/* Copy out parameters */
*state->orig.out.entry_handle = *state->tmp.out.entry_handle;
*state->orig.out.num_ents = *state->tmp.out.num_ents;
- memcpy(state->orig.out.entries, state->tmp.out.entries, (state->tmp.in.max_ents) * sizeof(*state->orig.out.entries));
+ if ((*state->tmp.out.num_ents) > (state->tmp.in.max_ents)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ memcpy(state->orig.out.entries, state->tmp.out.entries, (*state->tmp.out.num_ents) * sizeof(*state->orig.out.entries));
/* Copy result */
state->orig.out.result = state->tmp.out.result;
/* Return variables */
*entry_handle = *r.out.entry_handle;
*num_ents = *r.out.num_ents;
- memcpy(entries, r.out.entries, (r.in.max_ents) * sizeof(*entries));
+ if ((*r.out.num_ents) > (r.in.max_ents)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ memcpy(entries, r.out.entries, (*r.out.num_ents) * sizeof(*entries));
/* Return result */
return NT_STATUS_OK;
/* Copy out parameters */
*state->orig.out.entry_handle = *state->tmp.out.entry_handle;
*state->orig.out.num_towers = *state->tmp.out.num_towers;
- memcpy(state->orig.out.towers, state->tmp.out.towers, (state->tmp.in.max_towers) * sizeof(*state->orig.out.towers));
+ if ((*state->tmp.out.num_towers) > (state->tmp.in.max_towers)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ memcpy(state->orig.out.towers, state->tmp.out.towers, (*state->tmp.out.num_towers) * sizeof(*state->orig.out.towers));
/* Copy result */
state->orig.out.result = state->tmp.out.result;
/* Return variables */
*entry_handle = *r.out.entry_handle;
*num_towers = *r.out.num_towers;
- memcpy(towers, r.out.towers, (r.in.max_towers) * sizeof(*towers));
+ if ((*r.out.num_towers) > (r.in.max_towers)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ memcpy(towers, r.out.towers, (*r.out.num_towers) * sizeof(*towers));
/* Return result */
return NT_STATUS_OK;
}
/* Copy out parameters */
- memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.length) * sizeof(*state->orig.out.buffer));
+ if ((*state->tmp.out.length) > (*state->tmp.in.length)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.length) * sizeof(*state->orig.out.buffer));
*state->orig.out.length = *state->tmp.out.length;
/* Copy result */
}
/* Return variables */
- memcpy(buffer, r.out.buffer, (*r.in.length) * sizeof(*buffer));
+ if ((*r.out.length) > (*r.in.length)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ memcpy(buffer, r.out.buffer, (*r.out.length) * sizeof(*buffer));
*length = *r.out.length;
/* Return result */
/* Copy out parameters */
*state->orig.out.reg_data_type = *state->tmp.out.reg_data_type;
- memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.buffer_size) * sizeof(*state->orig.out.buffer));
+ if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer));
*state->orig.out.buffer_size = *state->tmp.out.buffer_size;
*state->orig.out.needed = *state->tmp.out.needed;
/* Return variables */
*reg_data_type = *r.out.reg_data_type;
- memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer));
+ if ((*r.out.buffer_size) > (*r.in.buffer_size)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer));
*buffer_size = *r.out.buffer_size;
*needed = *r.out.needed;
*state->orig.out.type = *state->tmp.out.type;
}
if (state->orig.out.value && state->tmp.out.value) {
- memcpy(state->orig.out.value, state->tmp.out.value, (*state->tmp.in.size) * sizeof(*state->orig.out.value));
+ if ((*state->tmp.out.size) > (*state->tmp.in.size)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ if ((*state->tmp.out.length) > (*state->tmp.out.size)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ memcpy(state->orig.out.value, state->tmp.out.value, (*state->tmp.out.length) * sizeof(*state->orig.out.value));
}
if (state->orig.out.size && state->tmp.out.size) {
*state->orig.out.size = *state->tmp.out.size;
*type = *r.out.type;
}
if (value && r.out.value) {
- memcpy(value, r.out.value, (*r.in.size) * sizeof(*value));
+ if ((*r.out.size) > (*r.in.size)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if ((*r.out.length) > (*r.out.size)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ memcpy(value, r.out.value, (*r.out.length) * sizeof(*value));
}
if (size && r.out.size) {
*size = *r.out.size;
*state->orig.out.type = *state->tmp.out.type;
}
if (state->orig.out.data && state->tmp.out.data) {
- memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.data_size?*state->tmp.in.data_size:0) * sizeof(*state->orig.out.data));
+ if ((state->tmp.out.data_size?*state->tmp.out.data_size:0) > (state->tmp.in.data_size?*state->tmp.in.data_size:0)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ if ((state->tmp.out.data_length?*state->tmp.out.data_length:0) > (state->tmp.out.data_size?*state->tmp.out.data_size:0)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.out.data_length?*state->tmp.out.data_length:0) * sizeof(*state->orig.out.data));
}
if (state->orig.out.data_size && state->tmp.out.data_size) {
*state->orig.out.data_size = *state->tmp.out.data_size;
*type = *r.out.type;
}
if (data && r.out.data) {
- memcpy(data, r.out.data, (r.in.data_size?*r.in.data_size:0) * sizeof(*data));
+ if ((r.out.data_size?*r.out.data_size:0) > (r.in.data_size?*r.in.data_size:0)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if ((r.out.data_length?*r.out.data_length:0) > (r.out.data_size?*r.out.data_size:0)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ memcpy(data, r.out.data, (r.out.data_length?*r.out.data_length:0) * sizeof(*data));
}
if (data_size && r.out.data_size) {
*data_size = *r.out.data_size;
/* Copy out parameters */
memcpy(state->orig.out.values, state->tmp.out.values, (state->tmp.in.num_values) * sizeof(*state->orig.out.values));
if (state->orig.out.buffer && state->tmp.out.buffer) {
- memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.buffer_size) * sizeof(*state->orig.out.buffer));
+ if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+ memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer));
}
*state->orig.out.buffer_size = *state->tmp.out.buffer_size;
/* Return variables */
memcpy(values, r.out.values, (r.in.num_values) * sizeof(*values));
if (buffer && r.out.buffer) {
- memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer));
+ if ((*r.out.buffer_size) > (*r.in.buffer_size)) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer));
}
*buffer_size = *r.out.buffer_size;
git.samba.org / samba.git / commitdiff