The Samba-Bugzilla – Attachment 7436 Details for Bug 8815
PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182
[patch] Assert array-lengths for NULL pointers to be 0
assert-array-lengths.patch (text/plain), 3.17 KB, created by Andrew Bartlett on 2012-04-06 05:07:16 UTC
Description: Assert array-lengths for NULL pointers to be 0
Filename: assert-array-lengths.patch
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2012-04-06 05:07:16 UTC
Size: 3.17 KB
patch
obsolete
>From 135aba581d54cd18929048269b203904e208d133 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 6 Apr 2012 14:56:21 +1000 >Subject: [PATCH 1/3] libndr: Add helper to assert that array lengths and size > are zero for NULL pointers > >This ensures that we can rely on a non-zero array length or size value >at the application layer as meaning that the associated pointer is also >non-NULL. > >Andrew Bartlett >--- > librpc/ndr/ndr.c | 13 +++++++++++-- > 1 files changed, 11 insertions(+), 2 deletions(-) > >diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c >index 2279d1c..27e37a7 100644 >--- a/librpc/ndr/ndr.c >+++ b/librpc/ndr/ndr.c >@@ -780,7 +780,12 @@ _PUBLIC_ uint32_t ndr_get_array_size(struct ndr_pull *ndr, const void *p) > _PUBLIC_ enum ndr_err_code ndr_check_array_size(struct ndr_pull *ndr, void *p, uint32_t size) > { > uint32_t stored; >- stored = ndr_token_peek(&ndr->array_size_list, p); >+ if (p) { >+ stored = ndr_token_peek(&ndr->array_size_list, p); >+ } else { >+ stored = 0; >+ } >+ > if (stored != size) { > return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, > "Bad array size - got %u expected %u\n", >@@ -818,7 +823,11 @@ _PUBLIC_ uint32_t ndr_get_array_length(struct ndr_pull *ndr, const void *p) > _PUBLIC_ enum ndr_err_code ndr_check_array_length(struct ndr_pull *ndr, void *p, uint32_t length) > { > uint32_t stored; >- stored = ndr_token_peek(&ndr->array_length_list, p); >+ if (p) { >+ stored = ndr_token_peek(&ndr->array_length_list, p); >+ } else { >+ stored = 0; >+ } > if (stored != length) { > return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, > "Bad array length - got %u expected %u\n", >-- >1.7.6.5 > >From ede0c79422a89355313d8b4af03d3397fb2ad3b7 Mon Sep 17 00:00:00 2001 
>From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 6 Apr 2012 14:56:38 +1000 >Subject: [PATCH 2/3] pidl: Add check to assert that array lengths and size > are zero for NULL pointers > >This ensures that we can rely on a non-zero array length or size value >at the application layer as meaning that the associated pointer is also >non-NULL. > >Andrew Bartlett >--- > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 8 ++++++++ > 1 files changed, 8 insertions(+), 0 deletions(-) > >diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 8eb935b..3385406 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -427,6 +427,10 @@ sub ParseArrayPullHeader($$$$$$) > check_fully_dereferenced($e, $env)); > $self->defer("NDR_CHECK(ndr_check_array_size($ndr, (void*)" . get_pointer_to($var_name) . ", $size));"); > $self->defer_deindent; >+ $self->defer("} else {"); >+ $self->defer_indent; >+ $self->defer("NDR_CHECK(ndr_check_array_size($ndr, NULL, $size));"); >+ $self->defer_deindent; > $self->defer("}"); > } > >@@ -439,6 +443,10 @@ sub ParseArrayPullHeader($$$$$$) > check_fully_dereferenced($e, $env)); > $self->defer("NDR_CHECK(ndr_check_array_length($ndr, (void*)" . get_pointer_to($var_name) . ", $length));"); > $self->defer_deindent; >+ $self->defer("} else {"); >+ $self->defer_indent; >+ $self->defer("NDR_CHECK(ndr_check_array_length($ndr, NULL, $length));"); >+ $self->defer_deindent; > $self->defer("}"); > } > >-- >1.7.6.5 >
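Review bot: in the ndr_check_array_size hunk (@@ -780), the new `} else { stored = 0; }` branch folds the NULL-pointer case into the generic "Bad array size - got %u expected %u" error, so a NULL pointer that arrives with a non-zero size is reported exactly like an ordinary size mismatch; consider a distinct message, or at least mentioning the NULL pointer in it, so the new rejection can be told apart from a plain bad size in logs. The extra empty `+` line after the closing brace is also not mirrored in the ndr_check_array_length hunk; drop it for consistency.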
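Review bot: the ndr_check_array_length hunk (@@ -818) repeats the `if (p) { stored = ndr_token_peek(...); } else { stored = 0; }` branch from ndr_check_array_size verbatim; since the two functions differ only in the token list they peek, a small static helper taking the list would keep them from drifting. Note also that a length mismatch still returns NDR_ERR_ARRAY_SIZE (pre-existing, but now reachable for a NULL pointer with a non-zero length), so callers testing the error code cannot distinguish a bad length from a bad size.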
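Review bot: in the first Parser.pm hunk (@@ -427), the `if` that the emitted `} else {` attaches to lies outside the hunk; the deferred `NDR_CHECK(ndr_check_array_size($ndr, NULL, $size));` is only correct if that condition tests precisely that the pointer is non-NULL, because the else branch now rejects any non-zero `$size`. Please confirm that, and emit a one-line comment in the generated C stating that a NULL pointer must carry a zero size, since the call with a literal NULL otherwise reads as a mistake. This hunk also depends on patch 1/3 being applied first: without it, the generated call passes NULL straight into ndr_token_peek.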
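Review bot: the second Parser.pm hunk (@@ -439) duplicates the four `defer` lines of the size hunk with `$length` and ndr_check_array_length substituted; factoring the else-branch emission into a shared helper in ParseArrayPullHeader would keep the size and length paths identical. Since this pidl change is paired with the libndr change, a regression test that pulls a structure with a NULL pointer and a non-zero length and expects NDR_ERR_ARRAY_SIZE would lock in the behaviour this series introduces.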