From 4908bc367020f040036f5ef1aa7aaa7aff28dbd1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 25 Aug 2010 11:25:03 +0200 Subject: [PATCH] librpc/gen_ndr --- source3/librpc/gen_ndr/ndr_dcom_c.c | 82 +++++++++++---- source3/librpc/gen_ndr/ndr_echo_c.c | 24 ++++- source3/librpc/gen_ndr/ndr_epmapper_c.c | 44 +++++--- source3/librpc/gen_ndr/ndr_eventlog_c.c | 24 ++++- source3/librpc/gen_ndr/ndr_frstrans_c.c | 44 +++++--- source3/librpc/gen_ndr/ndr_mgmt_c.c | 19 +++- source3/librpc/gen_ndr/ndr_ntsvcs_c.c | 44 +++++--- source3/librpc/gen_ndr/ndr_remact_c.c | 24 ++++- source3/librpc/gen_ndr/ndr_spoolss_c.c | 122 ++++++++++++++++++---- source3/librpc/gen_ndr/ndr_srvsvc_c.c | 12 ++- source3/librpc/gen_ndr/ndr_svcctl_c.c | 120 ++++++++++++++++++---- source3/librpc/gen_ndr/ndr_unixinfo_c.c | 22 ++-- source3/librpc/gen_ndr/ndr_winreg_c.c | 130 ++++++++++++++++-------- source3/librpc/gen_ndr/ndr_wmi_c.c | 34 +++++-- 14 files changed, 575 insertions(+), 170 deletions(-) diff --git a/source3/librpc/gen_ndr/ndr_dcom_c.c b/source3/librpc/gen_ndr/ndr_dcom_c.c index cde470c804ab..2b7e6e87ac7d 100644 --- a/source3/librpc/gen_ndr/ndr_dcom_c.c +++ b/source3/librpc/gen_ndr/ndr_dcom_c.c @@ -2422,7 +2422,11 @@ static void dcerpc_RemQueryInterface_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.ORPCthat = *state->tmp.out.ORPCthat; if (state->orig.out.ip && state->tmp.out.ip) { - memcpy(state->orig.out.ip, state->tmp.out.ip, (state->tmp.in.cIids) * sizeof(*state->orig.out.ip)); + { + size_t _copy_len_ip; + _copy_len_ip = state->tmp.in.cIids; + memcpy(state->orig.out.ip, state->tmp.out.ip, _copy_len_ip * sizeof(*state->orig.out.ip)); + } } /* Copy result */ @@ -2486,7 +2490,11 @@ NTSTATUS dcerpc_RemQueryInterface(struct dcerpc_binding_handle *h, /* Return variables */ *_ORPCthat = *r.out.ORPCthat; if (_ip && r.out.ip) { - memcpy(_ip, r.out.ip, (r.in.cIids) * sizeof(*_ip)); + { + size_t _copy_len_ip; + _copy_len_ip = r.in.cIids; + memcpy(_ip, r.out.ip, _copy_len_ip * sizeof(*_ip)); + } } /* Return result */ @@ -2672,7 +2680,11 @@ static void dcerpc_RemAddRef_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.ORPCthat = *state->tmp.out.ORPCthat; if (state->orig.out.pResults && state->tmp.out.pResults) { - memcpy(state->orig.out.pResults, state->tmp.out.pResults, (state->tmp.in.cInterfaceRefs) * sizeof(*state->orig.out.pResults)); + { + size_t _copy_len_pResults; + _copy_len_pResults = state->tmp.in.cInterfaceRefs; + memcpy(state->orig.out.pResults, state->tmp.out.pResults, _copy_len_pResults * sizeof(*state->orig.out.pResults)); + } } /* Copy result */ @@ -2732,7 +2744,11 @@ NTSTATUS dcerpc_RemAddRef(struct dcerpc_binding_handle *h, /* Return variables */ *_ORPCthat = *r.out.ORPCthat; if (_pResults && r.out.pResults) { - memcpy(_pResults, r.out.pResults, (r.in.cInterfaceRefs) * sizeof(*_pResults)); + { + size_t _copy_len_pResults; + _copy_len_pResults = r.in.cInterfaceRefs; + memcpy(_pResults, r.out.pResults, _copy_len_pResults * sizeof(*_pResults)); + } } /* Return result */ @@ -4309,10 +4325,18 @@ static void dcerpc_RemQueryInterface2_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.ORPCthat = *state->tmp.out.ORPCthat; if (state->orig.out.phr && state->tmp.out.phr) { - memcpy(state->orig.out.phr, state->tmp.out.phr, (state->tmp.in.cIids) * sizeof(*state->orig.out.phr)); + { + size_t _copy_len_phr; + _copy_len_phr = state->tmp.in.cIids; + memcpy(state->orig.out.phr, state->tmp.out.phr, _copy_len_phr * sizeof(*state->orig.out.phr)); + } } if (state->orig.out.ppMIF && state->tmp.out.ppMIF) { - memcpy(state->orig.out.ppMIF, state->tmp.out.ppMIF, (state->tmp.in.cIids) * sizeof(*state->orig.out.ppMIF)); + { + size_t _copy_len_ppMIF; + _copy_len_ppMIF = state->tmp.in.cIids; + memcpy(state->orig.out.ppMIF, state->tmp.out.ppMIF, _copy_len_ppMIF * sizeof(*state->orig.out.ppMIF)); + } } /* Copy result */ @@ -4375,10 +4399,18 @@ NTSTATUS dcerpc_RemQueryInterface2(struct dcerpc_binding_handle *h, /* Return variables */ *_ORPCthat = *r.out.ORPCthat; if (_phr && r.out.phr) { - memcpy(_phr, r.out.phr, (r.in.cIids) * sizeof(*_phr)); + { + size_t _copy_len_phr; + _copy_len_phr = r.in.cIids; + memcpy(_phr, r.out.phr, _copy_len_phr * sizeof(*_phr)); + } } if (_ppMIF && r.out.ppMIF) { - memcpy(_ppMIF, r.out.ppMIF, (r.in.cIids) * sizeof(*_ppMIF)); + { + size_t _copy_len_ppMIF; + _copy_len_ppMIF = r.in.cIids; + memcpy(_ppMIF, r.out.ppMIF, _copy_len_ppMIF * sizeof(*_ppMIF)); + } } /* Return result */ @@ -5052,7 +5084,11 @@ static void dcerpc_GetIDsOfNames_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.ORPCthat = *state->tmp.out.ORPCthat; if (state->orig.out.rgDispId && state->tmp.out.rgDispId) { - memcpy(state->orig.out.rgDispId, state->tmp.out.rgDispId, (state->tmp.in.cNames) * sizeof(*state->orig.out.rgDispId)); + { + size_t _copy_len_rgDispId; + _copy_len_rgDispId = state->tmp.in.cNames; + memcpy(state->orig.out.rgDispId, state->tmp.out.rgDispId, _copy_len_rgDispId * sizeof(*state->orig.out.rgDispId)); + } } /* Copy result */ @@ -5114,7 +5150,11 @@ NTSTATUS dcerpc_GetIDsOfNames(struct dcerpc_binding_handle *h, /* Return variables */ *_ORPCthat = *r.out.ORPCthat; if (_rgDispId && r.out.rgDispId) { - memcpy(_rgDispId, r.out.rgDispId, (r.in.cNames) * sizeof(*_rgDispId)); + { + size_t _copy_len_rgDispId; + _copy_len_rgDispId = r.in.cNames; + memcpy(_rgDispId, r.out.rgDispId, _copy_len_rgDispId * sizeof(*_rgDispId)); + } } /* Return result */ @@ -6281,11 +6321,15 @@ static void dcerpc_Read_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.ORPCthat = *state->tmp.out.ORPCthat; - if ((*state->tmp.out.num_read) > (state->tmp.in.num_requested)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_pv; + if ((*state->tmp.out.num_read) > (state->tmp.in.num_requested)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_pv = *state->tmp.out.num_read; + memcpy(state->orig.out.pv, state->tmp.out.pv, _copy_len_pv * sizeof(*state->orig.out.pv)); } - memcpy(state->orig.out.pv, state->tmp.out.pv, (*state->tmp.out.num_read) * sizeof(*state->orig.out.pv)); *state->orig.out.num_read = *state->tmp.out.num_read; /* Copy result */ @@ -6345,10 +6389,14 @@ NTSTATUS dcerpc_Read(struct dcerpc_binding_handle *h, /* Return variables */ *_ORPCthat = *r.out.ORPCthat; - if ((*r.out.num_read) > (r.in.num_requested)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_pv; + if ((*r.out.num_read) > (r.in.num_requested)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_pv = *r.out.num_read; + memcpy(_pv, r.out.pv, _copy_len_pv * sizeof(*_pv)); } - memcpy(_pv, r.out.pv, (*r.out.num_read) * sizeof(*_pv)); *_num_read = *r.out.num_read; /* Return result */ diff --git a/source3/librpc/gen_ndr/ndr_echo_c.c b/source3/librpc/gen_ndr/ndr_echo_c.c index 