From 463681d47fcc05fece8e0c8fcfb1b76d7de8e31f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Tue, 21 Sep 2010 05:41:37 +0200 Subject: [PATCH 01/10] pidl:NDR/Parser: fix range() for arrays metze (cherry picked from commit bea4948acb4bbee2fbf886adeb53edbc84de96da) --- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 33 +++++++++++++++++++++++++++++- 1 files changed, 32 insertions(+), 1 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index da536be..bd8d676 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -865,7 +865,10 @@ sub ParseDataPull($$$$$$$) $self->pidl("NDR_CHECK(".TypeFunctionName("ndr_pull", $l->{DATA_TYPE})."($ndr, $ndr_flags, $var_name));"); - if (my $range = has_property($e, "range")) { + my $pl = GetPrevLevel($e, $l); + + my $range = has_property($e, "range"); + if ($range and $pl->{TYPE} ne "ARRAY") { $var_name = get_value_of($var_name); my $signed = Parse::Pidl::Typelist::is_signed($l->{DATA_TYPE}); my ($low, $high) = split(/,/, $range, 2); @@ -1010,6 +1013,20 @@ sub ParseElementPullLevel } elsif ($l->{TYPE} eq "ARRAY") { my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); + if (my $range = has_property($e, "range")) { + my ($low, $high) = split(/,/, $range, 2); + if ($low < 0) { + warning(0, "$low is invalid for the range of an array size"); + } + if ($low == 0) { + $self->pidl("if ($length > $high) {"); + } else { + $self->pidl("if ($length < $low || $length > $high) {"); + } + $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); + $self->pidl("}"); + } + my $nl = GetNextLevel($e, $l); if (is_charset_array($e,$l)) { @@ -1073,6 +1090,20 @@ sub ParseElementPullLevel $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; } + if (my $range = has_property($e, "range")) { + my ($low, $high) = split(/,/, $range, 2); + if ($low < 0) { + warning(0, "$low is invalid for the range of an array size"); + } + if ($low == 0) { + $self->pidl("if ($length > $high) {"); + } else { + $self->pidl("if ($length < $low || $length > $high) {"); + } + $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); + $self->pidl("}"); + } + $var_name = get_array_element($var_name, $counter); $self->ParseMemCtxPullStart($e, $l, $ndr, $array_name); -- 1.7.4.1 From 10768bf2174f3168120e823cf32f19af96ccf92a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Thu, 15 Mar 2012 13:09:51 +0100 Subject: [PATCH 02/10] pidl/NDR/Parser: declare all union helper variables in ParseUnionPull() metze --- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index bd8d676..a4957bb 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1845,8 +1845,6 @@ sub ParseUnionPullPrimitives($$$$$) if ($el->{TYPE} ne "EMPTY") { $self->indent; - $self->DeclarePtrVariables($el); - $self->DeclareArrayVariables($el); if (defined($e->{PROPERTIES}{relative_base})) { $self->pidl("NDR_CHECK(ndr_pull_align($ndr, $el->{ALIGN}));"); # set the current offset as base for relative pointers @@ -1923,6 +1921,8 @@ sub ParseUnionPull($$$$) next if ($el->{TYPE} eq "EMPTY"); next if ($double_cases{"$el->{NAME}"}); $self->DeclareMemCtxVariables($el); + $self->DeclarePtrVariables($el); + $self->DeclareArrayVariables($el); $double_cases{"$el->{NAME}"} = 1; } -- 1.7.4.1 From 374353e9987c901759461d4ace6c6324a7b97a3e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Thu, 15 Mar 2012 13:12:04 +0100 Subject: [PATCH 03/10] pidl/NDR/Parser: simplify logic in DeclareArrayVariables*() metze --- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 14 ++++++-------- 1 files changed, 6 insertions(+), 8 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index a4957bb..d1982f8 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1514,11 +1514,10 @@ sub DeclareArrayVariables($$) my ($self,$e) = @_; foreach my $l (@{$e->{LEVELS}}) { + next if ($l->{TYPE} ne "ARRAY"); next if has_fast_array($e,$l); next if is_charset_array($e,$l); - if ($l->{TYPE} eq "ARRAY") { - $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); - } + $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); } } @@ -1527,15 +1526,14 @@ sub DeclareArrayVariablesNoZero($$$) my ($self,$e,$env) = @_; foreach my $l (@{$e->{LEVELS}}) { + next if ($l->{TYPE} ne "ARRAY"); next if has_fast_array($e,$l); next if is_charset_array($e,$l); - if ($l->{TYPE} eq "ARRAY") { - my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); - if ($length eq "0") { + my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); + if ($length eq "0") { warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length"); - } else { + } else { $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); - } } } } -- 1.7.4.1 From f3ccdb86bf8278c370a32395f5e499553dadd9f1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Thu, 15 Mar 2012 13:05:39 +0100 Subject: [PATCH 04/10] pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength() metze --- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 55 +++++++++++++++++++++++------- 1 files changed, 42 insertions(+), 13 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index d1982f8..285a056 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -315,39 +315,68 @@ sub check_null_pointer($$$$) } } -##################################################################### -# parse an array - pull side -sub ParseArrayPullHeader($$$$$$) +sub ParseArrayPullGetSize($$$$$$) { my ($self,$e,$l,$ndr,$var_name,$env) = @_; - my $length; my $size; if ($l->{IS_CONFORMANT}) { - $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; + $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays - $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; + $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; } else { - $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, + $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, check_null_pointer($e, $env, sub { $self->pidl(shift); }, "return ndr_pull_error($ndr, NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"), check_fully_dereferenced($e, $env)); } + my $array_size = $size; + + return $array_size; +} + +##################################################################### +# parse an array - pull side +sub ParseArrayPullGetLength($$$$$$;$) +{ + my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_; + + if (not defined($array_size)) { + $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); + } + + my $array_length = $array_size; + if ($l->{IS_VARYING}) { + my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; + $array_length = $length; + } + + return $array_length; +} + +##################################################################### +# parse an array - pull side +sub ParseArrayPullHeader($$$$$$) +{ + my ($self,$e,$l,$ndr,$var_name,$env) = @_; + if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) { $self->pidl("NDR_CHECK(ndr_pull_array_size($ndr, " . get_pointer_to($var_name) . "));"); } if ($l->{IS_VARYING}) { $self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . get_pointer_to($var_name) . "));"); - $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; } - if ($length ne $size) { - $self->pidl("if ($length > $size) {"); + my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); + my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env, $array_size); + + if ($array_length ne $array_size) { + $self->pidl("if ($array_length > $array_size) {"); $self->indent; - $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $size, $length);"); + $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $array_size, $array_length);"); $self->deindent; $self->pidl("}"); } @@ -377,10 +406,10 @@ sub ParseArrayPullHeader($$$$$$) } if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) { - $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size); + $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size); } - return $length; + return $array_length; } sub compression_alg($$) -- 1.7.4.1 From 3afef1549118254289821131cecd0a2b46b46332 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Thu, 15 Mar 2012 13:07:47 +0100 Subject: [PATCH 05/10] pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182) An anonymous researcher and Brian Gorenc (HP DVLabs) working with HP's Zero Day Initiative program have found this and notified us. metze --- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 +----- 1 files changed, 1 insertions(+), 5 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index 285a056..e398cae 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1111,14 +1111,10 @@ sub ParseElementPullLevel } } elsif ($l->{TYPE} eq "ARRAY" and not has_fast_array($e,$l) and not is_charset_array($e, $l)) { - my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); + my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; my $array_name = $var_name; - if ($l->{IS_VARYING}) { - $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; - } - if (my $range = has_property($e, "range")) { my ($low, $high) = split(/,/, $range, 2); if ($low < 0) { -- 1.7.4.1 From d1847c51531f1283fddcf8fe64cccf4cd23518a0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Thu, 15 Mar 2012 15:07:08 +0100 Subject: [PATCH 06/10] pidl/NDR/Parser: remember if we already know the array length metze --- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index e398cae..ff1f0c1 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1028,6 +1028,7 @@ sub ParseElementPullLevel my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_; my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred); + my $array_length = undef; if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or $l->{IS_CONFORMANT})) { $var_name = get_pointer_to($var_name); @@ -1041,6 +1042,7 @@ sub ParseElementPullLevel $self->ParseSubcontextPullEnd($e, $l, $ndr, $env); } elsif ($l->{TYPE} eq "ARRAY") { my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); + $array_length = $length; if (my $range = has_property($e, "range")) { my ($low, $high) = split(/,/, $range, 2); @@ -1111,10 +1113,14 @@ sub ParseElementPullLevel } } elsif ($l->{TYPE} eq "ARRAY" and not has_fast_array($e,$l) and not is_charset_array($e, $l)) { - my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); + my $length = $array_length; my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; my $array_name = $var_name; + if (not defined($length)) { + $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); + } + if (my $range = has_property($e, "range")) { my ($low, $high) = split(/,/, $range, 2); if ($low < 0) { -- 1.7.4.1 From 0daa94c88e0098831467283725b943f9d8e2cb34 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Thu, 15 Mar 2012 13:13:20 +0100 Subject: [PATCH 07/10] pidl/NDR/Parser: use helper variables for array size and length metze --- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 22 +++++++++++++++------- 1 files changed, 15 insertions(+), 7 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index ff1f0c1..a98ec6e 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -332,7 +332,8 @@ sub ParseArrayPullGetSize($$$$$$) check_fully_dereferenced($e, $env)); } - my $array_size = $size; + $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); + my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; return $array_size; } @@ -350,7 +351,8 @@ sub ParseArrayPullGetLength($$$$$$;$) my $array_length = $array_size; if ($l->{IS_VARYING}) { my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; - $array_length = $length; + $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); + $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; } return $array_length; @@ -1540,12 +1542,18 @@ sub DeclarePtrVariables($$) } } -sub DeclareArrayVariables($$) +sub DeclareArrayVariables($$;$) { - my ($self,$e) = @_; + my ($self,$e,$pull) = @_; foreach my $l (@{$e->{LEVELS}}) { next if ($l->{TYPE} ne "ARRAY"); + if (defined($pull)) { + $self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); + if ($l->{IS_VARYING}) { + $self->pidl("uint32_t length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); + } + } next if has_fast_array($e,$l); next if is_charset_array($e,$l); $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); @@ -1630,7 +1638,7 @@ sub ParseStructPull($$$$) # declare any internal pointers we need foreach my $e (@{$struct->{ELEMENTS}}) { $self->DeclarePtrVariables($e); - $self->DeclareArrayVariables($e); + $self->DeclareArrayVariables($e, "pull"); $self->DeclareMemCtxVariables($e); } @@ -1951,7 +1959,7 @@ sub ParseUnionPull($$$$) next if ($double_cases{"$el->{NAME}"}); $self->DeclareMemCtxVariables($el); $self->DeclarePtrVariables($el); - $self->DeclareArrayVariables($el); + $self->DeclareArrayVariables($el, "pull"); $double_cases{"$el->{NAME}"} = 1; } @@ -2223,7 +2231,7 @@ sub ParseFunctionPull($$) # declare any internal pointers we need foreach my $e (@{$fn->{ELEMENTS}}) { $self->DeclarePtrVariables($e); - $self->DeclareArrayVariables($e); + $self->DeclareArrayVariables($e, "pull"); } my %double_cases = (); -- 1.7.4.1 From dbf4a376011fff07e67fe097255043d406dc2723 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Thu, 15 Mar 2012 13:14:48 +0100 Subject: [PATCH 08/10] pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength() metze --- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 42 ++++++++++-------------------- 1 files changed, 14 insertions(+), 28 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index a98ec6e..48a94ef 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -355,6 +355,20 @@ sub ParseArrayPullGetLength($$$$$$;$) $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; } + if (my $range = has_property($e, "range")) { + my ($low, $high) = split(/,/, $range, 2); + if ($low < 0) { + warning(0, "$low is invalid for the range of an array size"); + } + if ($low == 0) { + $self->pidl("if ($array_length > $high) {"); + } else { + $self->pidl("if ($array_length < $low || $array_length > $high) {"); + } + $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); + $self->pidl("}"); + } + return $array_length; } @@ -1046,20 +1060,6 @@ sub ParseElementPullLevel my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); $array_length = $length; - if (my $range = has_property($e, "range")) { - my ($low, $high) = split(/,/, $range, 2); - if ($low < 0) { - warning(0, "$low is invalid for the range of an array size"); - } - if ($low == 0) { - $self->pidl("if ($length > $high) {"); - } else { - $self->pidl("if ($length < $low || $length > $high) {"); - } - $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); - $self->pidl("}"); - } - my $nl = GetNextLevel($e, $l); if (is_charset_array($e,$l)) { @@ -1123,20 +1123,6 @@ sub ParseElementPullLevel $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); } - if (my $range = has_property($e, "range")) { - my ($low, $high) = split(/,/, $range, 2); - if ($low < 0) { - warning(0, "$low is invalid for the range of an array size"); - } - if ($low == 0) { - $self->pidl("if ($length > $high) {"); - } else { - $self->pidl("if ($length < $low || $length > $high) {"); - } - $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); - $self->pidl("}"); - } - $var_name = get_array_element($var_name, $counter); $self->ParseMemCtxPullStart($e, $l, $ndr, $array_name); -- 1.7.4.1 From a15404044986635d4b89fccca8e5087492a0ef78 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Thu, 15 Mar 2012 17:03:05 +0100 Subject: [PATCH 09/10] pidl/NDR/Parser: also do range checks on the array size metze --- pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index 48a94ef..1543984 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -335,6 +335,20 @@ sub ParseArrayPullGetSize($$$$$$) $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; + if (my $range = has_property($e, "range")) { + my ($low, $high) = split(/,/, $range, 2); + if ($low < 0) { + warning(0, "$low is invalid for the range of an array size"); + } + if ($low == 0) { + $self->pidl("if ($array_size > $high) {"); + } else { + $self->pidl("if ($array_size < $low || $array_size > $high) {"); + } + $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); + $self->pidl("}"); + } + return $array_size; } @@ -348,13 +362,14 @@ sub ParseArrayPullGetLength($$$$$$;$) $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); } - my $array_length = $array_size; - if ($l->{IS_VARYING}) { - my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; - $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); - $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; + if (not $l->{IS_VARYING}) { + return $array_size; } + my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; + $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); + my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; + if (my $range = has_property($e, "range")) { my ($low, $high) = split(/,/, $range, 2); if ($low < 0) { -- 1.7.4.1