From: Douglas Bagnall Date: Wed, 30 Oct 2019 20:35:19 +0000 (+1300) Subject: pidl: check the size of pulled arrays of arrays X-Git-Tag: ldb-2.1.0~656 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1aec742575252d1efcc47a8e9023889bfb0e5709;p=thirdparty%2Fsamba.git pidl: check the size of pulled arrays of arrays We were accidentally checking the memory just past the array instead of checking each member. This could have led to the size of some arrays not being checked. Found by Michael Hanselmann using Honggfuzz and an fuzzer for Samba's NDR layer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13877 Signed-off-by: Douglas Bagnall Pair-programmed-with: Andrew Bartlett Signed-off-by: Andrew Bartlett Reviewed-by: Andrew Bartlett
---
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index 8759e46aedb..c1a2cc99cb7 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -1247,10 +1247,14 @@ sub ParseElementPullLevel
 if ($deferred and ContainsDeferred($e, $l)) {
 $self->pidl("for ($counter = 0; $counter < ($length); $counter++) {");
+ $self->defer("for ($counter = 0; $counter < ($length); $counter++) {");
+ $self->defer_indent;
 $self->indent;
 $self->ParseElementPullLevel($e,GetNextLevel($e,$l), $ndr, $var_name, $env, 0, 1);
 $self->deindent;
+ $self->defer_deindent;
 $self->pidl("}");
+ $self->defer("}");
 }
 $self->ParseMemCtxPullEnd($e, $l, $ndr);
diff --git a/selftest/knownfail.d/ndrdump b/selftest/knownfail.d/ndrdump
deleted file mode 100644
index 4c91544d37a..00000000000
--- a/selftest/knownfail.d/ndrdump
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_clusapi_QueryAllValues
\ No newline at end of file
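Review bot: The new `defer(...)` / `defer_indent` / `defer_deindent` calls around the recursive `ParseElementPullLevel` call in the Parser.pm hunk have no comment saying why the loop is emitted a second time, and that duplication is the whole of the security fix. Going by the commit message, the deferred size checks previously ran outside any loop and so looked at the slot just past the array, so I would add above the `if`: `# Deferred checks must be wrapped in the same per-member loop, or they run once with $counter == $length and inspect memory past the array.` The loop header string is also written out twice and the two copies must stay identical; holding it in one local, e.g. `my $loop = "for ($counter = 0; $counter < ($length); $counter++) {";`, and passing `$loop` to both `pidl` and `defer` would keep them from drifting. `ParseElementPullLevel` begins and ends outside this hunk, so whether the deferred loop can be emitted with an empty body is not visible here.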