68b950aecb84..4c68b8506ecb 100644 --- a/source3/librpc/gen_ndr/ndr_echo_c.c +++ b/source3/librpc/gen_ndr/ndr_echo_c.c @@ -393,7 +393,11 @@ static void dcerpc_echo_EchoData_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.out_data, state->tmp.out.out_data, (state->tmp.in.len) * sizeof(*state->orig.out.out_data)); + { + size_t _copy_len_out_data; + _copy_len_out_data = state->tmp.in.len; + memcpy(state->orig.out.out_data, state->tmp.out.out_data, _copy_len_out_data * sizeof(*state->orig.out.out_data)); + } /* Reset temporary structure */ ZERO_STRUCT(state->tmp); @@ -439,7 +443,11 @@ NTSTATUS dcerpc_echo_EchoData(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_out_data, r.out.out_data, (r.in.len) * sizeof(*_out_data)); + { + size_t _copy_len_out_data; + _copy_len_out_data = r.in.len; + memcpy(_out_data, r.out.out_data, _copy_len_out_data * sizeof(*_out_data)); + } /* Return result */ @@ -818,7 +826,11 @@ static void dcerpc_echo_SourceData_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.len) * sizeof(*state->orig.out.data)); + { + size_t _copy_len_data; + _copy_len_data = state->tmp.in.len; + memcpy(state->orig.out.data, state->tmp.out.data, _copy_len_data * sizeof(*state->orig.out.data)); + } /* Reset temporary structure */ ZERO_STRUCT(state->tmp); @@ -862,7 +874,11 @@ NTSTATUS dcerpc_echo_SourceData(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_data, r.out.data, (r.in.len) * sizeof(*_data)); + { + size_t _copy_len_data; + _copy_len_data = r.in.len; + memcpy(_data, r.out.data, _copy_len_data * sizeof(*_data)); + } /* Return result */ diff --git a/source3/librpc/gen_ndr/ndr_epmapper_c.c b/source3/librpc/gen_ndr/ndr_epmapper_c.c index 6965ce14c480..8d0de6329f5c 100644 --- a/source3/librpc/gen_ndr/ndr_epmapper_c.c +++ b/source3/librpc/gen_ndr/ndr_epmapper_c.c @@ -632,11 +632,15 @@ static void dcerpc_epm_Lookup_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.entry_handle = *state->tmp.out.entry_handle; *state->orig.out.num_ents = *state->tmp.out.num_ents; - if ((*state->tmp.out.num_ents) > (state->tmp.in.max_ents)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_entries; + if ((*state->tmp.out.num_ents) > (state->tmp.in.max_ents)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_entries = *state->tmp.out.num_ents; + memcpy(state->orig.out.entries, state->tmp.out.entries, _copy_len_entries * sizeof(*state->orig.out.entries)); } - memcpy(state->orig.out.entries, state->tmp.out.entries, (*state->tmp.out.num_ents) * sizeof(*state->orig.out.entries)); /* Copy result */ state->orig.out.result = state->tmp.out.result; @@ -701,10 +705,14 @@ NTSTATUS dcerpc_epm_Lookup(struct dcerpc_binding_handle *h, /* Return variables */ *_entry_handle = *r.out.entry_handle; *_num_ents = *r.out.num_ents; - if ((*r.out.num_ents) > (r.in.max_ents)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_entries; + if ((*r.out.num_ents) > (r.in.max_ents)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_entries = *r.out.num_ents; + memcpy(_entries, r.out.entries, _copy_len_entries * sizeof(*_entries)); } - memcpy(_entries, r.out.entries, (*r.out.num_ents) * sizeof(*_entries)); /* Return result */ *result = r.out.result; @@ -892,11 +900,15 @@ static void dcerpc_epm_Map_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.entry_handle = *state->tmp.out.entry_handle; *state->orig.out.num_towers = *state->tmp.out.num_towers; - if ((*state->tmp.out.num_towers) > (state->tmp.in.max_towers)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_towers; + if ((*state->tmp.out.num_towers) > (state->tmp.in.max_towers)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_towers = *state->tmp.out.num_towers; + memcpy(state->orig.out.towers, state->tmp.out.towers, _copy_len_towers * sizeof(*state->orig.out.towers)); } - memcpy(state->orig.out.towers, state->tmp.out.towers, (*state->tmp.out.num_towers) * sizeof(*state->orig.out.towers)); /* Copy result */ state->orig.out.result = state->tmp.out.result; @@ -957,10 +969,14 @@ NTSTATUS dcerpc_epm_Map(struct dcerpc_binding_handle *h, /* Return variables */ *_entry_handle = *r.out.entry_handle; *_num_towers = *r.out.num_towers; - if ((*r.out.num_towers) > (r.in.max_towers)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_towers; + if ((*r.out.num_towers) > (r.in.max_towers)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_towers = *r.out.num_towers; + memcpy(_towers, r.out.towers, _copy_len_towers * sizeof(*_towers)); } - memcpy(_towers, r.out.towers, (*r.out.num_towers) * sizeof(*_towers)); /* Return result */ *result = r.out.result; diff --git a/source3/librpc/gen_ndr/ndr_eventlog_c.c b/source3/librpc/gen_ndr/ndr_eventlog_c.c index df6846a41a7f..19a2ce837222 100644 --- a/source3/librpc/gen_ndr/ndr_eventlog_c.c +++ b/source3/librpc/gen_ndr/ndr_eventlog_c.c @@ -2306,7 +2306,11 @@ static void dcerpc_eventlog_ReadEventLogW_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.number_of_bytes) * sizeof(*state->orig.out.data)); + { + size_t _copy_len_data; + _copy_len_data = state->tmp.in.number_of_bytes; + memcpy(state->orig.out.data, state->tmp.out.data, _copy_len_data * sizeof(*state->orig.out.data)); + } *state->orig.out.sent_size = *state->tmp.out.sent_size; *state->orig.out.real_size = *state->tmp.out.real_size; @@ -2368,7 +2372,11 @@ NTSTATUS dcerpc_eventlog_ReadEventLogW(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_data, r.out.data, (r.in.number_of_bytes) * sizeof(*_data)); + { + size_t _copy_len_data; + _copy_len_data = r.in.number_of_bytes; + memcpy(_data, r.out.data, _copy_len_data * sizeof(*_data)); + } *_sent_size = *r.out.sent_size; *_real_size = *r.out.real_size; @@ -2851,7 +2859,11 @@ static void dcerpc_eventlog_GetLogInformation_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (state->tmp.in.buf_size) * sizeof(*state->orig.out.buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = state->tmp.in.buf_size; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); + } *state->orig.out.bytes_needed = *state->tmp.out.bytes_needed; /* Copy result */ @@ -2909,7 +2921,11 @@ NTSTATUS dcerpc_eventlog_GetLogInformation(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_buffer, r.out.buffer, (r.in.buf_size) * sizeof(*_buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = r.in.buf_size; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); + } *_bytes_needed = *r.out.bytes_needed; /* Return result */ diff --git a/source3/librpc/gen_ndr/ndr_frstrans_c.c b/source3/librpc/gen_ndr/ndr_frstrans_c.c index f78100eae690..8d0fc17b7227 100644 --- a/source3/librpc/gen_ndr/ndr_frstrans_c.c +++ b/source3/librpc/gen_ndr/ndr_frstrans_c.c @@ -879,11 +879,15 @@ static void dcerpc_frstrans_RequestUpdates_done(struct tevent_req *subreq) } /* Copy out parameters */ - if ((*state->tmp.out.update_count) > (state->tmp.in.credits_available)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_frs_update; + if ((*state->tmp.out.update_count) > (state->tmp.in.credits_available)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_frs_update = *state->tmp.out.update_count; + memcpy(state->orig.out.frs_update, state->tmp.out.frs_update, _copy_len_frs_update * sizeof(*state->orig.out.frs_update)); } - memcpy(state->orig.out.frs_update, state->tmp.out.frs_update, (*state->tmp.out.update_count) * sizeof(*state->orig.out.frs_update)); *state->orig.out.update_count = *state->tmp.out.update_count; *state->orig.out.update_status = *state->tmp.out.update_status; *state->orig.out.gvsn_db_guid = *state->tmp.out.gvsn_db_guid; @@ -955,10 +959,14 @@ NTSTATUS dcerpc_frstrans_RequestUpdates(struct dcerpc_binding_handle *h, } /* Return variables */ - if ((*r.out.update_count) > (r.in.credits_available)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_frs_update; + if ((*r.out.update_count) > (r.in.credits_available)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_frs_update = *r.out.update_count; + memcpy(_frs_update, r.out.frs_update, _copy_len_frs_update * sizeof(*_frs_update)); } - memcpy(_frs_update, r.out.frs_update, (*r.out.update_count) * sizeof(*_frs_update)); *_update_count = *r.out.update_count; *_update_status = *r.out.update_status; *_gvsn_db_guid = *r.out.gvsn_db_guid; @@ -1624,11 +1632,15 @@ static void dcerpc_frstrans_InitializeFileTransferAsync_done(struct tevent_req * *state->orig.out.staging_policy = *state->tmp.out.staging_policy; *state->orig.out.server_context = *state->tmp.out.server_context; *state->orig.out.rdc_file_info = *state->tmp.out.rdc_file_info; - if ((*state->tmp.out.size_read) > (state->tmp.in.buffer_size)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_data_buffer; + if ((*state->tmp.out.size_read) > (state->tmp.in.buffer_size)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_data_buffer = *state->tmp.out.size_read; + memcpy(state->orig.out.data_buffer, state->tmp.out.data_buffer, _copy_len_data_buffer * sizeof(*state->orig.out.data_buffer)); } - memcpy(state->orig.out.data_buffer, state->tmp.out.data_buffer, (*state->tmp.out.size_read) * sizeof(*state->orig.out.data_buffer)); *state->orig.out.size_read = *state->tmp.out.size_read; *state->orig.out.is_end_of_file = *state->tmp.out.is_end_of_file; @@ -1698,10 +1710,14 @@ NTSTATUS dcerpc_frstrans_InitializeFileTransferAsync(struct dcerpc_binding_handl *_staging_policy = *r.out.staging_policy; *_server_context = *r.out.server_context; *_rdc_file_info = *r.out.rdc_file_info; - if ((*r.out.size_read) > (r.in.buffer_size)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_data_buffer; + if ((*r.out.size_read) > (r.in.buffer_size)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_data_buffer = *r.out.size_read; + memcpy(_data_buffer, r.out.data_buffer, _copy_len_data_buffer * sizeof(*_data_buffer)); } - memcpy(_data_buffer, r.out.data_buffer, (*r.out.size_read) * sizeof(*_data_buffer)); *_size_read = *r.out.size_read; *_is_end_of_file = *r.out.is_end_of_file; diff --git a/source3/librpc/gen_ndr/ndr_mgmt_c.c b/source3/librpc/gen_ndr/ndr_mgmt_c.c index c66e611ba83c..d6784d2c0fe6 100644 --- a/source3/librpc/gen_ndr/ndr_mgmt_c.c +++ b/source3/librpc/gen_ndr/ndr_mgmt_c.c @@ -1072,7 +1072,15 @@ static void dcerpc_mgmt_inq_princ_name_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(discard_const_p(uint8_t *, state->orig.out.princ_name), state->tmp.out.princ_name, (state->tmp.in.princ_name_size) * sizeof(*state->orig.out.princ_name)); + { + size_t _copy_len_princ_name; + _copy_len_princ_name = ndr_charset_length(state->tmp.out.princ_name, CH_UNIX); + if (_copy_len_princ_name > state->tmp.in.princ_name_size) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(discard_const_p(uint8_t *, state->orig.out.princ_name), state->tmp.out.princ_name, _copy_len_princ_name * sizeof(*state->orig.out.princ_name)); + } /* Copy result */ state->orig.out.result = state->tmp.out.result; @@ -1126,7 +1134,14 @@ NTSTATUS dcerpc_mgmt_inq_princ_name(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(discard_const_p(uint8_t *, _princ_name), r.out.princ_name, (r.in.princ_name_size) * sizeof(*_princ_name)); + { + size_t _copy_len_princ_name; + _copy_len_princ_name = ndr_charset_length(r.out.princ_name, CH_UNIX); + if (_copy_len_princ_name > r.in.princ_name_size) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(discard_const_p(uint8_t *, _princ_name), r.out.princ_name, _copy_len_princ_name * sizeof(*_princ_name)); + } /* Return result */ *result = r.out.result; diff --git a/source3/librpc/gen_ndr/ndr_ntsvcs_c.c b/source3/librpc/gen_ndr/ndr_ntsvcs_c.c index c4c58267f597..58823b392906 100644 --- a/source3/librpc/gen_ndr/ndr_ntsvcs_c.c +++ b/source3/librpc/gen_ndr/ndr_ntsvcs_c.c @@ -625,11 +625,15 @@ static void dcerpc_PNP_GetDeviceList_done(struct tevent_req *subreq) } /* Copy out parameters */ - if ((*state->tmp.out.length) > (*state->tmp.in.length)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_buffer; + if ((*state->tmp.out.length) > (*state->tmp.in.length)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_buffer = *state->tmp.out.length; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); } - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.length) * sizeof(*state->orig.out.buffer)); *state->orig.out.length = *state->tmp.out.length; /* Copy result */ @@ -686,10 +690,14 @@ NTSTATUS dcerpc_PNP_GetDeviceList(struct dcerpc_binding_handle *h, } /* Return variables */ - if ((*r.out.length) > (*r.in.length)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_buffer; + if ((*r.out.length) > (*r.in.length)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_buffer = *r.out.length; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); } - memcpy(_buffer, r.out.buffer, (*r.out.length) * sizeof(*_buffer)); *_length = *r.out.length; /* Return result */ @@ -1114,11 +1122,15 @@ static void dcerpc_PNP_GetDeviceRegProp_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.reg_data_type = *state->tmp.out.reg_data_type; - if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_buffer; + if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_buffer = *state->tmp.out.buffer_size; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); } - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer)); *state->orig.out.buffer_size = *state->tmp.out.buffer_size; *state->orig.out.needed = *state->tmp.out.needed; @@ -1183,10 +1195,14 @@ NTSTATUS dcerpc_PNP_GetDeviceRegProp(struct dcerpc_binding_handle *h, /* Return variables */ *_reg_data_type = *r.out.reg_data_type; - if ((*r.out.buffer_size) > (*r.in.buffer_size)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_buffer; + if ((*r.out.buffer_size) > (*r.in.buffer_size)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_buffer = *r.out.buffer_size; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); } - memcpy(_buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*_buffer)); *_buffer_size = *r.out.buffer_size; *_needed = *r.out.needed; diff --git a/source3/librpc/gen_ndr/ndr_remact_c.c b/source3/librpc/gen_ndr/ndr_remact_c.c index dc2c719d8542..ecafc23b9213 100644 --- a/source3/librpc/gen_ndr/ndr_remact_c.c +++ b/source3/librpc/gen_ndr/ndr_remact_c.c @@ -218,8 +218,16 @@ static void dcerpc_RemoteActivation_done(struct tevent_req *subreq) *state->orig.out.AuthnHint = *state->tmp.out.AuthnHint; *state->orig.out.ServerVersion = *state->tmp.out.ServerVersion; *state->orig.out.hr = *state->tmp.out.hr; - memcpy(state->orig.out.ifaces, state->tmp.out.ifaces, (state->tmp.in.Interfaces) * sizeof(*state->orig.out.ifaces)); - memcpy(state->orig.out.results, state->tmp.out.results, (state->tmp.in.Interfaces) * sizeof(*state->orig.out.results)); + { + size_t _copy_len_ifaces; + _copy_len_ifaces = state->tmp.in.Interfaces; + memcpy(state->orig.out.ifaces, state->tmp.out.ifaces, _copy_len_ifaces * sizeof(*state->orig.out.ifaces)); + } + { + size_t _copy_len_results; + _copy_len_results = state->tmp.in.Interfaces; + memcpy(state->orig.out.results, state->tmp.out.results, _copy_len_results * sizeof(*state->orig.out.results)); + } /* Copy result */ state->orig.out.result = state->tmp.out.result; @@ -304,8 +312,16 @@ NTSTATUS dcerpc_RemoteActivation(struct dcerpc_binding_handle *h, *_AuthnHint = *r.out.AuthnHint; *_ServerVersion = *r.out.ServerVersion; *_hr = *r.out.hr; - memcpy(_ifaces, r.out.ifaces, (r.in.Interfaces) * sizeof(*_ifaces)); - memcpy(_results, r.out.results, (r.in.Interfaces) * sizeof(*_results)); + { + size_t _copy_len_ifaces; + _copy_len_ifaces = r.in.Interfaces; + memcpy(_ifaces, r.out.ifaces, _copy_len_ifaces * sizeof(*_ifaces)); + } + { + size_t _copy_len_results; + _copy_len_results = r.in.Interfaces; + memcpy(_results, r.out.results, _copy_len_results * sizeof(*_results)); + } /* Return result */ *result = r.out.result; diff --git a/source3/librpc/gen_ndr/ndr_spoolss_c.c b/source3/librpc/gen_ndr/ndr_spoolss_c.c index 8510802c445a..d36fe9f1b839 100644 --- a/source3/librpc/gen_ndr/ndr_spoolss_c.c +++ b/source3/librpc/gen_ndr/ndr_spoolss_c.c @@ -5405,7 +5405,11 @@ static void dcerpc_spoolss_ReadPrinter_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.data_size) * sizeof(*state->orig.out.data)); + { + size_t _copy_len_data; + _copy_len_data = state->tmp.in.data_size; + memcpy(state->orig.out.data, state->tmp.out.data, _copy_len_data * sizeof(*state->orig.out.data)); + } *state->orig.out._data_size = *state->tmp.out._data_size; /* Copy result */ @@ -5461,7 +5465,11 @@ NTSTATUS dcerpc_spoolss_ReadPrinter(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_data, r.out.data, (r.in.data_size) * sizeof(*_data)); + { + size_t _copy_len_data; + _copy_len_data = r.in.data_size; + memcpy(_data, r.out.data, _copy_len_data * sizeof(*_data)); + } *__data_size = *r.out._data_size; /* Return result */ @@ -5861,7 +5869,11 @@ static void dcerpc_spoolss_AddJob_done(struct tevent_req *subreq) /* Copy out parameters */ if (state->orig.out.buffer && state->tmp.out.buffer) { - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (state->tmp.in.offered) * sizeof(*state->orig.out.buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = state->tmp.in.offered; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); + } } *state->orig.out.needed = *state->tmp.out.needed; @@ -5922,7 +5934,11 @@ NTSTATUS dcerpc_spoolss_AddJob(struct dcerpc_binding_handle *h, /* Return variables */ if (_buffer && r.out.buffer) { - memcpy(_buffer, r.out.buffer, (r.in.offered) * sizeof(*_buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = r.in.offered; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); + } } *_needed = *r.out.needed; @@ -6328,7 +6344,11 @@ static void dcerpc_spoolss_GetPrinterData_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.type = *state->tmp.out.type; - memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.offered) * sizeof(*state->orig.out.data)); + { + size_t _copy_len_data; + _copy_len_data = state->tmp.in.offered; + memcpy(state->orig.out.data, state->tmp.out.data, _copy_len_data * sizeof(*state->orig.out.data)); + } *state->orig.out.needed = *state->tmp.out.needed; /* Copy result */ @@ -6388,7 +6408,11 @@ NTSTATUS dcerpc_spoolss_GetPrinterData(struct dcerpc_binding_handle *h, /* Return variables */ *_type = *r.out.type; - memcpy(_data, r.out.data, (r.in.offered) * sizeof(*_data)); + { + size_t _copy_len_data; + _copy_len_data = r.in.offered; + memcpy(_data, r.out.data, _copy_len_data * sizeof(*_data)); + } *_needed = *r.out.needed; /* Return result */ @@ -12263,10 +12287,22 @@ static void dcerpc_spoolss_EnumPrinterData_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(discard_const_p(uint8_t *, state->orig.out.value_name), state->tmp.out.value_name, (state->tmp.in.value_offered / 2) * sizeof(*state->orig.out.value_name)); + { + size_t _copy_len_value_name; + _copy_len_value_name = ndr_charset_length(state->tmp.out.value_name, CH_UNIX); + if (_copy_len_value_name > state->tmp.in.value_offered / 2) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(discard_const_p(uint8_t *, state->orig.out.value_name), state->tmp.out.value_name, _copy_len_value_name * sizeof(*state->orig.out.value_name)); + } *state->orig.out.value_needed = *state->tmp.out.value_needed; *state->orig.out.type = *state->tmp.out.type; - memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.data_offered) * sizeof(*state->orig.out.data)); + { + size_t _copy_len_data; + _copy_len_data = state->tmp.in.data_offered; + memcpy(state->orig.out.data, state->tmp.out.data, _copy_len_data * sizeof(*state->orig.out.data)); + } *state->orig.out.data_needed = *state->tmp.out.data_needed; /* Copy result */ @@ -12329,10 +12365,21 @@ NTSTATUS dcerpc_spoolss_EnumPrinterData(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(discard_const_p(uint8_t *, _value_name), r.out.value_name, (r.in.value_offered / 2) * sizeof(*_value_name)); + { + size_t _copy_len_value_name; + _copy_len_value_name = ndr_charset_length(r.out.value_name, CH_UNIX); + if (_copy_len_value_name > r.in.value_offered / 2) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(discard_const_p(uint8_t *, _value_name), r.out.value_name, _copy_len_value_name * sizeof(*_value_name)); + } *_value_needed = *r.out.value_needed; *_type = *r.out.type; - memcpy(_data, r.out.data, (r.in.data_offered) * sizeof(*_data)); + { + size_t _copy_len_data; + _copy_len_data = r.in.data_offered; + memcpy(_data, r.out.data, _copy_len_data * sizeof(*_data)); + } *_data_needed = *r.out.data_needed; /* Return result */ @@ -12973,7 +13020,11 @@ static void dcerpc_spoolss_GetPrinterDataEx_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.type = *state->tmp.out.type; - memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.offered) * sizeof(*state->orig.out.data)); + { + size_t _copy_len_data; + _copy_len_data = state->tmp.in.offered; + memcpy(state->orig.out.data, state->tmp.out.data, _copy_len_data * sizeof(*state->orig.out.data)); + } *state->orig.out.needed = *state->tmp.out.needed; /* Copy result */ @@ -13035,7 +13086,11 @@ NTSTATUS dcerpc_spoolss_GetPrinterDataEx(struct dcerpc_binding_handle *h, /* Return variables */ *_type = *r.out.type; - memcpy(_data, r.out.data, (r.in.offered) * sizeof(*_data)); + { + size_t _copy_len_data; + _copy_len_data = r.in.offered; + memcpy(_data, r.out.data, _copy_len_data * sizeof(*_data)); + } *_needed = *r.out.needed; /* Return result */ @@ -14390,7 +14445,11 @@ static void dcerpc_spoolss_XcvData_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.out_data, state->tmp.out.out_data, (state->tmp.in.out_data_size) * sizeof(*state->orig.out.out_data)); + { + size_t _copy_len_out_data; + _copy_len_out_data = state->tmp.in.out_data_size; + memcpy(state->orig.out.out_data, state->tmp.out.out_data, _copy_len_out_data * sizeof(*state->orig.out.out_data)); + } *state->orig.out.needed = *state->tmp.out.needed; *state->orig.out.status_code = *state->tmp.out.status_code; @@ -14455,7 +14514,11 @@ NTSTATUS dcerpc_spoolss_XcvData(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_out_data, r.out.out_data, (r.in.out_data_size) * sizeof(*_out_data)); + { + size_t _copy_len_out_data; + _copy_len_out_data = r.in.out_data_size; + memcpy(_out_data, r.out.out_data, _copy_len_out_data * sizeof(*_out_data)); + } *_needed = *r.out.needed; *_status_code = *r.out.status_code; @@ -14864,7 +14927,11 @@ static void dcerpc_spoolss_GetCorePrinterDrivers_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.core_printer_drivers, state->tmp.out.core_printer_drivers, (state->tmp.in.core_printer_driver_count) * sizeof(*state->orig.out.core_printer_drivers)); + { + size_t _copy_len_core_printer_drivers; + _copy_len_core_printer_drivers = state->tmp.in.core_printer_driver_count; + memcpy(state->orig.out.core_printer_drivers, state->tmp.out.core_printer_drivers, _copy_len_core_printer_drivers * sizeof(*state->orig.out.core_printer_drivers)); + } /* Copy result */ state->orig.out.result = state->tmp.out.result; @@ -14924,7 +14991,11 @@ NTSTATUS dcerpc_spoolss_GetCorePrinterDrivers(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_core_printer_drivers, r.out.core_printer_drivers, (r.in.core_printer_driver_count) * sizeof(*_core_printer_drivers)); + { + size_t _copy_len_core_printer_drivers; + _copy_len_core_printer_drivers = r.in.core_printer_driver_count; + memcpy(_core_printer_drivers, r.out.core_printer_drivers, _copy_len_core_printer_drivers * sizeof(*_core_printer_drivers)); + } /* Return result */ *result = r.out.result; @@ -15113,7 +15184,15 @@ static void dcerpc_spoolss_GetPrinterDriverPackagePath_done(struct tevent_req *s /* Copy out parameters */ if (state->orig.out.driver_package_cab && state->tmp.out.driver_package_cab) { - memcpy(discard_const_p(uint8_t *, state->orig.out.driver_package_cab), state->tmp.out.driver_package_cab, (state->tmp.in.driver_package_cab_size) * sizeof(*state->orig.out.driver_package_cab)); + { + size_t _copy_len_driver_package_cab; + _copy_len_driver_package_cab = ndr_charset_length(state->tmp.out.driver_package_cab, CH_UNIX); + if (_copy_len_driver_package_cab > ndr_charset_length(state->tmp.in.driver_package_cab, CH_UNIX)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + memcpy(discard_const_p(uint8_t *, state->orig.out.driver_package_cab), state->tmp.out.driver_package_cab, _copy_len_driver_package_cab * sizeof(*state->orig.out.driver_package_cab)); + } } *state->orig.out.required = *state->tmp.out.required; @@ -15178,7 +15257,14 @@ NTSTATUS dcerpc_spoolss_GetPrinterDriverPackagePath(struct dcerpc_binding_handle /* Return variables */ if (_driver_package_cab && r.out.driver_package_cab) { - memcpy(discard_const_p(uint8_t *, _driver_package_cab), r.out.driver_package_cab, (r.in.driver_package_cab_size) * sizeof(*_driver_package_cab)); + { + size_t _copy_len_driver_package_cab; + _copy_len_driver_package_cab = ndr_charset_length(r.out.driver_package_cab, CH_UNIX); + if (_copy_len_driver_package_cab > ndr_charset_length(r.in.driver_package_cab, CH_UNIX)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + memcpy(discard_const_p(uint8_t *, _driver_package_cab), r.out.driver_package_cab, _copy_len_driver_package_cab * sizeof(*_driver_package_cab)); + } } *_required = *r.out.required; diff --git a/source3/librpc/gen_ndr/ndr_srvsvc_c.c b/source3/librpc/gen_ndr/ndr_srvsvc_c.c index ab98165586ef..1180f890071f 100644 --- a/source3/librpc/gen_ndr/ndr_srvsvc_c.c +++ b/source3/librpc/gen_ndr/ndr_srvsvc_c.c @@ -7545,7 +7545,11 @@ static void dcerpc_srvsvc_NetPathCanonicalize_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.can_path, state->tmp.out.can_path, (state->tmp.in.maxbuf) * sizeof(*state->orig.out.can_path)); + { + size_t _copy_len_can_path; + _copy_len_can_path = state->tmp.in.maxbuf; + memcpy(state->orig.out.can_path, state->tmp.out.can_path, _copy_len_can_path * sizeof(*state->orig.out.can_path)); + } *state->orig.out.pathtype = *state->tmp.out.pathtype; /* Copy result */ @@ -7608,7 +7612,11 @@ NTSTATUS dcerpc_srvsvc_NetPathCanonicalize(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_can_path, r.out.can_path, (r.in.maxbuf) * sizeof(*_can_path)); + { + size_t _copy_len_can_path; + _copy_len_can_path = r.in.maxbuf; + memcpy(_can_path, r.out.can_path, _copy_len_can_path * sizeof(*_can_path)); + } *_pathtype = *r.out.pathtype; /* Return result */ diff --git a/source3/librpc/gen_ndr/ndr_svcctl_c.c b/source3/librpc/gen_ndr/ndr_svcctl_c.c index 3ec9351e0904..ec10a05df08a 100644 --- a/source3/librpc/gen_ndr/ndr_svcctl_c.c +++ b/source3/librpc/gen_ndr/ndr_svcctl_c.c @@ -1086,7 +1086,11 @@ static void dcerpc_svcctl_QueryServiceObjectSecurity_done(struct tevent_req *sub } /* Copy out parameters */ - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (state->tmp.in.offered) * sizeof(*state->orig.out.buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = state->tmp.in.offered; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); + } *state->orig.out.needed = *state->tmp.out.needed; /* Copy result */ @@ -1144,7 +1148,11 @@ NTSTATUS dcerpc_svcctl_QueryServiceObjectSecurity(struct dcerpc_binding_handle * } /* Return