pidl: Assert that python arrays will not overflow the C array
authorAndrew Bartlett <abartlet@samba.org>
Thu, 30 Jul 2015 02:28:48 +0000 (14:28 +1200)
committerStefan Metzmacher <metze@samba.org>
Mon, 24 Aug 2015 21:46:22 +0000 (23:46 +0200)
We do not write network services in Python, so this is not a security issue, but would cause
a crash or other odd behaviour if the length was changed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11430

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
pidl/lib/Parse/Pidl/Samba4/Python.pm

index a84c6f6..ad9ff88 100644 (file)
@@ -1223,6 +1223,13 @@ sub ConvertObjectFromPythonLevel($$$$$$$$)
                                $self->pidl("$var_name = talloc_array_ptrtype($mem_ctx, $var_name, PyList_GET_SIZE($py_var));");
                                $self->pidl("if (!$var_name) { $fail; }");
                                $self->pidl("talloc_set_name_const($var_name, \"ARRAY: $var_name\");");
+                       } else {
+                               $self->pidl("if (ARRAY_SIZE($var_name) != PyList_GET_SIZE($py_var)) {");
+                               $self->indent;
+                               $self->pidl("PyErr_Format(PyExc_TypeError, \"Expected list of type %s, length %zu, got %zd\", Py_TYPE($py_var)->tp_name, ARRAY_SIZE($var_name),  PyList_GET_SIZE($py_var));");
+                               $self->pidl("$fail");
+                               $self->deindent;
+                               $self->pidl("}");
                        }
                        $self->pidl("for ($counter = 0; $counter < PyList_GET_SIZE($py_var); $counter++) {");
                        $self->indent;