witness.idl: Change array type in IDL for the print function

It is important that the generated print function checks r->messages before de-referencing r->messages[num] as r->num can be non-zero while r->messages is NULL. There is not witness server in Samba and print functions are only used during debugging and ndrdump in any case. The change in the IDL does not change the header and the IDL function is already nopull,nopush so only the print function changes. Found by Douglas Bagnall using Honggfuzz and a new fuzzer for Samba's NDR layer. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
samba-team · Nov 19, 2019 · 183da1f · 183da1f
1 parent c34ec00
commit 183da1f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/librpc/idl/witness.idl b/librpc/idl/witness.idl
@@ -123,7 +123,7 @@ interface witness
 		witness_notifyResponse_type type;
 		[value(ndr_size_witness_notifyResponse(r, ndr->flags)-20)] uint32 length;
 		uint32 num;
-		[subcontext(4), subcontext_size(length), flag(NDR_REMAINING), switch_is(type)] witness_notifyResponse_message messages[num];
+	        [subcontext(4), subcontext_size(length), flag(NDR_REMAINING), switch_is(type), size_is(num)] witness_notifyResponse_message *messages;
 	} witness_notifyResponse;
 
 	[public] WERROR witness_AsyncNotify(