variables */ - memcpy(_buffer, r.out.buffer, (r.in.offered) * sizeof(*_buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = r.in.offered; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); + } *_needed = *r.out.needed; /* Return result */ @@ -2795,7 +2803,11 @@ static void dcerpc_svcctl_EnumDependentServicesW_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.service_status, state->tmp.out.service_status, (state->tmp.in.offered) * sizeof(*state->orig.out.service_status)); + { + size_t _copy_len_service_status; + _copy_len_service_status = state->tmp.in.offered; + memcpy(state->orig.out.service_status, state->tmp.out.service_status, _copy_len_service_status * sizeof(*state->orig.out.service_status)); + } *state->orig.out.needed = *state->tmp.out.needed; *state->orig.out.services_returned = *state->tmp.out.services_returned; @@ -2855,7 +2867,11 @@ NTSTATUS dcerpc_svcctl_EnumDependentServicesW(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_service_status, r.out.service_status, (r.in.offered) * sizeof(*_service_status)); + { + size_t _copy_len_service_status; + _copy_len_service_status = r.in.offered; + memcpy(_service_status, r.out.service_status, _copy_len_service_status * sizeof(*_service_status)); + } *_needed = *r.out.needed; *_services_returned = *r.out.services_returned; @@ -3047,7 +3063,11 @@ static void dcerpc_svcctl_EnumServicesStatusW_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.service, state->tmp.out.service, (state->tmp.in.offered) * sizeof(*state->orig.out.service)); + { + size_t _copy_len_service; + _copy_len_service = state->tmp.in.offered; + memcpy(state->orig.out.service, state->tmp.out.service, _copy_len_service * sizeof(*state->orig.out.service)); + } *state->orig.out.needed = *state->tmp.out.needed; *state->orig.out.services_returned = *state->tmp.out.services_returned; if (state->orig.out.resume_handle && state->tmp.out.resume_handle) { @@ -3114,7 +3134,11 @@ NTSTATUS dcerpc_svcctl_EnumServicesStatusW(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_service, r.out.service, (r.in.offered) * sizeof(*_service)); + { + size_t _copy_len_service; + _copy_len_service = r.in.offered; + memcpy(_service, r.out.service, _copy_len_service * sizeof(*_service)); + } *_needed = *r.out.needed; *_services_returned = *r.out.services_returned; if (_resume_handle && r.out.resume_handle) { @@ -5988,7 +6012,11 @@ static void dcerpc_svcctl_EnumServicesStatusA_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.service, state->tmp.out.service, (state->tmp.in.offered) * sizeof(*state->orig.out.service)); + { + size_t _copy_len_service; + _copy_len_service = state->tmp.in.offered; + memcpy(state->orig.out.service, state->tmp.out.service, _copy_len_service * sizeof(*state->orig.out.service)); + } *state->orig.out.needed = *state->tmp.out.needed; *state->orig.out.services_returned = *state->tmp.out.services_returned; if (state->orig.out.resume_handle && state->tmp.out.resume_handle) { @@ -6055,7 +6083,11 @@ NTSTATUS dcerpc_svcctl_EnumServicesStatusA(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_service, r.out.service, (r.in.offered) * sizeof(*_service)); + { + size_t _copy_len_service; + _copy_len_service = r.in.offered; + memcpy(_service, r.out.service, _copy_len_service * sizeof(*_service)); + } *_needed = *r.out.needed; *_services_returned = *r.out.services_returned; if (_resume_handle && r.out.resume_handle) { @@ -6700,7 +6732,11 @@ static void dcerpc_svcctl_QueryServiceConfigA_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.query, state->tmp.out.query, (state->tmp.in.offered) * sizeof(*state->orig.out.query)); + { + size_t _copy_len_query; + _copy_len_query = state->tmp.in.offered; + memcpy(state->orig.out.query, state->tmp.out.query, _copy_len_query * sizeof(*state->orig.out.query)); + } *state->orig.out.needed = *state->tmp.out.needed; /* Copy result */ @@ -6756,7 +6792,11 @@ NTSTATUS dcerpc_svcctl_QueryServiceConfigA(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_query, r.out.query, (r.in.offered) * sizeof(*_query)); + { + size_t _copy_len_query; + _copy_len_query = r.in.offered; + memcpy(_query, r.out.query, _copy_len_query * sizeof(*_query)); + } *_needed = *r.out.needed; /* Return result */ @@ -8332,7 +8372,11 @@ static void dcerpc_svcctl_QueryServiceConfig2A_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (state->tmp.in.offered) * sizeof(*state->orig.out.buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = state->tmp.in.offered; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); + } *state->orig.out.needed = *state->tmp.out.needed; /* Copy result */ @@ -8390,7 +8434,11 @@ NTSTATUS dcerpc_svcctl_QueryServiceConfig2A(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_buffer, r.out.buffer, (r.in.offered) * sizeof(*_buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = r.in.offered; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); + } *_needed = *r.out.needed; /* Return result */ @@ -8574,7 +8622,11 @@ static void dcerpc_svcctl_QueryServiceConfig2W_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (state->tmp.in.offered) * sizeof(*state->orig.out.buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = state->tmp.in.offered; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); + } *state->orig.out.needed = *state->tmp.out.needed; /* Copy result */ @@ -8632,7 +8684,11 @@ NTSTATUS dcerpc_svcctl_QueryServiceConfig2W(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_buffer, r.out.buffer, (r.in.offered) * sizeof(*_buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = r.in.offered; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); + } *_needed = *r.out.needed; /* Return result */ @@ -8816,7 +8872,11 @@ static void dcerpc_svcctl_QueryServiceStatusEx_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (state->tmp.in.offered) * sizeof(*state->orig.out.buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = state->tmp.in.offered; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); + } *state->orig.out.needed = *state->tmp.out.needed; /* Copy result */ @@ -8874,7 +8934,11 @@ NTSTATUS dcerpc_svcctl_QueryServiceStatusEx(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_buffer, r.out.buffer, (r.in.offered) * sizeof(*_buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = r.in.offered; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); + } *_needed = *r.out.needed; /* Return result */ @@ -9069,7 +9133,11 @@ static void dcerpc_EnumServicesStatusExA_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.services, state->tmp.out.services, (state->tmp.in.offered) * sizeof(*state->orig.out.services)); + { + size_t _copy_len_services; + _copy_len_services = state->tmp.in.offered; + memcpy(state->orig.out.services, state->tmp.out.services, _copy_len_services * sizeof(*state->orig.out.services)); + } *state->orig.out.needed = *state->tmp.out.needed; *state->orig.out.service_returned = *state->tmp.out.service_returned; if (state->orig.out.resume_handle && state->tmp.out.resume_handle) { @@ -9140,7 +9208,11 @@ NTSTATUS dcerpc_EnumServicesStatusExA(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_services, r.out.services, (r.in.offered) * sizeof(*_services)); + { + size_t _copy_len_services; + _copy_len_services = r.in.offered; + memcpy(_services, r.out.services, _copy_len_services * sizeof(*_services)); + } *_needed = *r.out.needed; *_service_returned = *r.out.service_returned; if (_resume_handle && r.out.resume_handle) { @@ -9340,7 +9412,11 @@ static void dcerpc_EnumServicesStatusExW_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.services, state->tmp.out.services, (state->tmp.in.offered) * sizeof(*state->orig.out.services)); + { + size_t _copy_len_services; + _copy_len_services = state->tmp.in.offered; + memcpy(state->orig.out.services, state->tmp.out.services, _copy_len_services * sizeof(*state->orig.out.services)); + } *state->orig.out.needed = *state->tmp.out.needed; *state->orig.out.service_returned = *state->tmp.out.service_returned; if (state->orig.out.resume_handle && state->tmp.out.resume_handle) { @@ -9411,7 +9487,11 @@ NTSTATUS dcerpc_EnumServicesStatusExW(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_services, r.out.services, (r.in.offered) * sizeof(*_services)); + { + size_t _copy_len_services; + _copy_len_services = r.in.offered; + memcpy(_services, r.out.services, _copy_len_services * sizeof(*_services)); + } *_needed = *r.out.needed; *_service_returned = *r.out.service_returned; if (_resume_handle && r.out.resume_handle) { diff --git a/source3/librpc/gen_ndr/ndr_unixinfo_c.c b/source3/librpc/gen_ndr/ndr_unixinfo_c.c index 2bdfc43a2a7e..b225d306a273 100644 --- a/source3/librpc/gen_ndr/ndr_unixinfo_c.c +++ b/source3/librpc/gen_ndr/ndr_unixinfo_c.c @@ -1117,11 +1117,15 @@ static void dcerpc_unixinfo_GetPWUid_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.count = *state->tmp.out.count; - if ((*state->tmp.out.count) > (*state->tmp.in.count)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_infos; + if ((*state->tmp.out.count) > (*state->tmp.in.count)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_infos = *state->tmp.out.count; + memcpy(state->orig.out.infos, state->tmp.out.infos, _copy_len_infos * sizeof(*state->orig.out.infos)); } - memcpy(state->orig.out.infos, state->tmp.out.infos, (*state->tmp.out.count) * sizeof(*state->orig.out.infos)); /* Copy result */ state->orig.out.result = state->tmp.out.result; @@ -1176,10 +1180,14 @@ NTSTATUS dcerpc_unixinfo_GetPWUid(struct dcerpc_binding_handle *h, /* Return variables */ *_count = *r.out.count; - if ((*r.out.count) > (*r.in.count)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_infos; + if ((*r.out.count) > (*r.in.count)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_infos = *r.out.count; + memcpy(_infos, r.out.infos, _copy_len_infos * sizeof(*_infos)); } - memcpy(_infos, r.out.infos, (*r.out.count) * sizeof(*_infos)); /* Return result */ *result = r.out.result; diff --git a/source3/librpc/gen_ndr/ndr_winreg_c.c b/source3/librpc/gen_ndr/ndr_winreg_c.c index 5877a44c1797..037d121170e9 100644 --- a/source3/librpc/gen_ndr/ndr_winreg_c.c +++ b/source3/librpc/gen_ndr/ndr_winreg_c.c @@ -2542,15 +2542,19 @@ static void dcerpc_winreg_EnumValue_done(struct tevent_req *subreq) *state->orig.out.type = *state->tmp.out.type; } if (state->orig.out.value && state->tmp.out.value) { - if ((state->tmp.out.size?*state->tmp.out.size:0) > (state->tmp.in.size?*state->tmp.in.size:0)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_value; + if ((state->tmp.out.size?*state->tmp.out.size:0) > (state->tmp.in.size?*state->tmp.in.size:0)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + if ((state->tmp.out.length?*state->tmp.out.length:0) > (state->tmp.out.size?*state->tmp.out.size:0)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_value = state->tmp.out.length?*state->tmp.out.length:0; + memcpy(state->orig.out.value, state->tmp.out.value, _copy_len_value * sizeof(*state->orig.out.value)); } - if ((state->tmp.out.length?*state->tmp.out.length:0) > (state->tmp.out.size?*state->tmp.out.size:0)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } - memcpy(state->orig.out.value, state->tmp.out.value, (state->tmp.out.length?*state->tmp.out.length:0) * sizeof(*state->orig.out.value)); } if (state->orig.out.size && state->tmp.out.size) { *state->orig.out.size = *state->tmp.out.size; @@ -2625,13 +2629,17 @@ NTSTATUS dcerpc_winreg_EnumValue(struct dcerpc_binding_handle *h, *_type = *r.out.type; } if (_value && r.out.value) { - if ((r.out.size?*r.out.size:0) > (r.in.size?*r.in.size:0)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; - } - if ((r.out.length?*r.out.length:0) > (r.out.size?*r.out.size:0)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_value; + if ((r.out.size?*r.out.size:0) > (r.in.size?*r.in.size:0)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + if ((r.out.length?*r.out.length:0) > (r.out.size?*r.out.size:0)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_value = r.out.length?*r.out.length:0; + memcpy(_value, r.out.value, _copy_len_value * sizeof(*_value)); } - memcpy(_value, r.out.value, (r.out.length?*r.out.length:0) * sizeof(*_value)); } if (_size && r.out.size) { *_size = *r.out.size; @@ -4252,15 +4260,19 @@ static void dcerpc_winreg_QueryValue_done(struct tevent_req *subreq) *state->orig.out.type = *state->tmp.out.type; } if (state->orig.out.data && state->tmp.out.data) { - if ((state->tmp.out.data_size?*state->tmp.out.data_size:0) > (state->tmp.in.data_size?*state->tmp.in.data_size:0)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } - if ((state->tmp.out.data_length?*state->tmp.out.data_length:0) > (state->tmp.out.data_size?*state->tmp.out.data_size:0)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_data; + if ((state->tmp.out.data_size?*state->tmp.out.data_size:0) > (state->tmp.in.data_size?*state->tmp.in.data_size:0)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + if ((state->tmp.out.data_length?*state->tmp.out.data_length:0) > (state->tmp.out.data_size?*state->tmp.out.data_size:0)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_data = state->tmp.out.data_length?*state->tmp.out.data_length:0; + memcpy(state->orig.out.data, state->tmp.out.data, _copy_len_data * sizeof(*state->orig.out.data)); } - memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.out.data_length?