rerun: make samba3-idl

metze
(cherry picked from commit 9b9b46252ecf426467205908cb7ba487b7774b5b)

diff --git a/librpc/gen_ndr/cli_epmapper.c b/librpc/gen_ndr/cli_epmapper.c
index 65621d384841220c2aa84a3e4e81bc41d4b56d64..eef91393249f3bfcdf986ca58b24c78b7275dee8 100644 (file)
--- a/librpc/gen_ndr/cli_epmapper.c
+++ b/librpc/gen_ndr/cli_epmapper.c
@@ -135,7 +135,10 @@ NTSTATUS rpccli_epm_Lookup(struct rpc_pipe_client *cli,
        /* Return variables */
        *entry_handle = *r.out.entry_handle;
        *num_ents = *r.out.num_ents;
-       memcpy(entries, r.out.entries, (r.in.max_ents) * sizeof(*entries));
+       if ((*r.out.num_ents) > (r.in.max_ents)) {
+               return NT_STATUS_INVALID_NETWORK_RESPONSE;
+       }
+       memcpy(entries, r.out.entries, (*r.out.num_ents) * sizeof(*entries));
 
        /* Return result */
        return NT_STATUS_OK;
@@ -184,7 +187,10 @@ NTSTATUS rpccli_epm_Map(struct rpc_pipe_client *cli,
        /* Return variables */
        *entry_handle = *r.out.entry_handle;
        *num_towers = *r.out.num_towers;
-       memcpy(towers, r.out.towers, (r.in.max_towers) * sizeof(*towers));
+       if ((*r.out.num_towers) > (r.in.max_towers)) {
+               return NT_STATUS_INVALID_NETWORK_RESPONSE;
+       }
+       memcpy(towers, r.out.towers, (*r.out.num_towers) * sizeof(*towers));
 
        /* Return result */
        return NT_STATUS_OK;

diff --git a/librpc/gen_ndr/cli_ntsvcs.c b/librpc/gen_ndr/cli_ntsvcs.c
index 8f98278552965cac254ae7b4713bc8aa404239e2..e9c3d4c4a5693b43c3a30255161f9dbdf670fe94 100644 (file)
--- a/librpc/gen_ndr/cli_ntsvcs.c
+++ b/librpc/gen_ndr/cli_ntsvcs.c
@@ -461,7 +461,10 @@ NTSTATUS rpccli_PNP_GetDeviceList(struct rpc_pipe_client *cli,
        }
 
        /* Return variables */
-       memcpy(buffer, r.out.buffer, (*r.in.length) * sizeof(*buffer));
+       if ((*r.out.length) > (*r.in.length)) {
+               return NT_STATUS_INVALID_NETWORK_RESPONSE;
+       }
+       memcpy(buffer, r.out.buffer, (*r.out.length) * sizeof(*buffer));
        *length = *r.out.length;
 
        /* Return result */
@@ -606,7 +609,10 @@ NTSTATUS rpccli_PNP_GetDeviceRegProp(struct rpc_pipe_client *cli,
 
        /* Return variables */
        *reg_data_type = *r.out.reg_data_type;
-       memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer));
+       if ((*r.out.buffer_size) > (*r.in.buffer_size)) {
+               return NT_STATUS_INVALID_NETWORK_RESPONSE;
+       }
+       memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer));
        *buffer_size = *r.out.buffer_size;
        *needed = *r.out.needed;
 

diff --git a/librpc/gen_ndr/cli_winreg.c b/librpc/gen_ndr/cli_winreg.c
index c5d19be5f1fb158d9d09b7d36dd591b36ea3e1ad..93f969d34f3f90d67c7d89e43644586a47440756 100644 (file)
--- a/librpc/gen_ndr/cli_winreg.c
+++ b/librpc/gen_ndr/cli_winreg.c
@@ -544,7 +544,13 @@ NTSTATUS rpccli_winreg_EnumValue(struct rpc_pipe_client *cli,
                *type = *r.out.type;
        }
        if (value && r.out.value) {
-               memcpy(value, r.out.value, (*r.in.size) * sizeof(*value));
+               if ((*r.out.size) > (*r.in.size)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+               if ((*r.out.length) > (*r.out.size)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+               memcpy(value, r.out.value, (*r.out.length) * sizeof(*value));
        }
        if (size && r.out.size) {
                *size = *r.out.size;
@@ -915,7 +921,13 @@ NTSTATUS rpccli_winreg_QueryValue(struct rpc_pipe_client *cli,
                *type = *r.out.type;
        }
        if (data && r.out.data) {
-               memcpy(data, r.out.data, (*r.in.data_size) * sizeof(*data));
+               if ((*r.out.data_size) > (*r.in.data_size)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+               if ((*r.out.data_length) > (*r.out.data_size)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+               memcpy(data, r.out.data, (*r.out.data_length) * sizeof(*data));
        }
        if (data_size && r.out.data_size) {
                *data_size = *r.out.data_size;
@@ -1483,7 +1495,10 @@ NTSTATUS rpccli_winreg_QueryMultipleValues(struct rpc_pipe_client *cli,
        /* Return variables */
        memcpy(values, r.out.values, (r.in.num_values) * sizeof(*values));
        if (buffer && r.out.buffer) {
-               memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer));
+               if ((*r.out.buffer_size) > (*r.in.buffer_size)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+               memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer));
        }
        *buffer_size = *r.out.buffer_size;