witness.idl: Change array type in IDL for the print function
author Andrew Bartlett <abartlet@samba.org>
Mon, 18 Nov 2019 03:02:39 +0000 (16:02 +1300)
committer Andreas Schneider <asn@cryptomilk.org>
Tue, 19 Nov 2019 13:21:29 +0000 (13:21 +0000)

It is important that the generated print function checks r->messages
before de-referencing r->messages[num] as r->num can be non-zero
while r->messages is NULL.

There is no witness server in Samba and print functions are only
used during debugging and ndrdump in any case.

The change in the IDL does not change the header and the IDL
function is already nopull,nopush so only the print function changes.

Found by Douglas Bagnall using Honggfuzz and a new fuzzer for
Samba's NDR layer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
librpc/idl/witness.idl

index 1557badeb2473ce645f999ea0b7a63f51ada766c..e230a5ea709bfa9fbeabdefa4204318c8afcfc7a 100644 (file)
@@ -123,7 +123,7 @@ interface witness
                witness_notifyResponse_type type;
                [value(ndr_size_witness_notifyResponse(r, ndr->flags)-20)] uint32 length;
                uint32 num;
-               [subcontext(4), subcontext_size(length), flag(NDR_REMAINING), switch_is(type)] witness_notifyResponse_message messages[num];
+               [subcontext(4), subcontext_size(length), flag(NDR_REMAINING), switch_is(type), size_is(num)] witness_notifyResponse_message *messages;
        } witness_notifyResponse;
 
        [public] WERROR witness_AsyncNotify(
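Review bot: The changed `messages` member of witness_notifyResponse needs an IDL comment recording why it is declared as `*messages` with `size_is(num)` instead of `messages[num]`. Without it, nothing in the file says that the pointer form exists so the generated print function checks r->messages before indexing, and a later tidy-up could switch it back to the inline array. The new member also carries no explicit pointer attribute, so its pointer type comes from the interface default, which this hunk does not show; please confirm that the regenerated print function for witness_notifyResponse actually guards on r->messages when num is non-zero. A regression input for ndrdump taken from the fuzzer case mentioned in the commit message would keep this from regressing.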