*state->tmp.out.data_length:0) * sizeof(*state->orig.out.data)); } if (state->orig.out.data_size && state->tmp.out.data_size) { *state->orig.out.data_size = *state->tmp.out.data_size; @@ -4332,13 +4344,17 @@ NTSTATUS dcerpc_winreg_QueryValue(struct dcerpc_binding_handle *h, *_type = *r.out.type; } if (_data && r.out.data) { - if ((r.out.data_size?*r.out.data_size:0) > (r.in.data_size?*r.in.data_size:0)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_data; + if ((r.out.data_size?*r.out.data_size:0) > (r.in.data_size?*r.in.data_size:0)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + if ((r.out.data_length?*r.out.data_length:0) > (r.out.data_size?*r.out.data_size:0)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_data = r.out.data_length?*r.out.data_length:0; + memcpy(_data, r.out.data, _copy_len_data * sizeof(*_data)); } - if ((r.out.data_length?*r.out.data_length:0) > (r.out.data_size?*r.out.data_size:0)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; - } - memcpy(_data, r.out.data, (r.out.data_length?*r.out.data_length:0) * sizeof(*_data)); } if (_data_size && r.out.data_size) { *_data_size = *r.out.data_size; @@ -7011,13 +7027,21 @@ static void dcerpc_winreg_QueryMultipleValues_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.values_out, state->tmp.out.values_out, (state->tmp.in.num_values) * sizeof(*state->orig.out.values_out)); + { + size_t _copy_len_values_out; + _copy_len_values_out = state->tmp.in.num_values; + memcpy(state->orig.out.values_out, state->tmp.out.values_out, _copy_len_values_out * sizeof(*state->orig.out.values_out)); + } if (state->orig.out.buffer && state->tmp.out.buffer) { - if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_buffer; + if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_buffer = *state->tmp.out.buffer_size; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); } - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer)); } *state->orig.out.buffer_size = *state->tmp.out.buffer_size; @@ -7079,12 +7103,20 @@ NTSTATUS dcerpc_winreg_QueryMultipleValues(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_values_out, r.out.values_out, (r.in.num_values) * sizeof(*_values_out)); + { + size_t _copy_len_values_out; + _copy_len_values_out = r.in.num_values; + memcpy(_values_out, r.out.values_out, _copy_len_values_out * sizeof(*_values_out)); + } if (_buffer && r.out.buffer) { - if ((*r.out.buffer_size) > (*r.in.buffer_size)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_buffer; + if ((*r.out.buffer_size) > (*r.in.buffer_size)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_buffer = *r.out.buffer_size; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); } - memcpy(_buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*_buffer)); } *_buffer_size = *r.out.buffer_size; @@ -8200,9 +8232,17 @@ static void dcerpc_winreg_QueryMultipleValues2_done(struct tevent_req *subreq) } /* Copy out parameters */ - memcpy(state->orig.out.values_out, state->tmp.out.values_out, (state->tmp.in.num_values) * sizeof(*state->orig.out.values_out)); + { + size_t _copy_len_values_out; + _copy_len_values_out = state->tmp.in.num_values; + memcpy(state->orig.out.values_out, state->tmp.out.values_out, _copy_len_values_out * sizeof(*state->orig.out.values_out)); + } if (state->orig.out.buffer && state->tmp.out.buffer) { - memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.offered) * sizeof(*state->orig.out.buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = *state->tmp.in.offered; + memcpy(state->orig.out.buffer, state->tmp.out.buffer, _copy_len_buffer * sizeof(*state->orig.out.buffer)); + } } *state->orig.out.needed = *state->tmp.out.needed; @@ -8265,9 +8305,17 @@ NTSTATUS dcerpc_winreg_QueryMultipleValues2(struct dcerpc_binding_handle *h, } /* Return variables */ - memcpy(_values_out, r.out.values_out, (r.in.num_values) * sizeof(*_values_out)); + { + size_t _copy_len_values_out; + _copy_len_values_out = r.in.num_values; + memcpy(_values_out, r.out.values_out, _copy_len_values_out * sizeof(*_values_out)); + } if (_buffer && r.out.buffer) { - memcpy(_buffer, r.out.buffer, (*r.in.offered) * sizeof(*_buffer)); + { + size_t _copy_len_buffer; + _copy_len_buffer = *r.in.offered; + memcpy(_buffer, r.out.buffer, _copy_len_buffer * sizeof(*_buffer)); + } } *_needed = *r.out.needed; diff --git a/source3/librpc/gen_ndr/ndr_wmi_c.c b/source3/librpc/gen_ndr/ndr_wmi_c.c index a2d1ee1895fd..4d05791b0f4c 100644 --- a/source3/librpc/gen_ndr/ndr_wmi_c.c +++ b/source3/librpc/gen_ndr/ndr_wmi_c.c @@ -6386,11 +6386,15 @@ static void dcerpc_IEnumWbemClassObject_Next_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.ORPCthat = *state->tmp.out.ORPCthat; - if ((*state->tmp.out.puReturned) > (state->tmp.in.uCount)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; + { + size_t _copy_len_apObjects; + if ((*state->tmp.out.puReturned) > (state->tmp.in.uCount)) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + _copy_len_apObjects = *state->tmp.out.puReturned; + memcpy(state->orig.out.apObjects, state->tmp.out.apObjects, _copy_len_apObjects * sizeof(*state->orig.out.apObjects)); } - memcpy(state->orig.out.apObjects, state->tmp.out.apObjects, (*state->tmp.out.puReturned) * sizeof(*state->orig.out.apObjects)); *state->orig.out.puReturned = *state->tmp.out.puReturned; /* Copy result */ @@ -6450,10 +6454,14 @@ NTSTATUS dcerpc_IEnumWbemClassObject_Next(struct dcerpc_binding_handle *h, /* Return variables */ *_ORPCthat = *r.out.ORPCthat; - if ((*r.out.puReturned) > (r.in.uCount)) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; + { + size_t _copy_len_apObjects; + if ((*r.out.puReturned) > (r.in.uCount)) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + _copy_len_apObjects = *r.out.puReturned; + memcpy(_apObjects, r.out.apObjects, _copy_len_apObjects * sizeof(*_apObjects)); } - memcpy(_apObjects, r.out.apObjects, (*r.out.puReturned) * sizeof(*_apObjects)); *_puReturned = *r.out.puReturned; /* Return result */ @@ -9662,7 +9670,11 @@ static void dcerpc_RequestChallenge_done(struct tevent_req *subreq) /* Copy out parameters */ *state->orig.out.ORPCthat = *state->tmp.out.ORPCthat; - memcpy(state->orig.out.Nonce, state->tmp.out.Nonce, (16) * sizeof(*state->orig.out.Nonce)); + { + size_t _copy_len_Nonce; + _copy_len_Nonce = 16; + memcpy(state->orig.out.Nonce, state->tmp.out.Nonce, _copy_len_Nonce * sizeof(*state->orig.out.Nonce)); + } /* Copy result */ state->orig.out.result = state->tmp.out.result; @@ -9720,7 +9732,11 @@ NTSTATUS dcerpc_RequestChallenge(struct dcerpc_binding_handle *h, /* Return variables */ *_ORPCthat = *r.out.ORPCthat; - memcpy(_Nonce, r.out.Nonce, (16) * sizeof(*_Nonce)); + { + size_t _copy_len_Nonce; + _copy_len_Nonce = 16; + memcpy(_Nonce, r.out.Nonce, _copy_len_Nonce * sizeof(*_Nonce)); + } /* Return result */ *result = r.out.result; -- 2.34.1