_save_document_name_0; > uint32_t _ptr_data_type; >+ uint32_t size_data_type_1 = 0; >+ uint32_t length_data_type_1 = 0; > TALLOC_CTX *_mem_save_data_type_0; > uint32_t _ptr_text_status; >+ uint32_t size_text_status_1 = 0; >+ uint32_t length_text_status_1 = 0; > TALLOC_CTX *_mem_save_text_status_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4596,11 +4612,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->printer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printer_name)); >- if (ndr_get_array_length(ndr, &r->printer_name) > ndr_get_array_size(ndr, &r->printer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printer_name), ndr_get_array_length(ndr, &r->printer_name)); >+ size_printer_name_1 = ndr_get_array_size(ndr, &r->printer_name); >+ length_printer_name_1 = ndr_get_array_length(ndr, &r->printer_name); >+ if (length_printer_name_1 > size_printer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printer_name_1, length_printer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, length_printer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printer_name_0, 0); > } > if (r->server_name) { >@@ -4608,11 +4626,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->user_name) { >@@ -4620,11 +4640,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); >- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); >+ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); >+ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); >+ if (length_user_name_1 > size_user_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); > } > if (r->document_name) { >@@ -4632,11 +4654,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); >- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); >+ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); >+ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); >+ if (length_document_name_1 > size_document_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); > } > if (r->data_type) { >@@ -4644,11 +4668,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->data_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_type)); >- if (ndr_get_array_length(ndr, &r->data_type) > ndr_get_array_size(ndr, &r->data_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_type), ndr_get_array_length(ndr, &r->data_type)); >+ size_data_type_1 = ndr_get_array_size(ndr, &r->data_type); >+ length_data_type_1 = ndr_get_array_length(ndr, &r->data_type); >+ if (length_data_type_1 > size_data_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); > } > if (r->text_status) { >@@ -4656,11 +4682,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->text_status, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->text_status)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->text_status)); >- if (ndr_get_array_length(ndr, &r->text_status) > ndr_get_array_size(ndr, &r->text_status)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->text_status), ndr_get_array_length(ndr, &r->text_status)); >+ size_text_status_1 = ndr_get_array_size(ndr, &r->text_status); >+ length_text_status_1 = ndr_get_array_length(ndr, &r->text_status); >+ if (length_text_status_1 > size_text_status_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_text_status_1, length_text_status_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_text_status_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, length_text_status_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_text_status_0, 0); > } > } >@@ -4813,24 +4841,44 @@ static enum ndr_err_code ndr_push_spoolss_SetJobInfo2(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetJobInfo2 *r) > { > uint32_t _ptr_printer_name; >+ uint32_t size_printer_name_1 = 0; >+ uint32_t length_printer_name_1 = 0; > TALLOC_CTX *_mem_save_printer_name_0; > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_user_name; >+ uint32_t size_user_name_1 = 0; >+ uint32_t length_user_name_1 = 0; > TALLOC_CTX *_mem_save_user_name_0; > uint32_t _ptr_document_name; >+ uint32_t size_document_name_1 = 0; >+ uint32_t length_document_name_1 = 0; > TALLOC_CTX *_mem_save_document_name_0; > uint32_t _ptr_notify_name; >+ uint32_t size_notify_name_1 = 0; >+ uint32_t length_notify_name_1 = 0; > TALLOC_CTX *_mem_save_notify_name_0; > uint32_t _ptr_data_type; >+ uint32_t size_data_type_1 = 0; >+ uint32_t length_data_type_1 = 0; > TALLOC_CTX *_mem_save_data_type_0; > uint32_t _ptr_print_processor; >+ uint32_t size_print_processor_1 = 0; >+ uint32_t length_print_processor_1 = 0; > TALLOC_CTX *_mem_save_print_processor_0; > uint32_t _ptr_parameters; >+ uint32_t size_parameters_1 = 0; >+ uint32_t length_parameters_1 = 0; > TALLOC_CTX *_mem_save_parameters_0; > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_text_status; >+ uint32_t size_text_status_1 = 0; >+ uint32_t length_text_status_1 = 0; > TALLOC_CTX *_mem_save_text_status_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -4917,11 +4965,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->printer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printer_name)); >- if (ndr_get_array_length(ndr, &r->printer_name) > ndr_get_array_size(ndr, &r->printer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printer_name), ndr_get_array_length(ndr, &r->printer_name)); >+ size_printer_name_1 = ndr_get_array_size(ndr, &r->printer_name); >+ length_printer_name_1 = ndr_get_array_length(ndr, &r->printer_name); >+ if (length_printer_name_1 > size_printer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printer_name_1, length_printer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, length_printer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printer_name_0, 0); > } > if (r->server_name) { >@@ -4929,11 +4979,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->user_name) { >@@ -4941,11 +4993,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); >- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); >+ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); >+ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); >+ if (length_user_name_1 > size_user_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); > } > if (r->document_name) { >@@ -4953,11 +5007,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); >- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); >+ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); >+ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); >+ if (length_document_name_1 > size_document_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); > } > if (r->notify_name) { >@@ -4965,11 +5021,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->notify_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->notify_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->notify_name)); >- if (ndr_get_array_length(ndr, &r->notify_name) > ndr_get_array_size(ndr, &r->notify_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->notify_name), ndr_get_array_length(ndr, &r->notify_name)); >+ size_notify_name_1 = ndr_get_array_size(ndr, &r->notify_name); >+ length_notify_name_1 = ndr_get_array_length(ndr, &r->notify_name); >+ if (length_notify_name_1 > size_notify_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_notify_name_1, length_notify_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_notify_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, length_notify_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notify_name_0, 0); > } > if (r->data_type) { >@@ -4977,11 +5035,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->data_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_type)); >- if (ndr_get_array_length(ndr, &r->data_type) > ndr_get_array_size(ndr, &r->data_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_type), ndr_get_array_length(ndr, &r->data_type)); >+ size_data_type_1 = ndr_get_array_size(ndr, &r->data_type); >+ length_data_type_1 = ndr_get_array_length(ndr, &r->data_type); >+ if (length_data_type_1 > size_data_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); > } > if (r->print_processor) { >@@ -4989,11 +5049,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->print_processor, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->print_processor)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->print_processor)); >- if (ndr_get_array_length(ndr, &r->print_processor) > ndr_get_array_size(ndr, &r->print_processor)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->print_processor), ndr_get_array_length(ndr, &r->print_processor)); >+ size_print_processor_1 = ndr_get_array_size(ndr, &r->print_processor); >+ length_print_processor_1 = ndr_get_array_length(ndr, &r->print_processor); >+ if (length_print_processor_1 > size_print_processor_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_1, length_print_processor_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, length_print_processor_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_0, 0); > } > if (r->parameters) { >@@ -5001,11 +5063,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->parameters, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->parameters)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->parameters)); >- if (ndr_get_array_length(ndr, &r->parameters) > ndr_get_array_size(ndr, &r->parameters)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->parameters), ndr_get_array_length(ndr, &r->parameters)); >+ size_parameters_1 = ndr_get_array_size(ndr, &r->parameters); >+ length_parameters_1 = ndr_get_array_length(ndr, &r->parameters); >+ if (length_parameters_1 > size_parameters_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parameters_1, length_parameters_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_parameters_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, length_parameters_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parameters_0, 0); > } > if (r->driver_name) { >@@ -5013,11 +5077,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->text_status) { >@@ -5025,11 +5091,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->text_status, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->text_status)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->text_status)); >- if (ndr_get_array_length(ndr, &r->text_status) > ndr_get_array_size(ndr, &r->text_status)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->text_status), ndr_get_array_length(ndr, &r->text_status)); >+ size_text_status_1 = ndr_get_array_size(ndr, &r->text_status); >+ length_text_status_1 = ndr_get_array_length(ndr, &r->text_status); >+ if (length_text_status_1 > size_text_status_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_text_status_1, length_text_status_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_text_status_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, length_text_status_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_text_status_0, 0); > } > } >@@ -5213,24 +5281,44 @@ static enum ndr_err_code ndr_push_spoolss_SetJobInfo4(struct ndr_push *ndr, int > static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetJobInfo4 *r) > { > uint32_t _ptr_printer_name; >+ uint32_t size_printer_name_1 = 0; >+ uint32_t length_printer_name_1 = 0; > TALLOC_CTX *_mem_save_printer_name_0; > uint32_t _ptr_server_name; >+ uint32_t size_server_name_1 = 0; >+ uint32_t length_server_name_1 = 0; > TALLOC_CTX *_mem_save_server_name_0; > uint32_t _ptr_user_name; >+ uint32_t size_user_name_1 = 0; >+ uint32_t length_user_name_1 = 0; > TALLOC_CTX *_mem_save_user_name_0; > uint32_t _ptr_document_name; >+ uint32_t size_document_name_1 = 0; >+ uint32_t length_document_name_1 = 0; > TALLOC_CTX *_mem_save_document_name_0; > uint32_t _ptr_notify_name; >+ uint32_t size_notify_name_1 = 0; >+ uint32_t length_notify_name_1 = 0; > TALLOC_CTX *_mem_save_notify_name_0; > uint32_t _ptr_data_type; >+ uint32_t size_data_type_1 = 0; >+ uint32_t length_data_type_1 = 0; > TALLOC_CTX *_mem_save_data_type_0; > uint32_t _ptr_print_processor; >+ uint32_t size_print_processor_1 = 0; >+ uint32_t length_print_processor_1 = 0; > TALLOC_CTX *_mem_save_print_processor_0; > uint32_t _ptr_parameters; >+ uint32_t size_parameters_1 = 0; >+ uint32_t length_parameters_1 = 0; > TALLOC_CTX *_mem_save_parameters_0; > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_text_status; >+ uint32_t size_text_status_1 = 0; >+ uint32_t length_text_status_1 = 0; > TALLOC_CTX *_mem_save_text_status_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -5318,11 +5406,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->printer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printer_name)); >- if (ndr_get_array_length(ndr, &r->printer_name) > ndr_get_array_size(ndr, &r->printer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printer_name), ndr_get_array_length(ndr, &r->printer_name)); >+ size_printer_name_1 = ndr_get_array_size(ndr, &r->printer_name); >+ length_printer_name_1 = ndr_get_array_length(ndr, &r->printer_name); >+ if (length_printer_name_1 > size_printer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printer_name_1, length_printer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, length_printer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printer_name_0, 0); > } > if (r->server_name) { >@@ -5330,11 +5420,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); >- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); >+ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); >+ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); >+ if (length_server_name_1 > size_server_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); > } > if (r->user_name) { >@@ -5342,11 +5434,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); >- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); >+ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); >+ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); >+ if (length_user_name_1 > size_user_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); > } > if (r->document_name) { >@@ -5354,11 +5448,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); >- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); >+ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); >+ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); >+ if (length_document_name_1 > size_document_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); > } > if (r->notify_name) { >@@ -5366,11 +5462,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->notify_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->notify_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->notify_name)); >- if (ndr_get_array_length(ndr, &r->notify_name) > ndr_get_array_size(ndr, &r->notify_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->notify_name), ndr_get_array_length(ndr, &r->notify_name)); >+ size_notify_name_1 = ndr_get_array_size(ndr, &r->notify_name); >+ length_notify_name_1 = ndr_get_array_length(ndr, &r->notify_name); >+ if (length_notify_name_1 > size_notify_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_notify_name_1, length_notify_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_notify_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, length_notify_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notify_name_0, 0); > } > if (r->data_type) { >@@ -5378,11 +5476,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->data_type, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_type)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_type)); >- if (ndr_get_array_length(ndr, &r->data_type) > ndr_get_array_size(ndr, &r->data_type)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_type), ndr_get_array_length(ndr, &r->data_type)); >+ size_data_type_1 = ndr_get_array_size(ndr, &r->data_type); >+ length_data_type_1 = ndr_get_array_length(ndr, &r->data_type); >+ if (length_data_type_1 > size_data_type_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); > } > if (r->print_processor) { >@@ -5390,11 +5490,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->print_processor, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->print_processor)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->print_processor)); >- if (ndr_get_array_length(ndr, &r->print_processor) > ndr_get_array_size(ndr, &r->print_processor)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->print_processor), ndr_get_array_length(ndr, &r->print_processor)); >+ size_print_processor_1 = ndr_get_array_size(ndr, &r->print_processor); >+ length_print_processor_1 = ndr_get_array_length(ndr, &r->print_processor); >+ if (length_print_processor_1 > size_print_processor_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_1, length_print_processor_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, length_print_processor_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_0, 0); > } > if (r->parameters) { >@@ -5402,11 +5504,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->parameters, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->parameters)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->parameters)); >- if (ndr_get_array_length(ndr, &r->parameters) > ndr_get_array_size(ndr, &r->parameters)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->parameters), ndr_get_array_length(ndr, &r->parameters)); >+ size_parameters_1 = ndr_get_array_size(ndr, &r->parameters); >+ length_parameters_1 = ndr_get_array_length(ndr, &r->parameters); >+ if (length_parameters_1 > size_parameters_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parameters_1, length_parameters_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_parameters_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, length_parameters_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parameters_0, 0); > } > if (r->driver_name) { >@@ -5414,11 +5518,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->text_status) { >@@ -5426,11 +5532,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int > NDR_PULL_SET_MEM_CTX(ndr, r->text_status, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->text_status)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->text_status)); >- if (ndr_get_array_length(ndr, &r->text_status) > ndr_get_array_size(ndr, &r->text_status)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->text_status), ndr_get_array_length(ndr, &r->text_status)); >+ size_text_status_1 = ndr_get_array_size(ndr, &r->text_status); >+ length_text_status_1 = ndr_get_array_length(ndr, &r->text_status); >+ if (length_text_status_1 > size_text_status_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_text_status_1, length_text_status_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_text_status_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, length_text_status_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_text_status_0, 0); > } > } >@@ -5585,9 +5693,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -5596,7 +5708,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > } > switch (level) { > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -5606,7 +5717,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -5616,7 +5726,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -5626,7 +5735,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetJobInfo(struct ndr_pull *ndr, int > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -5886,8 +5994,12 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo0(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo0(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo0 *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -5937,11 +6049,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->servername)); >- if (ndr_get_array_length(ndr, &r->servername) > ndr_get_array_size(ndr, &r->servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->servername), ndr_get_array_length(ndr, &r->servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > if (r->printername) { >@@ -5949,11 +6063,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo0(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); >- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > } >@@ -6041,10 +6157,16 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo1(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo1 *r) > { > uint32_t _ptr_description; >+ uint32_t size_description_1 = 0; >+ uint32_t length_description_1 = 0; > TALLOC_CTX *_mem_save_description_0; > uint32_t _ptr_name; >+ uint32_t size_name_1 = 0; >+ uint32_t length_name_1 = 0; > TALLOC_CTX *_mem_save_name_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6074,11 +6196,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->description, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->description)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->description)); >- if (ndr_get_array_length(ndr, &r->description) > ndr_get_array_size(ndr, &r->description)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->description), ndr_get_array_length(ndr, &r->description)); >+ size_description_1 = ndr_get_array_size(ndr, &r->description); >+ length_description_1 = ndr_get_array_length(ndr, &r->description); >+ if (length_description_1 > size_description_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_description_1, length_description_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->description), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->description, ndr_get_array_length(ndr, &r->description), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_description_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->description, length_description_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_description_0, 0); > } > if (r->name) { >@@ -6086,11 +6210,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); >- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); >+ size_name_1 = ndr_get_array_size(ndr, &r->name); >+ length_name_1 = ndr_get_array_length(ndr, &r->name); >+ if (length_name_1 > size_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); > } > if (r->comment) { >@@ -6098,11 +6224,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo1(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > } >@@ -6235,26 +6363,48 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo2(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo2 *r) > { > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > uint32_t _ptr_sharename; >+ uint32_t size_sharename_1 = 0; >+ uint32_t length_sharename_1 = 0; > TALLOC_CTX *_mem_save_sharename_0; > uint32_t _ptr_portname; >+ uint32_t size_portname_1 = 0; >+ uint32_t length_portname_1 = 0; > TALLOC_CTX *_mem_save_portname_0; > uint32_t _ptr_drivername; >+ uint32_t size_drivername_1 = 0; >+ uint32_t length_drivername_1 = 0; > TALLOC_CTX *_mem_save_drivername_0; > uint32_t _ptr_comment; >+ uint32_t size_comment_1 = 0; >+ uint32_t length_comment_1 = 0; > TALLOC_CTX *_mem_save_comment_0; > uint32_t _ptr_location; >+ uint32_t size_location_1 = 0; >+ uint32_t length_location_1 = 0; > TALLOC_CTX *_mem_save_location_0; > uint32_t _ptr_sepfile; >+ uint32_t size_sepfile_1 = 0; >+ uint32_t length_sepfile_1 = 0; > TALLOC_CTX *_mem_save_sepfile_0; > uint32_t _ptr_printprocessor; >+ uint32_t size_printprocessor_1 = 0; >+ uint32_t length_printprocessor_1 = 0; > TALLOC_CTX *_mem_save_printprocessor_0; > uint32_t _ptr_datatype; >+ uint32_t size_datatype_1 = 0; >+ uint32_t length_datatype_1 = 0; > TALLOC_CTX *_mem_save_datatype_0; > uint32_t _ptr_parameters; >+ uint32_t size_parameters_1 = 0; >+ uint32_t length_parameters_1 = 0; > TALLOC_CTX *_mem_save_parameters_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6344,11 +6494,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->servername)); >- if (ndr_get_array_length(ndr, &r->servername) > ndr_get_array_size(ndr, &r->servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->servername), ndr_get_array_length(ndr, &r->servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > if (r->printername) { >@@ -6356,11 +6508,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); >- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > if (r->sharename) { >@@ -6368,11 +6522,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->sharename, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sharename)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->sharename)); >- if (ndr_get_array_length(ndr, &r->sharename) > ndr_get_array_size(ndr, &r->sharename)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->sharename), ndr_get_array_length(ndr, &r->sharename)); >+ size_sharename_1 = ndr_get_array_size(ndr, &r->sharename); >+ length_sharename_1 = ndr_get_array_length(ndr, &r->sharename); >+ if (length_sharename_1 > size_sharename_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->sharename), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sharename, ndr_get_array_length(ndr, &r->sharename), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); > } > if (r->portname) { >@@ -6380,11 +6536,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->portname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->portname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->portname)); >- if (ndr_get_array_length(ndr, &r->portname) > ndr_get_array_size(ndr, &r->portname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->portname), ndr_get_array_length(ndr, &r->portname)); >+ size_portname_1 = ndr_get_array_size(ndr, &r->portname); >+ length_portname_1 = ndr_get_array_length(ndr, &r->portname); >+ if (length_portname_1 > size_portname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_portname_1, length_portname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_portname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, length_portname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_portname_0, 0); > } > if (r->drivername) { >@@ -6392,11 +6550,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->drivername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->drivername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->drivername)); >- if (ndr_get_array_length(ndr, &r->drivername) > ndr_get_array_size(ndr, &r->drivername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->drivername), ndr_get_array_length(ndr, &r->drivername)); >+ size_drivername_1 = ndr_get_array_size(ndr, &r->drivername); >+ length_drivername_1 = ndr_get_array_length(ndr, &r->drivername); >+ if (length_drivername_1 > size_drivername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_drivername_1, length_drivername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->drivername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->drivername, ndr_get_array_length(ndr, &r->drivername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_drivername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->drivername, length_drivername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_drivername_0, 0); > } > if (r->comment) { >@@ -6404,11 +6564,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); >- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); >+ size_comment_1 = ndr_get_array_size(ndr, &r->comment); >+ length_comment_1 = ndr_get_array_length(ndr, &r->comment); >+ if (length_comment_1 > size_comment_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); > } > if (r->location) { >@@ -6416,11 +6578,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->location, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->location)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->location)); >- if (ndr_get_array_length(ndr, &r->location) > ndr_get_array_size(ndr, &r->location)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->location), ndr_get_array_length(ndr, &r->location)); >+ size_location_1 = ndr_get_array_size(ndr, &r->location); >+ length_location_1 = ndr_get_array_length(ndr, &r->location); >+ if (length_location_1 > size_location_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_location_1, length_location_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->location), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->location, ndr_get_array_length(ndr, &r->location), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_location_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->location, length_location_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_location_0, 0); > } > if (r->sepfile) { >@@ -6428,11 +6592,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->sepfile, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->sepfile)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->sepfile)); >- if (ndr_get_array_length(ndr, &r->sepfile) > ndr_get_array_size(ndr, &r->sepfile)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->sepfile), ndr_get_array_length(ndr, &r->sepfile)); >+ size_sepfile_1 = ndr_get_array_size(ndr, &r->sepfile); >+ length_sepfile_1 = ndr_get_array_length(ndr, &r->sepfile); >+ if (length_sepfile_1 > size_sepfile_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sepfile_1, length_sepfile_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->sepfile), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sepfile, ndr_get_array_length(ndr, &r->sepfile), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_sepfile_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sepfile, length_sepfile_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sepfile_0, 0); > } > if (r->printprocessor) { >@@ -6440,11 +6606,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printprocessor, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printprocessor)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printprocessor)); >- if (ndr_get_array_length(ndr, &r->printprocessor) > ndr_get_array_size(ndr, &r->printprocessor)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printprocessor), ndr_get_array_length(ndr, &r->printprocessor)); >+ size_printprocessor_1 = ndr_get_array_size(ndr, &r->printprocessor); >+ length_printprocessor_1 = ndr_get_array_length(ndr, &r->printprocessor); >+ if (length_printprocessor_1 > size_printprocessor_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printprocessor_1, length_printprocessor_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printprocessor), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printprocessor, ndr_get_array_length(ndr, &r->printprocessor), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printprocessor_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printprocessor, length_printprocessor_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printprocessor_0, 0); > } > if (r->datatype) { >@@ -6452,11 +6620,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->datatype)); >- if (ndr_get_array_length(ndr, &r->datatype) > ndr_get_array_size(ndr, &r->datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->datatype), ndr_get_array_length(ndr, &r->datatype)); >+ size_datatype_1 = ndr_get_array_size(ndr, &r->datatype); >+ length_datatype_1 = ndr_get_array_length(ndr, &r->datatype); >+ if (length_datatype_1 > size_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_datatype_1, length_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, length_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_datatype_0, 0); > } > if (r->parameters) { >@@ -6464,11 +6634,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->parameters, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->parameters)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->parameters)); >- if (ndr_get_array_length(ndr, &r->parameters) > ndr_get_array_size(ndr, &r->parameters)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->parameters), ndr_get_array_length(ndr, &r->parameters)); >+ size_parameters_1 = ndr_get_array_size(ndr, &r->parameters); >+ length_parameters_1 = ndr_get_array_length(ndr, &r->parameters); >+ if (length_parameters_1 > size_parameters_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parameters_1, length_parameters_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_parameters_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, length_parameters_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parameters_0, 0); > } > } >@@ -6616,8 +6788,12 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo4(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo4(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo4 *r) > { > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > uint32_t _ptr_servername; >+ uint32_t size_servername_1 = 0; >+ uint32_t length_servername_1 = 0; > TALLOC_CTX *_mem_save_servername_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6641,11 +6817,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo4(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); >- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > if (r->servername) { >@@ -6653,11 +6831,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo4(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->servername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->servername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->servername)); >- if (ndr_get_array_length(ndr, &r->servername) > ndr_get_array_size(ndr, &r->servername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->servername), ndr_get_array_length(ndr, &r->servername)); >+ size_servername_1 = ndr_get_array_size(ndr, &r->servername); >+ length_servername_1 = ndr_get_array_length(ndr, &r->servername); >+ if (length_servername_1 > size_servername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); > } > } >@@ -6714,8 +6894,12 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo5(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo5(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo5 *r) > { > uint32_t _ptr_printername; >+ uint32_t size_printername_1 = 0; >+ uint32_t length_printername_1 = 0; > TALLOC_CTX *_mem_save_printername_0; > uint32_t _ptr_portname; >+ uint32_t size_portname_1 = 0; >+ uint32_t length_portname_1 = 0; > TALLOC_CTX *_mem_save_portname_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6741,11 +6925,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo5(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); >- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); >+ size_printername_1 = ndr_get_array_size(ndr, &r->printername); >+ length_printername_1 = ndr_get_array_length(ndr, &r->printername); >+ if (length_printername_1 > size_printername_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); > } > if (r->portname) { >@@ -6753,11 +6939,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo5(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->portname, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->portname)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->portname)); >- if (ndr_get_array_length(ndr, &r->portname) > ndr_get_array_size(ndr, &r->portname)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->portname), ndr_get_array_length(ndr, &r->portname)); >+ size_portname_1 = ndr_get_array_size(ndr, &r->portname); >+ length_portname_1 = ndr_get_array_length(ndr, &r->portname); >+ if (length_portname_1 > size_portname_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_portname_1, length_portname_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_portname_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, length_portname_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_portname_0, 0); > } > } >@@ -6837,6 +7025,8 @@ static enum ndr_err_code ndr_push_spoolss_SetPrinterInfo7(struct ndr_push *ndr, > static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo7(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo7 *r) > { > uint32_t _ptr_guid; >+ uint32_t size_guid_1 = 0; >+ uint32_t length_guid_1 = 0; > TALLOC_CTX *_mem_save_guid_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -6854,11 +7044,13 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo7(struct ndr_pull *ndr, > NDR_PULL_SET_MEM_CTX(ndr, r->guid, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->guid)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->guid)); >- if (ndr_get_array_length(ndr, &r->guid) > ndr_get_array_size(ndr, &r->guid)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->guid), ndr_get_array_length(ndr, &r->guid)); >+ size_guid_1 = ndr_get_array_size(ndr, &r->guid); >+ length_guid_1 = ndr_get_array_length(ndr, &r->guid); >+ if (length_guid_1 > size_guid_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_guid_1, length_guid_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->guid), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guid, ndr_get_array_length(ndr, &r->guid), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_guid_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guid, length_guid_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guid_0, 0); > } > } >@@ -7066,15 +7258,25 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > int level; > uint32_t _level; > TALLOC_CTX *_mem_save_info0_0; >+ uint32_t _ptr_info0; > TALLOC_CTX *_mem_save_info1_0; >+ uint32_t _ptr_info1; > TALLOC_CTX *_mem_save_info2_0; >+ uint32_t _ptr_info2; > TALLOC_CTX *_mem_save_info3_0; >+ uint32_t _ptr_info3; > TALLOC_CTX *_mem_save_info4_0; >+ uint32_t _ptr_info4; > TALLOC_CTX *_mem_save_info5_0; >+ uint32_t _ptr_info5; > TALLOC_CTX *_mem_save_info6_0; >+ uint32_t _ptr_info6; > TALLOC_CTX *_mem_save_info7_0; >+ uint32_t _ptr_info7; > TALLOC_CTX *_mem_save_info8_0; >+ uint32_t _ptr_info8; > TALLOC_CTX *_mem_save_info9_0; >+ uint32_t _ptr_info9; > level = ndr_pull_get_switch_value(ndr, r); > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &_level)); >@@ -7083,7 +7285,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > } > switch (level) { > case 0: { >- uint32_t _ptr_info0; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); > if (_ptr_info0) { > NDR_PULL_ALLOC(ndr, r->info0); >@@ -7093,7 +7294,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 1: { >- uint32_t _ptr_info1; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); > if (_ptr_info1) { > NDR_PULL_ALLOC(ndr, r->info1); >@@ -7103,7 +7303,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 2: { >- uint32_t _ptr_info2; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); > if (_ptr_info2) { > NDR_PULL_ALLOC(ndr, r->info2); >@@ -7113,7 +7312,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 3: { >- uint32_t _ptr_info3; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); > if (_ptr_info3) { > NDR_PULL_ALLOC(ndr, r->info3); >@@ -7123,7 +7321,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 4: { >- uint32_t _ptr_info4; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); > if (_ptr_info4) { > NDR_PULL_ALLOC(ndr, r->info4); >@@ -7133,7 +7330,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 5: { >- uint32_t _ptr_info5; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); > if (_ptr_info5) { > NDR_PULL_ALLOC(ndr, r->info5); >@@ -7143,7 +7339,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 6: { >- uint32_t _ptr_info6; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); > if (_ptr_info6) { > NDR_PULL_ALLOC(ndr, r->info6); >@@ -7153,7 +7348,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 7: { >- uint32_t _ptr_info7; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info7)); > if (_ptr_info7) { > NDR_PULL_ALLOC(ndr, r->info7); >@@ -7163,7 +7357,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 8: { >- uint32_t _ptr_info8; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info8)); > if (_ptr_info8) { > NDR_PULL_ALLOC(ndr, r->info8); >@@ -7173,7 +7366,6 @@ static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo(struct ndr_pull *ndr, i > break; } > > case 9: { >- uint32_t _ptr_info9; > NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info9)); > if (_ptr_info9) { > NDR_PULL_ALLOC(ndr, r->info9); >@@ -7490,6 +7682,8 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo1(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo1 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7506,11 +7700,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo1(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > } >@@ -7606,14 +7802,24 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo2(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo2 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 4)); >@@ -7655,11 +7861,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -7667,11 +7875,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -7679,11 +7889,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -7691,11 +7903,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -7703,11 +7917,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > } >@@ -7827,20 +8043,36 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo3(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo3 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > uint32_t _ptr_help_file; >+ uint32_t size_help_file_1 = 0; >+ uint32_t length_help_file_1 = 0; > TALLOC_CTX *_mem_save_help_file_0; > uint32_t _ptr_monitor_name; >+ uint32_t size_monitor_name_1 = 0; >+ uint32_t length_monitor_name_1 = 0; > TALLOC_CTX *_mem_save_monitor_name_0; > uint32_t _ptr_default_datatype; >+ uint32_t size_default_datatype_1 = 0; >+ uint32_t length_default_datatype_1 = 0; > TALLOC_CTX *_mem_save_default_datatype_0; > uint32_t _ptr_dependent_files; > TALLOC_CTX *_mem_save_dependent_files_0; >@@ -7909,11 +8141,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -7921,11 +8155,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -7933,11 +8169,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -7945,11 +8183,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -7957,11 +8197,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > if (r->help_file) { >@@ -7969,11 +8211,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); >- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); >+ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); >+ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); >+ if (length_help_file_1 > size_help_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); > } > if (r->monitor_name) { >@@ -7981,11 +8225,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); >- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); >+ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); >+ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); >+ if (length_monitor_name_1 > size_monitor_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); > } > if (r->default_datatype) { >@@ -7993,11 +8239,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); >- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); >+ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); >+ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); >+ if (length_default_datatype_1 > size_default_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); > } > if (r->dependent_files) { >@@ -8153,20 +8401,36 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo4(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo4 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > uint32_t _ptr_help_file; >+ uint32_t size_help_file_1 = 0; >+ uint32_t length_help_file_1 = 0; > TALLOC_CTX *_mem_save_help_file_0; > uint32_t _ptr_monitor_name; >+ uint32_t size_monitor_name_1 = 0; >+ uint32_t length_monitor_name_1 = 0; > TALLOC_CTX *_mem_save_monitor_name_0; > uint32_t _ptr_default_datatype; >+ uint32_t size_default_datatype_1 = 0; >+ uint32_t length_default_datatype_1 = 0; > TALLOC_CTX *_mem_save_default_datatype_0; > uint32_t _ptr_dependent_files; > TALLOC_CTX *_mem_save_dependent_files_0; >@@ -8244,11 +8508,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -8256,11 +8522,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -8268,11 +8536,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -8280,11 +8550,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -8292,11 +8564,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > if (r->help_file) { >@@ -8304,11 +8578,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); >- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); >+ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); >+ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); >+ if (length_help_file_1 > size_help_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); > } > if (r->monitor_name) { >@@ -8316,11 +8592,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); >- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); >+ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); >+ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); >+ if (length_monitor_name_1 > size_monitor_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); > } > if (r->default_datatype) { >@@ -8328,11 +8606,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); >- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); >+ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); >+ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); >+ if (length_default_datatype_1 > size_default_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); > } > if (r->dependent_files) { >@@ -8553,32 +8833,56 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo6(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo6 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > uint32_t _ptr_help_file; >+ uint32_t size_help_file_1 = 0; >+ uint32_t length_help_file_1 = 0; > TALLOC_CTX *_mem_save_help_file_0; > uint32_t _ptr_monitor_name; >+ uint32_t size_monitor_name_1 = 0; >+ uint32_t length_monitor_name_1 = 0; > TALLOC_CTX *_mem_save_monitor_name_0; > uint32_t _ptr_default_datatype; >+ uint32_t size_default_datatype_1 = 0; >+ uint32_t length_default_datatype_1 = 0; > TALLOC_CTX *_mem_save_default_datatype_0; > uint32_t _ptr_dependent_files; > TALLOC_CTX *_mem_save_dependent_files_0; > uint32_t _ptr_previous_names; > TALLOC_CTX *_mem_save_previous_names_0; > uint32_t _ptr_manufacturer_name; >+ uint32_t size_manufacturer_name_1 = 0; >+ uint32_t length_manufacturer_name_1 = 0; > TALLOC_CTX *_mem_save_manufacturer_name_0; > uint32_t _ptr_manufacturer_url; >+ uint32_t size_manufacturer_url_1 = 0; >+ uint32_t length_manufacturer_url_1 = 0; > TALLOC_CTX *_mem_save_manufacturer_url_0; > uint32_t _ptr_hardware_id; >+ uint32_t size_hardware_id_1 = 0; >+ uint32_t length_hardware_id_1 = 0; > TALLOC_CTX *_mem_save_hardware_id_0; > uint32_t _ptr_provider; >+ uint32_t size_provider_1 = 0; >+ uint32_t length_provider_1 = 0; > TALLOC_CTX *_mem_save_provider_0; > if (ndr_flags & NDR_SCALARS) { > NDR_CHECK(ndr_pull_align(ndr, 8)); >@@ -8678,11 +8982,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -8690,11 +8996,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -8702,11 +9010,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -8714,11 +9024,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -8726,11 +9038,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > if (r->help_file) { >@@ -8738,11 +9052,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); >- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); >+ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); >+ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); >+ if (length_help_file_1 > size_help_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); > } > if (r->monitor_name) { >@@ -8750,11 +9066,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); >- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); >+ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); >+ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); >+ if (length_monitor_name_1 > size_monitor_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); > } > if (r->default_datatype) { >@@ -8762,11 +9080,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); >- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); >+ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); >+ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); >+ if (length_default_datatype_1 > size_default_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); > } > if (r->dependent_files) { >@@ -8786,11 +9106,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_name)); >- if (ndr_get_array_length(ndr, &r->manufacturer_name) > ndr_get_array_size(ndr, &r->manufacturer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_name), ndr_get_array_length(ndr, &r->manufacturer_name)); >+ size_manufacturer_name_1 = ndr_get_array_size(ndr, &r->manufacturer_name); >+ length_manufacturer_name_1 = ndr_get_array_length(ndr, &r->manufacturer_name); >+ if (length_manufacturer_name_1 > size_manufacturer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_name_1, length_manufacturer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, length_manufacturer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_name_0, 0); > } > if (r->manufacturer_url) { >@@ -8798,11 +9120,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_url, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_url)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_url)); >- if (ndr_get_array_length(ndr, &r->manufacturer_url) > ndr_get_array_size(ndr, &r->manufacturer_url)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_url), ndr_get_array_length(ndr, &r->manufacturer_url)); >+ size_manufacturer_url_1 = ndr_get_array_size(ndr, &r->manufacturer_url); >+ length_manufacturer_url_1 = ndr_get_array_length(ndr, &r->manufacturer_url); >+ if (length_manufacturer_url_1 > size_manufacturer_url_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_url_1, length_manufacturer_url_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_url_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, length_manufacturer_url_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_url_0, 0); > } > if (r->hardware_id) { >@@ -8810,11 +9134,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->hardware_id, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->hardware_id)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->hardware_id)); >- if (ndr_get_array_length(ndr, &r->hardware_id) > ndr_get_array_size(ndr, &r->hardware_id)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->hardware_id), ndr_get_array_length(ndr, &r->hardware_id)); >+ size_hardware_id_1 = ndr_get_array_size(ndr, &r->hardware_id); >+ length_hardware_id_1 = ndr_get_array_length(ndr, &r->hardware_id); >+ if (length_hardware_id_1 > size_hardware_id_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_hardware_id_1, length_hardware_id_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_hardware_id_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, length_hardware_id_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_hardware_id_0, 0); > } > if (r->provider) { >@@ -8822,11 +9148,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->provider, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->provider)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->provider)); >- if (ndr_get_array_length(ndr, &r->provider) > ndr_get_array_size(ndr, &r->provider)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->provider), ndr_get_array_length(ndr, &r->provider)); >+ size_provider_1 = ndr_get_array_size(ndr, &r->provider); >+ length_provider_1 = ndr_get_array_length(ndr, &r->provider); >+ if (length_provider_1 > size_provider_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_provider_1, length_provider_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_provider_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, length_provider_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_provider_0, 0); > } > } >@@ -9073,40 +9401,70 @@ static enum ndr_err_code ndr_push_spoolss_AddDriverInfo8(struct ndr_push *ndr, i > static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo8 *r) > { > uint32_t _ptr_driver_name; >+ uint32_t size_driver_name_1 = 0; >+ uint32_t length_driver_name_1 = 0; > TALLOC_CTX *_mem_save_driver_name_0; > uint32_t _ptr_architecture; >+ uint32_t size_architecture_1 = 0; >+ uint32_t length_architecture_1 = 0; > TALLOC_CTX *_mem_save_architecture_0; > uint32_t _ptr_driver_path; >+ uint32_t size_driver_path_1 = 0; >+ uint32_t length_driver_path_1 = 0; > TALLOC_CTX *_mem_save_driver_path_0; > uint32_t _ptr_data_file; >+ uint32_t size_data_file_1 = 0; >+ uint32_t length_data_file_1 = 0; > TALLOC_CTX *_mem_save_data_file_0; > uint32_t _ptr_config_file; >+ uint32_t size_config_file_1 = 0; >+ uint32_t length_config_file_1 = 0; > TALLOC_CTX *_mem_save_config_file_0; > uint32_t _ptr_help_file; >+ uint32_t size_help_file_1 = 0; >+ uint32_t length_help_file_1 = 0; > TALLOC_CTX *_mem_save_help_file_0; > uint32_t _ptr_monitor_name; >+ uint32_t size_monitor_name_1 = 0; >+ uint32_t length_monitor_name_1 = 0; > TALLOC_CTX *_mem_save_monitor_name_0; > uint32_t _ptr_default_datatype; >+ uint32_t size_default_datatype_1 = 0; >+ uint32_t length_default_datatype_1 = 0; > TALLOC_CTX *_mem_save_default_datatype_0; > uint32_t _ptr_dependent_files; > TALLOC_CTX *_mem_save_dependent_files_0; > uint32_t _ptr_previous_names; > TALLOC_CTX *_mem_save_previous_names_0; > uint32_t _ptr_manufacturer_name; >+ uint32_t size_manufacturer_name_1 = 0; >+ uint32_t length_manufacturer_name_1 = 0; > TALLOC_CTX *_mem_save_manufacturer_name_0; > uint32_t _ptr_manufacturer_url; >+ uint32_t size_manufacturer_url_1 = 0; >+ uint32_t length_manufacturer_url_1 = 0; > TALLOC_CTX *_mem_save_manufacturer_url_0; > uint32_t _ptr_hardware_id; >+ uint32_t size_hardware_id_1 = 0; >+ uint32_t length_hardware_id_1 = 0; > TALLOC_CTX *_mem_save_hardware_id_0; > uint32_t _ptr_provider; >+ uint32_t size_provider_1 = 0; >+ uint32_t length_provider_1 = 0; > TALLOC_CTX *_mem_save_provider_0; > uint32_t _ptr_print_processor; >+ uint32_t size_print_processor_1 = 0; >+ uint32_t length_print_processor_1 = 0; > TALLOC_CTX *_mem_save_print_processor_0; > uint32_t _ptr_vendor_setup; >+ uint32_t size_vendor_setup_1 = 0; >+ uint32_t length_vendor_setup_1 = 0; > TALLOC_CTX *_mem_save_vendor_setup_0; > uint32_t _ptr_color_profiles; > TALLOC_CTX *_mem_save_color_profiles_0; > uint32_t _ptr_inf_path; >+ uint32_t size_inf_path_1 = 0; >+ uint32_t length_inf_path_1 = 0; > TALLOC_CTX *_mem_save_inf_path_0; > uint32_t _ptr_core_driver_dependencies; > TALLOC_CTX *_mem_save_core_driver_dependencies_0; >@@ -9243,11 +9601,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); >- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); >+ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); >+ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); >+ if (length_driver_name_1 > size_driver_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); > } > if (r->architecture) { >@@ -9255,11 +9615,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); >- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); >+ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); >+ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); >+ if (length_architecture_1 > size_architecture_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); > } > if (r->driver_path) { >@@ -9267,11 +9629,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); >- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); >+ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); >+ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); >+ if (length_driver_path_1 > size_driver_path_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); > } > if (r->data_file) { >@@ -9279,11 +9643,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); >- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); >+ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); >+ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); >+ if (length_data_file_1 > size_data_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); > } > if (r->config_file) { >@@ -9291,11 +9657,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); >- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); >+ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); >+ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); >+ if (length_config_file_1 > size_config_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); > } > if (r->help_file) { >@@ -9303,11 +9671,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); >- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); >+ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); >+ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); >+ if (length_help_file_1 > size_help_file_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); > } > if (r->monitor_name) { >@@ -9315,11 +9685,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); >- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); >+ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); >+ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); >+ if (length_monitor_name_1 > size_monitor_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); > } > if (r->default_datatype) { >@@ -9327,11 +9699,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); >- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); >+ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); >+ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); >+ if (length_default_datatype_1 > size_default_datatype_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); > } > if (r->dependent_files) { >@@ -9351,11 +9725,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_name, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_name)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_name)); >- if (ndr_get_array_length(ndr, &r->manufacturer_name) > ndr_get_array_size(ndr, &r->manufacturer_name)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_name), ndr_get_array_length(ndr, &r->manufacturer_name)); >+ size_manufacturer_name_1 = ndr_get_array_size(ndr, &r->manufacturer_name); >+ length_manufacturer_name_1 = ndr_get_array_length(ndr, &r->manufacturer_name); >+ if (length_manufacturer_name_1 > size_manufacturer_name_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_name_1, length_manufacturer_name_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_name_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, length_manufacturer_name_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_name_0, 0); > } > if (r->manufacturer_url) { >@@ -9363,11 +9739,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_url, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_url)); > NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_url)); >- if (ndr_get_array_length(ndr, &r->manufacturer_url) > ndr_get_array_size(ndr, &r->manufacturer_url)) { >- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_url), ndr_get_array_length(ndr, &r->manufacturer_url)); >+ size_manufacturer_url_1 = ndr_get_array_size(ndr, &r->manufacturer_url); >+ length_manufacturer_url_1 = ndr_get_array_length(ndr, &r->manufacturer_url); >+ if (length_manufacturer_url_1 > size_manufacturer_url_1) { >+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_url_1, length_manufacturer_url_1); > } >- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t))); >- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t), CH_UTF16)); >+ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_url_1, sizeof(uint16_t))); >+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, length_manufacturer_url_1, sizeof(uint16_t), CH_UTF16)); > NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_url_0, 0); > } > if (r->hardware_id) { >@@ -9375,11 +9753,13 @@ static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, i > NDR_PULL_SET_MEM_CTX(ndr, r->hardware_id, 0); > NDR_CHECK(ndr_pull_array_size(ndr, &r->hardware_id)); > NDR_CHECK(ndr_pull_array_length(