Changeset 919 for vendor/current/librpc/ndr/ndr.c

Timestamp:

Jun 9, 2016, 2:17:22 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: apply latest security patches to vendor

File:

• vendor/current/librpc/ndr/ndr.c (modified) (8 diffs)

vendor/current/librpc/ndr/ndr.c

@@ -78 +78 @@
 }
 
+_PUBLIC_ enum ndr_err_code ndr_pull_append(struct ndr_pull *ndr, DATA_BLOB *blob)
+{
+        enum ndr_err_code ndr_err;
+        DATA_BLOB b;
+        uint32_t append = 0;
+        bool ok;
+
+        if (blob->length == 0) {
+                return NDR_ERR_SUCCESS;
+        }
+
+        ndr_err = ndr_token_retrieve(&ndr->array_size_list, ndr, &append);
+        if (ndr_err == NDR_ERR_TOKEN) {
+                append = 0;
+                ndr_err = NDR_ERR_SUCCESS;
+        }
+        NDR_CHECK(ndr_err);
+
+        if (ndr->data_size == 0) {
+                ndr->data = NULL;
+                append = UINT32_MAX;
+        }
+
+        if (append == UINT32_MAX) {
+                /*
+                 * append == UINT32_MAX means that
+                 * ndr->data is either NULL or a valid
+                 * talloc child of ndr, which means
+                 * we can use data_blob_append() without
+                 * data_blob_talloc() of the existing callers data
+                 */
+                b = data_blob_const(ndr->data, ndr->data_size);
+        } else {
+                b = data_blob_talloc(ndr, ndr->data, ndr->data_size);
+                if (b.data == NULL) {
+                        return ndr_pull_error(ndr, NDR_ERR_ALLOC, "%s", __location__);
+                }
+        }
+
+        ok = data_blob_append(ndr, &b, blob->data, blob->length);
+        if (!ok) {
+                return ndr_pull_error(ndr, NDR_ERR_ALLOC, "%s", __location__);
+        }
+
+        ndr->data = b.data;
+        ndr->data_size = b.length;
+
+        return ndr_token_store(ndr, &ndr->array_size_list, ndr, UINT32_MAX);
+}
+
+_PUBLIC_ enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr)
+{
+        uint32_t skip = 0;
+        uint32_t append = 0;
+
+        if (ndr->relative_base_offset != 0) {
+                return ndr_pull_error(ndr, NDR_ERR_RELATIVE,
+                                      "%s", __location__);
+        }
+        if (ndr->relative_highest_offset != 0) {
+                return ndr_pull_error(ndr, NDR_ERR_RELATIVE,
+                                      "%s", __location__);
+        }
+        if (ndr->relative_list != NULL) {
+                return ndr_pull_error(ndr, NDR_ERR_RELATIVE,
+                                      "%s", __location__);
+        }
+        if (ndr->relative_base_list != NULL) {
+                return ndr_pull_error(ndr, NDR_ERR_RELATIVE,
+                                      "%s", __location__);
+        }
+
+        /*
+         * we need to keep up to 7 bytes
+         * in order to get the aligment right.
+         */
+        skip = ndr->offset & 0xFFFFFFF8;
+
+        if (skip == 0) {
+                return NDR_ERR_SUCCESS;
+        }
+
+        ndr->offset -= skip;
+        ndr->data_size -= skip;
+
+        append = ndr_token_peek(&ndr->array_size_list, ndr);
+        if (append != UINT32_MAX) {
+                /*
+                 * here we assume, that ndr->data is not a
+                 * talloc child of ndr.
+                 */
+                ndr->data += skip;
+                return NDR_ERR_SUCCESS;
+        }
+
+        memmove(ndr->data, ndr->data + skip, ndr->data_size);
+
+        ndr->data = talloc_realloc(ndr, ndr->data, uint8_t, ndr->data_size);
+        if (ndr->data_size != 0 && ndr->data == NULL) {
+                return ndr_pull_error(ndr, NDR_ERR_ALLOC, "%s", __location__);
+        }
+
+        return NDR_ERR_SUCCESS;
+}
+
 /*
   advance by 'size' bytes
@@ -166 +271 @@
 
