librpc: Make CFDATA private to cab.idl and remove pull and push functions
author Andrew Bartlett <abartlet@samba.org>
Tue, 19 Nov 2019 03:07:50 +0000 (16:07 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Fri, 29 Nov 2019 00:44:40 +0000 (00:44 +0000)

We can do this because ndr_{pull,push}_CFDATA is unused.

The earlier commit 466d5e814727046dd630d5503b43874ec46a365e removed
the link between "uint16 cbData" and the size of "DATA_BLOB ab" so
when the new ndr_fuzz_X fuzzer pushed a new structure this allowed
a read beyond the end of allocated memory.

The ndr_push_cab_file() function is also manually written and
does not rely on the value of cbData to calculate the checksum.

Found by Douglas Bagnall using Honggfuzz and the new fuzz_ndr_X
fuzzer, which like ndrdump's struct mode uses the public structure
tables.  (This is how it found the unused functions to test).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
librpc/idl/cab.idl

index 8eaae591c1f027aff1a46a69142550226c0ac9e1..d08b53566dbe837f5384beb515c9697853d310f9 100644 (file)
@@ -110,8 +110,8 @@ import "misc.idl";
                [flag(r->attribs & _A_NAME_IS_UTF ? STR_UTF8|STR_NULLTERM : STR_ASCII|STR_NULLTERM)] string szName;
        } CFFILE;
 
-       typedef [public,flag(NDR_PAHEX|NDR_LITTLE_ENDIAN|NDR_NOALIGN)] struct {
-               [value(ndr_cab_generate_checksum(r))] uint32 csum;              /* checksum of this CFDATA entry */
+       typedef [flag(NDR_PAHEX|NDR_LITTLE_ENDIAN|NDR_NOALIGN),nopull,nopush] struct {
+               uint32 csum;            /* checksum of this CFDATA entry */
                uint16 cbData;          /* number of compressed bytes in this block */
                uint16 cbUncomp;        /* number of uncompressed bytes in this block */
 #if 0
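Review bot: The new typedef line adds nopull,nopush and drops public with no comment in the IDL saying why, so a later cleanup could restore the generated marshalling and bring back the read beyond allocated memory that the commit message describes. A short comment above the struct would help, stating that cbData is not tied to the size of ab and that CFDATA is only marshalled through the hand-written ndr_push_cab_file(). Since csum loses its [value(ndr_cab_generate_checksum(r))] attribute in the same hunk, its comment could also say that the checksum is no longer filled in automatically and must be set by the code that builds the entry.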