From: Andrew Bartlett
Date: Tue, 19 Nov 2019 03:07:50 +0000 (+1300)
Subject: librpc: Make CFDATA private to cab.idl and remove pull and push functions
X-Git-Tag: ldb-2.1.0~495
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bd81733bb7c5af3fb2f98bf475d53507c3955b31;p=thirdparty%2Fsamba.git

librpc: Make CFDATA private to cab.idl and remove pull and push functions

We can do this because ndr_{pull,push}_CFDATA is unused.

The earlier commit 466d5e814727046dd630d5503b43874ec46a365e removed the link between "uint16 cbData" and the size of "DATA_BLOB ab", so when the new ndr_fuzz_X fuzzer pushed a new structure this allowed a read beyond the end of allocated memory.

The ndr_push_cab_file() function is also manually written and does not rely on the value of cbData to calculate the checksum.

Found by Douglas Bagnall using Honggfuzz and the new fuzz_ndr_X fuzzer, which like ndrdump's struct mode uses the public structure tables. (This is how it found the unused functions to test.)

Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---
diff --git a/librpc/idl/cab.idl b/librpc/idl/cab.idl index 8eaae591c1f..d08b53566db 100644 --- a/librpc/idl/cab.idl +++ b/librpc/idl/cab.idl @@ -110,8 +110,8 @@ import "misc.idl"; [flag(r->attribs & _A_NAME_IS_UTF ? STR_UTF8|STR_NULLTERM : STR_ASCII|STR_NULLTERM)] string szName; } CFFILE; - typedef [public,flag(NDR_PAHEX|NDR_LITTLE_ENDIAN|NDR_NOALIGN)] struct { - [value(ndr_cab_generate_checksum(r))] uint32 csum; /* checksum of this CFDATA entry */ + typedef [flag(NDR_PAHEX|NDR_LITTLE_ENDIAN|NDR_NOALIGN),nopull,nopush] struct { + uint32 csum; /* checksum of this CFDATA entry */ uint16 cbData; /* number of compressed bytes in this block */ uint16 cbUncomp; /* number of uncompressed bytes in this block */ #if 0
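Review bot: the hunk removes the over-read path (no `public` table entry, so the fuzzer and ndrdump can no longer reach CFDATA, and `nopull,nopush` so no generated marshalling code exists to trust cbData), but it does not restore the link between cbData and the length of the data blob that the commit message names as the root cause. Since dropping `[value(ndr_cab_generate_checksum(r))]` also means the generated code no longer computes csum, the hand-written ndr_push_cab_file() is now the only place that has to keep cbData consistent with the payload and fill in the checksum; suggest recording that invariant as an IDL comment next to `uint32 csum;` and `uint16 cbData;` so that anyone later re-adding pull/push for this struct does not reintroduce the read past the allocation. The `#if 0` in the trailing context hides the rest of the struct from the diff, so a reviewer cannot confirm from this hunk alone how `ab` is declared; a pointer to the relevant part of ndr_cab.c in the commit message would make the "unused" and "manually written" claims easy to verify.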