         return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ void ndr_print_debugc_helper(struct ndr_print *ndr, const char *format, ...)
+{
+        va_list ap;
+        char *s = NULL;
+        uint32_t i;
+        int ret;
+        int dbgc_class;
+
+        va_start(ap, format);
+        ret = vasprintf(&s, format, ap);
+        va_end(ap);
+
+        if (ret == -1) {
+                return;
+        }
+
+        dbgc_class = *(int *)ndr->private_data;
+
+        if (ndr->no_newline) {
+                DEBUGADDC(dbgc_class, 1,("%s", s));
+                free(s);
+                return;
+        }
+
+        for (i=0;i<ndr->depth;i++) {
+                DEBUGADDC(dbgc_class, 1,("    "));
+        }
+
+        DEBUGADDC(dbgc_class, 1,("%s\n", s));
+        free(s);
 }
 
@@ -236 +373 @@
                                                                   "\n");
         }
+}
+
+/*
+  a useful helper function for printing idl structures via DEBUGC()
+*/
+_PUBLIC_ void ndr_print_debugc(int dbgc_class, ndr_print_fn_t fn, const char *name, void *ptr)
+{
+        struct ndr_print *ndr;
+
+        DEBUGC(dbgc_class, 1,(" "));
+
+        ndr = talloc_zero(NULL, struct ndr_print);
+        if (!ndr) return;
+        ndr->private_data = &dbgc_class;
+        ndr->print = ndr_print_debugc_helper;
+        ndr->depth = 1;
+        ndr->flags = 0;
+        fn(ndr, name, ptr);
+        talloc_free(ndr);
 }
 
@@ -403 +559 @@
         va_list ap;
         int ret;
+
+        if (ndr->flags & LIBNDR_FLAG_INCOMPLETE_BUFFER) {
+                switch (ndr_err) {
+                case NDR_ERR_BUFSIZE:
+                        return NDR_ERR_INCOMPLETE_BUFFER;
+                default:
+                        break;
+                }
+        }
 
         va_start(ap, format);
@@ -558 +723 @@
                 break;
         }
+        case 0xFFFFFFFF:
+                /*
+                 * a shallow copy like subcontext
+                 * useful for DCERPC pipe chunks.
+                 */
+                subndr = talloc_zero(ndr, struct ndr_pull);
+                NDR_ERR_HAVE_NO_MEMORY(subndr);
+
+                subndr->flags           = ndr->flags;
+                subndr->current_mem_ctx = ndr->current_mem_ctx;
+                subndr->data            = ndr->data;
+                subndr->offset          = ndr->offset;
+                subndr->data_size       = ndr->data_size;
+
+                *_subndr = subndr;
+                return NDR_ERR_SUCCESS;
+
         default:
                 return ndr_pull_error(ndr, NDR_ERR_SUBCONTEXT, "Bad subcontext (PULL) header_size %d", 
@@ -590 +772 @@
 {
         uint32_t advance;
-        if (size_is >= 0) {
+        uint32_t highest_ofs;
+
+        if (header_size == 0xFFFFFFFF) {
+                advance = subndr->offset - ndr->offset;
+        } else if (size_is >= 0) {
                 advance = size_is;
         } else if (header_size > 0) {
@@ -597 +783 @@
                 advance = subndr->offset;
         }
+
+        if (subndr->offset > ndr->relative_highest_offset) {
+                highest_ofs = subndr->offset;
+        } else {
+                highest_ofs = subndr->relative_highest_offset;
+        }
+        if (!(subndr->flags & LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES)) {
+                /*
+                 * avoid an error unless SUBCONTEXT_NO_UNREAD_BYTES is specified
+                 */
+                highest_ofs = advance;
+        }
+        if (highest_ofs < advance) {
+                return ndr_pull_error(subndr, NDR_ERR_UNREAD_BYTES,
+                                      "not all bytes consumed ofs[%u] advance[%u]",
+                                      highest_ofs, advance);
+        }
+
         NDR_CHECK(ndr_pull_advance(ndr, advance));
         return NDR_ERR_SUCCESS;
@@ -1441 +1645 @@
         { NDR_ERR_UNREAD_BYTES, "Unread Bytes" },
         { NDR_ERR_NDR64, "NDR64 assertion error" },
+        { NDR_ERR_INCOMPLETE_BUFFER, "Incomplete Buffer" },
         { 0, NULL }
 };