pidl: check the size of pulled arrays of arrays
We were accidentally checking the memory just past the array instead of
checking each member.

This could have led to the size of some arrays not being checked.

Found by Michael Hanselmann using Honggfuzz and a fuzzer for Samba's
NDR layer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13877

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
douglasbagnall authored and abartlet committed Nov 20, 2019
1 parent 536a849 commit 1aec742
Showing 2 changed files with 4 additions and 1 deletion.
4 changes: 4 additions & 0 deletions pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
Expand Up @@ -1247,10 +1247,14 @@ sub ParseElementPullLevel

if ($deferred and ContainsDeferred($e, $l)) {
$self->pidl("for ($counter = 0; $counter < ($length); $counter++) {");
$self->defer("for ($counter = 0; $counter < ($length); $counter++) {");
$self->defer_indent;
$self->indent;
$self->ParseElementPullLevel($e,GetNextLevel($e,$l), $ndr, $var_name, $env, 0, 1);
$self->deindent;
$self->defer_deindent;
$self->pidl("}");
$self->defer("}");
}

$self->ParseMemCtxPullEnd($e, $l, $ndr);
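
Review bot: the four `defer` calls inside the `if ($deferred and ContainsDeferred($e, $l))` block mirror the `pidl`/`indent`/`deindent` calls by hand, and nothing in the code says why the loop has to be opened in the deferred output as well. A short comment above `$self->defer("for ($counter = 0; ...` stating that the deferred checks produced by the nested `ParseElementPullLevel` call must run once per member, inside their own copy of the loop, would help keep the two output streams from drifting apart again. It is also worth confirming that the `$counter` and `$length` expressions are still valid and unchanged at the point where the deferred code is emitted, since the same strings are reused verbatim in both loop headers.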
1 change: 0 additions & 1 deletion selftest/knownfail.d/ndrdump

This file was deleted.
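
Review bot: the commit message does not mention the removal of `selftest/knownfail.d/ndrdump`. Add a line saying which ndrdump test is now expected to pass, so the regression coverage for this size check can be found from the log.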