[samba4/f17] Fixes CVE-2012-1182.
asn
asn at fedoraproject.org
Fri Apr 13 13:16:39 UTC 2012
commit 04a7e6534feb18600cd0c15502d2aadcf423e852
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Fri Apr 13 11:03:23 2012 +0200
Fixes CVE-2012-1182.
samba4-4.0.0-alpha19-CVE-2012-1182.patch | 511 ++++++++++++++++++++++++++++++
samba4.spec | 7 +-
2 files changed, 517 insertions(+), 1 deletions(-)
---
diff --git a/samba4-4.0.0-alpha19-CVE-2012-1182.patch b/samba4-4.0.0-alpha19-CVE-2012-1182.patch
new file mode 100644
index 0000000..164effd
--- /dev/null
+++ b/samba4-4.0.0-alpha19-CVE-2012-1182.patch
@@ -0,0 +1,511 @@
+From 44bd0709f01861080496832590c395d688e28209 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 15 Mar 2012 13:09:51 +0100
+Subject: [PATCH 1/8] pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()
+
+metze
+---
+ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+index 2078f58..bcc854b 100644
+--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+@@ -1882,8 +1882,6 @@ sub ParseUnionPullPrimitives($$$$$)
+
+ if ($el->{TYPE} ne "EMPTY") {
+ $self->indent;
+- $self->DeclarePtrVariables($el);
+- $self->DeclareArrayVariables($el);
+ if (defined($e->{PROPERTIES}{relative_base})) {
+ $self->pidl("NDR_CHECK(ndr_pull_align($ndr, $el->{ALIGN}));");
+ # set the current offset as base for relative pointers
+@@ -1960,6 +1958,8 @@ sub ParseUnionPull($$$$)
+ next if ($el->{TYPE} eq "EMPTY");
+ next if ($double_cases{"$el->{NAME}"});
+ $self->DeclareMemCtxVariables($el);
++ $self->DeclarePtrVariables($el);
++ $self->DeclareArrayVariables($el);
+ $double_cases{"$el->{NAME}"} = 1;
+ }
+
+--
+1.7.4.1
+
+
+From 3bcecc42e23c274bf7460a1e88e1d1b0557612b4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 15 Mar 2012 13:12:04 +0100
+Subject: [PATCH 2/8] pidl/NDR/Parser: simplify logic in DeclareArrayVariables*()
+
+metze
+---
+ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 14 ++++++--------
+ 1 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+index bcc854b..acba0ba 100644
+--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+@@ -1532,11 +1532,10 @@ sub DeclareArrayVariables($$)
+ my ($self,$e) = @_;
+
+ foreach my $l (@{$e->{LEVELS}}) {
++ next if ($l->{TYPE} ne "ARRAY");
+ next if has_fast_array($e,$l);
+ next if is_charset_array($e,$l);
+- if ($l->{TYPE} eq "ARRAY") {
+- $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+- }
++ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+ }
+ }
+
+@@ -1545,15 +1544,14 @@ sub DeclareArrayVariablesNoZero($$$)
+ my ($self,$e,$env) = @_;
+
+ foreach my $l (@{$e->{LEVELS}}) {
++ next if ($l->{TYPE} ne "ARRAY");
+ next if has_fast_array($e,$l);
+ next if is_charset_array($e,$l);
+- if ($l->{TYPE} eq "ARRAY") {
+- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+- if ($length eq "0") {
++ my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
++ if ($length eq "0") {
+ warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length");
+- } else {
++ } else {
+ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+- }
+ }
+ }
+ }
+--
+1.7.4.1
+
+
+From fa7a14151d8e2661edf26edb4cac31a3b7b72b6d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 15 Mar 2012 13:05:39 +0100
+Subject: [PATCH 3/8] pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength()
+
+metze
+---
+ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 55 +++++++++++++++++++++++-------
+ 1 files changed, 42 insertions(+), 13 deletions(-)
+
+diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+index acba0ba..e97c400 100644
+--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+@@ -315,39 +315,68 @@ sub check_null_pointer($$$$)
+ }
+ }
+
+-#####################################################################
+-# parse an array - pull side
+-sub ParseArrayPullHeader($$$$$$)
++sub ParseArrayPullGetSize($$$$$$)
+ {
+ my ($self,$e,$l,$ndr,$var_name,$env) = @_;
+
+- my $length;
+ my $size;
+
+ if ($l->{IS_CONFORMANT}) {
+- $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")";
++ $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")";
+ } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays
+- $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))";
++ $size = "ndr_get_string_size($ndr, sizeof(*$var_name))";
+ } else {
+- $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL},
++ $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL},
+ check_null_pointer($e, $env, sub { $self->pidl(shift); },
+ "return ndr_pull_error($ndr, NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"),
+ check_fully_dereferenced($e, $env));
+ }
+
++ my $array_size = $size;
++
++ return $array_size;
++}
++
++#####################################################################
++# parse an array - pull side
++sub ParseArrayPullGetLength($$$$$$;$)
++{
++ my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_;
++
++ if (not defined($array_size)) {
++ $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
++ }
++
++ my $array_length = $array_size;
++ if ($l->{IS_VARYING}) {
++ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
++ $array_length = $length;
++ }
++
++ return $array_length;
++}
++
++#####################################################################
++# parse an array - pull side
++sub ParseArrayPullHeader($$$$$$)
++{
++ my ($self,$e,$l,$ndr,$var_name,$env) = @_;
++
+ if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) {
+ $self->pidl("NDR_CHECK(ndr_pull_array_size($ndr, " . get_pointer_to($var_name) . "));");
+ }
+
+ if ($l->{IS_VARYING}) {
+ $self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . get_pointer_to($var_name) . "));");
+- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
+ }
+
+- if ($length ne $size) {
+- $self->pidl("if ($length > $size) {");
++ my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
++ my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env, $array_size);
++
++ if ($array_length ne $array_size) {
++ $self->pidl("if ($array_length > $array_size) {");
+ $self->indent;
+- $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $size, $length);");
++ $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $array_size, $array_length);");
+ $self->deindent;
+ $self->pidl("}");
+ }
+@@ -377,10 +406,10 @@ sub ParseArrayPullHeader($$$$$$)
+ }
+
+ if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) {
+- $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size);
++ $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size);
+ }
+
+- return $length;
++ return $array_length;
+ }
+
+ sub compression_alg($$)
+--
+1.7.4.1
+
+
+From 48ac94d89e490dc561b1683103086c44be70e3ae Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 15 Mar 2012 13:07:47 +0100
+Subject: [PATCH 4/8] pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
+
+An anonymous researcher and Brian Gorenc (HP DVLabs) working
+with HP's Zero Day Initiative program have found this and notified us.
+
+metze
+---
+ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 +-----
+ 1 files changed, 1 insertions(+), 5 deletions(-)
+
+diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+index e97c400..09ba723 100644
+--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+@@ -1120,14 +1120,10 @@ sub ParseElementPullLevel
+ }
+ } elsif ($l->{TYPE} eq "ARRAY" and
+ not has_fast_array($e,$l) and not is_charset_array($e, $l)) {
+- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
++ my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
+ my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
+ my $array_name = $var_name;
+
+- if ($l->{IS_VARYING}) {
+- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
+- }
+-
+ if (my $range = has_property($e, "range")) {
+ my ($low, $high) = split(/,/, $range, 2);
+ if ($low < 0) {
+--
+1.7.4.1
+
+
+From f5c8554f1d5994ad1d2c4ac11e31dd94cb35bb41 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 15 Mar 2012 15:07:08 +0100
+Subject: [PATCH 5/8] pidl/NDR/Parser: remember if we already know the array length
+
+metze
+---
+ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+index 09ba723..8a69c25 100644
+--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+@@ -1028,6 +1028,7 @@ sub ParseElementPullLevel
+ my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_;
+
+ my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred);
++ my $array_length = undef;
+
+ if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or $l->{IS_CONFORMANT})) {
+ $var_name = get_pointer_to($var_name);
+@@ -1041,6 +1042,7 @@ sub ParseElementPullLevel
+ $self->ParseSubcontextPullEnd($e, $l, $ndr, $env);
+ } elsif ($l->{TYPE} eq "ARRAY") {
+ my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env);
++ $array_length = $length;
+
+ if (my $range = has_property($e, "range")) {
+ my ($low, $high) = split(/,/, $range, 2);
+@@ -1120,10 +1122,14 @@ sub ParseElementPullLevel
+ }
+ } elsif ($l->{TYPE} eq "ARRAY" and
+ not has_fast_array($e,$l) and not is_charset_array($e, $l)) {
+- my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
++ my $length = $array_length;
+ my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
+ my $array_name = $var_name;
+
++ if (not defined($length)) {
++ $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
++ }
++
+ if (my $range = has_property($e, "range")) {
+ my ($low, $high) = split(/,/, $range, 2);
+ if ($low < 0) {
+--
+1.7.4.1
+
+
+From 0f03bfb34d68364454197fb18319dbff29d9210f Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 15 Mar 2012 13:13:20 +0100
+Subject: [PATCH 6/8] pidl/NDR/Parser: use helper variables for array size and length
+
+metze
+---
+ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 22 +++++++++++++++-------
+ 1 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+index 8a69c25..c712b9d 100644
+--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+@@ -332,7 +332,8 @@ sub ParseArrayPullGetSize($$$$$$)
+ check_fully_dereferenced($e, $env));
+ }
+
+- my $array_size = $size;
++ $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;");
++ my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}";
+
+ return $array_size;
+ }
+@@ -350,7 +351,8 @@ sub ParseArrayPullGetLength($$$$$$;$)
+ my $array_length = $array_size;
+ if ($l->{IS_VARYING}) {
+ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
+- $array_length = $length;
++ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;");
++ $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
+ }
+
+ return $array_length;
+@@ -1558,12 +1560,18 @@ sub DeclarePtrVariables($$)
+ }
+ }
+
+-sub DeclareArrayVariables($$)
++sub DeclareArrayVariables($$;$)
+ {
+- my ($self,$e) = @_;
++ my ($self,$e,$pull) = @_;
+
+ foreach my $l (@{$e->{LEVELS}}) {
+ next if ($l->{TYPE} ne "ARRAY");
++ if (defined($pull)) {
++ $self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} = 0;");
++ if ($l->{IS_VARYING}) {
++ $self->pidl("uint32_t length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;");
++ }
++ }
+ next if has_fast_array($e,$l);
+ next if is_charset_array($e,$l);
+ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+@@ -1648,7 +1656,7 @@ sub ParseStructPull($$$$)
+ # declare any internal pointers we need
+ foreach my $e (@{$struct->{ELEMENTS}}) {
+ $self->DeclarePtrVariables($e);
+- $self->DeclareArrayVariables($e);
++ $self->DeclareArrayVariables($e, "pull");
+ $self->DeclareMemCtxVariables($e);
+ }
+
+@@ -1988,7 +1996,7 @@ sub ParseUnionPull($$$$)
+ next if ($double_cases{"$el->{NAME}"});
+ $self->DeclareMemCtxVariables($el);
+ $self->DeclarePtrVariables($el);
+- $self->DeclareArrayVariables($el);
++ $self->DeclareArrayVariables($el, "pull");
+ $double_cases{"$el->{NAME}"} = 1;
+ }
+
+@@ -2354,7 +2362,7 @@ sub ParseFunctionPull($$)
+ # declare any internal pointers we need
+ foreach my $e (@{$fn->{ELEMENTS}}) {
+ $self->DeclarePtrVariables($e);
+- $self->DeclareArrayVariables($e);
++ $self->DeclareArrayVariables($e, "pull");
+ }
+
+ my %double_cases = ();
+--
+1.7.4.1
+
+
+From fb8b5fbbc4013b0e3c9b36e6f2b225e7d1fd1c72 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 15 Mar 2012 13:14:48 +0100
+Subject: [PATCH 7/8] pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength()
+
+metze
+---
+ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 42 ++++++++++--------------------
+ 1 files changed, 14 insertions(+), 28 deletions(-)
+
+diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+index c712b9d..b6fcc5b 100644
+--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+@@ -355,6 +355,20 @@ sub ParseArrayPullGetLength($$$$$$;$)
+ $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
+ }
+
++ if (my $range = has_property($e, "range")) {
++ my ($low, $high) = split(/,/, $range, 2);
++ if ($low < 0) {
++ warning(0, "$low is invalid for the range of an array size");
++ }
++ if ($low == 0) {
++ $self->pidl("if ($array_length > $high) {");
++ } else {
++ $self->pidl("if ($array_length < $low || $array_length > $high) {");
++ }
++ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
++ $self->pidl("}");
++ }
++
+ return $array_length;
+ }
+
+@@ -1046,20 +1060,6 @@ sub ParseElementPullLevel
+ my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env);
+ $array_length = $length;
+
+- if (my $range = has_property($e, "range")) {
+- my ($low, $high) = split(/,/, $range, 2);
+- if ($low < 0) {
+- warning(0, "$low is invalid for the range of an array size");
+- }
+- if ($low == 0) {
+- $self->pidl("if ($length > $high) {");
+- } else {
+- $self->pidl("if ($length < $low || $length > $high) {");
+- }
+- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
+- $self->pidl("}");
+- }
+-
+ my $nl = GetNextLevel($e, $l);
+
+ if (is_charset_array($e,$l)) {
+@@ -1132,20 +1132,6 @@ sub ParseElementPullLevel
+ $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
+ }
+
+- if (my $range = has_property($e, "range")) {
+- my ($low, $high) = split(/,/, $range, 2);
+- if ($low < 0) {
+- warning(0, "$low is invalid for the range of an array size");
+- }
+- if ($low == 0) {
+- $self->pidl("if ($length > $high) {");
+- } else {
+- $self->pidl("if ($length < $low || $length > $high) {");
+- }
+- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
+- $self->pidl("}");
+- }
+-
+ $var_name = get_array_element($var_name, $counter);
+
+ $self->ParseMemCtxPullStart($e, $l, $ndr, $array_name);
+--
+1.7.4.1
+
+
+From 02b14d49a9a3ed581ea41f060ad7d1a69fd81373 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 15 Mar 2012 17:03:05 +0100
+Subject: [PATCH 8/8] pidl/NDR/Parser: also do range checks on the array size
+
+metze
+---
+ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 25 ++++++++++++++++++++-----
+ 1 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+index b6fcc5b..3676d6d 100644
+--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+@@ -335,6 +335,20 @@ sub ParseArrayPullGetSize($$$$$$)
+ $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;");
+ my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}";
+
++ if (my $range = has_property($e, "range")) {
++ my ($low, $high) = split(/,/, $range, 2);
++ if ($low < 0) {
++ warning(0, "$low is invalid for the range of an array size");
++ }
++ if ($low == 0) {
++ $self->pidl("if ($array_size > $high) {");
++ } else {
++ $self->pidl("if ($array_size < $low || $array_size > $high) {");
++ }
++ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
++ $self->pidl("}");
++ }
++
+ return $array_size;
+ }
+
+@@ -348,13 +362,14 @@ sub ParseArrayPullGetLength($$$$$$;$)
+ $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
+ }
+
+- my $array_length = $array_size;
+- if ($l->{IS_VARYING}) {
+- my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
+- $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;");
+- $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
++ if (not $l->{IS_VARYING}) {
++ return $array_size;
+ }
+
++ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
++ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;");
++ my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
++
+ if (my $range = has_property($e, "range")) {
+ my ($low, $high) = split(/,/, $range, 2);
+ if ($low < 0) {
+--
+1.7.4.1
+
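Review bot: The range-validation block that patch 8 adds to ParseArrayPullGetSize (`if (my $range = has_property($e, "range"))` through `$self->pidl("}")`) is a line-for-line copy of the one patch 7 adds to ParseArrayPullGetLength, so the two emitted checks can silently drift apart; factoring it into one helper that takes the `size_`/`length_` expression keeps the size and length checks identical. The `# parse an array - pull side` header that patch 3 leaves above ParseArrayPullGetLength describes ParseArrayPullHeader, and ParseArrayPullGetSize has no header at all; I would replace the former with `# emit the C assignment of the length_ helper variable (non-varying arrays reuse the size_ one) plus its range() check, returning the C expression to use as the element count` and add `# emit the C assignment of the size_ helper variable for this array level plus its range() check` above GetSize. Note also that the `size_`/`length_` variables the two helpers assign are only declared when DeclareArrayVariables receives the second `"pull"` argument (patch 6); the three callers patched here pass it, but any other pull path that reaches ParseElementPullLevel, none visible in this hunk, would emit C referencing undeclared variables, so a comment on the `$pull` parameter stating that contract would help. The nested hunks cut into ParseArrayPullGetLength and ParseElementPullLevel, whose bodies continue outside them.

```perl
# Emit a C range check on $value (a size_ or length_ helper variable)
# when the element carries a range(low,high) property.
sub ParseArrayPullRangeCheck($$$$)
{
	my ($self,$e,$ndr,$value) = @_;

	my $range = has_property($e, "range");
	return unless $range;

	my ($low, $high) = split(/,/, $range, 2);
	if ($low < 0) {
		warning(0, "$low is invalid for the range of an array size");
	}
	if ($low == 0) {
		$self->pidl("if ($value > $high) {");
	} else {
		$self->pidl("if ($value < $low || $value > $high) {");
	}
	$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
	$self->pidl("}");
}

# … unchanged: ParseArrayPullGetSize up to the size_ assignment …
	$self->ParseArrayPullRangeCheck($e, $ndr, $array_size);

# … unchanged: ParseArrayPullGetLength up to the length_ assignment …
	$self->ParseArrayPullRangeCheck($e, $ndr, $array_length);
```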
diff --git a/samba4.spec b/samba4.spec
index 23620a7..fef0702 100644
--- a/samba4.spec
+++ b/samba4.spec
@@ -1,4 +1,4 @@
-%define main_release 39
+%define main_release 40
%define samba_version 4.0.0
%define talloc_version 2.0.7
@@ -72,6 +72,7 @@ Patch1: samba4-libpdb-soversion.patch
Patch2: samba4-samr-lsa-session_key.patch
Patch3: samba4-waf_target.patch
Patch4: samba4-external_ldap_callback.patch
+Patch5: samba4-4.0.0-alpha19-CVE-2012-1182.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
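Review bot: The new `Patch5` file name carries `alpha19` while the changelog in this same spec records the package at `4.0.0-40.alpha18`, which will confuse the next person rebasing the patch set. If the patch was taken from the alpha19 release and applies cleanly to alpha18, a short comment above the line recording that origin, e.g. `# CVE-2012-1182 fix backported from the 4.0.0alpha19 release`, would document the mismatch; otherwise the file should be renamed to match the base version.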
@@ -331,6 +332,7 @@ link against the SMB, RPC and other protocols.
%patch2 -p1 -b .session_key
%patch3 -p1 -b .waf_target
%patch4 -p1 -b .external_callback
+%patch5 -p1 -b .CVE-2012-1182
%build
%define _talloc_lib %nil
@@ -1146,6 +1148,9 @@ rm -rf %{buildroot}
%{_libdir}/pkgconfig/wbclient.pc
%changelog
+* Fri Apr 13 2012 Andreas Schneider <asn at redhat.com> - 4.0.0-40.alpha18
+- Fixes CVE-2012-1182.
+
* Tue Apr 03 2012 Andreas Schneider <asn at redhat.com> - 4.0.0-39.alpha18
- Update to Samba4 alpha18.
- Reorganize subpackages.