Changeset 590 for trunk/server/librpc/gen_ndr
- Timestamp:
- Jul 1, 2011, 8:40:10 AM (14 years ago)
- Location:
- trunk/server/librpc/gen_ndr
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/server/librpc/gen_ndr/cli_epmapper.c
r414 r590 381 381 *state->orig.out.entry_handle = *state->tmp.out.entry_handle; 382 382 *state->orig.out.num_ents = *state->tmp.out.num_ents; 383 memcpy(state->orig.out.entries, state->tmp.out.entries, (state->tmp.in.max_ents) * sizeof(*state->orig.out.entries)); 383 if ((*state->tmp.out.num_ents) > (state->tmp.in.max_ents)) { 384 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); 385 return; 386 } 387 memcpy(state->orig.out.entries, state->tmp.out.entries, (*state->tmp.out.num_ents) * sizeof(*state->orig.out.entries)); 384 388 385 389 /* Copy result */ … … 454 458 *entry_handle = *r.out.entry_handle; 455 459 *num_ents = *r.out.num_ents; 456 memcpy(entries, r.out.entries, (r.in.max_ents) * sizeof(*entries)); 460 if ((*r.out.num_ents) > (r.in.max_ents)) { 461 return NT_STATUS_INVALID_NETWORK_RESPONSE; 462 } 463 memcpy(entries, r.out.entries, (*r.out.num_ents) * sizeof(*entries)); 457 464 458 465 /* Return result */ … … 550 557 *state->orig.out.entry_handle = *state->tmp.out.entry_handle; 551 558 *state->orig.out.num_towers = *state->tmp.out.num_towers; 552 memcpy(state->orig.out.towers, state->tmp.out.towers, (state->tmp.in.max_towers) * sizeof(*state->orig.out.towers)); 559 if ((*state->tmp.out.num_towers) > (state->tmp.in.max_towers)) { 560 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); 561 return; 562 } 563 memcpy(state->orig.out.towers, state->tmp.out.towers, (*state->tmp.out.num_towers) * sizeof(*state->orig.out.towers)); 553 564 554 565 /* Copy result */ … … 619 630 *entry_handle = *r.out.entry_handle; 620 631 *num_towers = *r.out.num_towers; 621 memcpy(towers, r.out.towers, (r.in.max_towers) * sizeof(*towers)); 632 if ((*r.out.num_towers) > (r.in.max_towers)) { 633 return NT_STATUS_INVALID_NETWORK_RESPONSE; 634 } 635 memcpy(towers, r.out.towers, (*r.out.num_towers) * sizeof(*towers)); 622 636 623 637 /* Return result */ -
trunk/server/librpc/gen_ndr/cli_ntsvcs.c
r414 r590 1460 1460 1461 1461 /* Copy out parameters */ 1462 memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.length) * sizeof(*state->orig.out.buffer)); 1462 if ((*state->tmp.out.length) > (*state->tmp.in.length)) { 1463 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); 1464 return; 1465 } 1466 memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.length) * sizeof(*state->orig.out.buffer)); 1463 1467 *state->orig.out.length = *state->tmp.out.length; 1464 1468 … … 1526 1530 1527 1531 /* Return variables */ 1528 memcpy(buffer, r.out.buffer, (*r.in.length) * sizeof(*buffer)); 1532 if ((*r.out.length) > (*r.in.length)) { 1533 return NT_STATUS_INVALID_NETWORK_RESPONSE; 1534 } 1535 memcpy(buffer, r.out.buffer, (*r.out.length) * sizeof(*buffer)); 1529 1536 *length = *r.out.length; 1530 1537 … … 1919 1926 /* Copy out parameters */ 1920 1927 *state->orig.out.reg_data_type = *state->tmp.out.reg_data_type; 1921 memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.buffer_size) * sizeof(*state->orig.out.buffer)); 1928 if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) { 1929 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); 1930 return; 1931 } 1932 memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer)); 1922 1933 *state->orig.out.buffer_size = *state->tmp.out.buffer_size; 1923 1934 *state->orig.out.needed = *state->tmp.out.needed; … … 1993 2004 /* Return variables */ 1994 2005 *reg_data_type = *r.out.reg_data_type; 1995 memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer)); 2006 if ((*r.out.buffer_size) > (*r.in.buffer_size)) { 2007 return NT_STATUS_INVALID_NETWORK_RESPONSE; 2008 } 2009 memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer)); 1996 2010 *buffer_size = *r.out.buffer_size; 1997 2011 *needed = *r.out.needed; -
