From 183da1f9fda6f58cdff5cefad133a86462d5942a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 18 Nov 2019 16:02:39 +1300
Subject: [PATCH] witness.idl: Change array type in IDL for the print function

It is important that the generated print function checks r->messages before de-referencing r->messages[num] as r->num can be non-zero while r->messages is NULL. There is not witness server in Samba and print functions are only used during debugging and ndrdump in any case. The change in the IDL does not change the header and the IDL function is already nopull,nopush so only the print function changes. Found by Douglas Bagnall using Honggfuzz and a new fuzzer for Samba's NDR layer.

Signed-off-by: Andrew Bartlett
Reviewed-by: Andreas Schneider
---
 librpc/idl/witness.idl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/librpc/idl/witness.idl b/librpc/idl/witness.idl
index 1557badeb24..e230a5ea709 100644
--- a/librpc/idl/witness.idl
+++ b/librpc/idl/witness.idl
@@ -123,7 +123,7 @@ interface witness
  witness_notifyResponse_type type;
  [value(ndr_size_witness_notifyResponse(r, ndr->flags)-20)] uint32 length;
  uint32 num;
- [subcontext(4), subcontext_size(length), flag(NDR_REMAINING), switch_is(type)] witness_notifyResponse_message messages[num];
+ [subcontext(4), subcontext_size(length), flag(NDR_REMAINING), switch_is(type), size_is(num)] witness_notifyResponse_message *messages;
  } witness_notifyResponse;
  [public] WERROR witness_AsyncNotify(
-- 
2.47.3
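Review bot: The added `*messages` line carries no comment recording why it is a pointer with `size_is(num)` rather than the `messages[num]` array form, so a later cleanup or a "make it look like the neighbouring fields" edit could silently revert it and bring back the NULL dereference in the generated print path that the commit message describes. Suggest a one-line IDL comment above the field, e.g. `/* pointer + size_is(num): num can be non-zero while messages is NULL, and the generated print must check the pointer before indexing */`. Since the struct is already nopull,nopush the change only affects the generated print function, so it would also be worth pairing it with a regression input for ndrdump (a response with num > 0 and no message payload) so the fuzzer finding stays covered by the test suite. The `witness_notifyResponse` struct declaration begins outside the hunk.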