trunk/server/librpc/gen_ndr/cli_winreg.c
r429 r590 1669 1669 } 1670 1670 if (state->orig.out.value && state->tmp.out.value) { 1671 memcpy(state->orig.out.value, state->tmp.out.value, (*state->tmp.in.size) * sizeof(*state->orig.out.value)); 1671 if ((*state->tmp.out.size) > (*state->tmp.in.size)) { 1672 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); 1673 return; 1674 } 1675 if ((*state->tmp.out.length) > (*state->tmp.out.size)) { 1676 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); 1677 return; 1678 } 1679 memcpy(state->orig.out.value, state->tmp.out.value, (*state->tmp.out.length) * sizeof(*state->orig.out.value)); 1672 1680 } 1673 1681 if (state->orig.out.size && state->tmp.out.size) { … … 1753 1761 } 1754 1762 if (value && r.out.value) { 1755 memcpy(value, r.out.value, (*r.in.size) * sizeof(*value)); 1763 if ((*r.out.size) > (*r.in.size)) { 1764 return NT_STATUS_INVALID_NETWORK_RESPONSE; 1765 } 1766 if ((*r.out.length) > (*r.out.size)) { 1767 return NT_STATUS_INVALID_NETWORK_RESPONSE; 1768 } 1769 memcpy(value, r.out.value, (*r.out.length) * sizeof(*value)); 1756 1770 } 1757 1771 if (size && r.out.size) { … … 2824 2838 } 2825 2839 if (state->orig.out.data && state->tmp.out.data) { 2826 memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.data_size?*state->tmp.in.data_size:0) * sizeof(*state->orig.out.data)); 2840 if ((state->tmp.out.data_size?*state->tmp.out.data_size:0) > (state->tmp.in.data_size?*state->tmp.in.data_size:0)) { 2841 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); 2842 return; 2843 } 2844 if ((state->tmp.out.data_length?*state->tmp.out.data_length:0) > (state->tmp.out.data_size?*state->tmp.out.data_size:0)) { 2845 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); 2846 return; 2847 } 2848 memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.out.data_length?*state->tmp.out.data_length:0) * sizeof(*state->orig.out.data)); 2827 2849 } 2828 2850 if (state->orig.out.data_size && state->tmp.out.data_size) { … … 2905 2927 } 2906 2928 if (data && r.out.data) { 2907 memcpy(data, r.out.data, (r.in.data_size?*r.in.data_size:0) * sizeof(*data)); 2929 if ((r.out.data_size?*r.out.data_size:0) > (r.in.data_size?*r.in.data_size:0)) { 2930 return NT_STATUS_INVALID_NETWORK_RESPONSE; 2931 } 2932 if ((r.out.data_length?*r.out.data_length:0) > (r.out.data_size?*r.out.data_size:0)) { 2933 return NT_STATUS_INVALID_NETWORK_RESPONSE; 2934 } 2935 memcpy(data, r.out.data, (r.out.data_length?*r.out.data_length:0) * sizeof(*data)); 2908 2936 } 2909 2937 if (data_size && r.out.data_size) { … … 4630 4658 memcpy(state->orig.out.values, state->tmp.out.values, (state->tmp.in.num_values) * sizeof(*state->orig.out.values)); 4631 4659 if (state->orig.out.buffer && state->tmp.out.buffer) { 4632 memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.buffer_size) * sizeof(*state->orig.out.buffer)); 4660 if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) { 4661 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); 4662 return; 4663 } 4664 memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer)); 4633 4665 } 4634 4666 *state->orig.out.buffer_size = *state->tmp.out.buffer_size; … … 4702 4734 memcpy(values, r.out.values, (r.in.num_values) * sizeof(*values)); 4703 4735 if (buffer && r.out.buffer) { 4704 memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer)); 4736 if ((*r.out.buffer_size) > (*r.in.buffer_size)) { 4737 return NT_STATUS_INVALID_NETWORK_RESPONSE; 4738 } 4739 memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer)); 4705 4740 } 4706 4741 *buffer_size = *r.out.buffer_size;
Note:
See TracChangeset
for help on using the changeset viewer.