diff -Nru samba-3.6.3/debian/changelog samba-3.6.3/debian/changelog --- samba-3.6.3/debian/changelog 2012-03-18 23:57:39.000000000 -0500 +++ samba-3.6.3/debian/changelog 2012-04-12 12:22:08.000000000 -0500 @@ -1,3 +1,16 @@ +samba (2:3.6.3-2ubuntu2) precise; urgency=low + + * SECURITY UPDATE: Unauthenticated remote code execution via + RPC calls (LP: #978458) + - debian/patches/CVE-2012-1182-1.patch: Fix PIDL compiler to generate code + that uses the same value for array allocation and array length checks. + Based on upstream patch. + - debian/patches/CVE-2012-1182-2.patch: Regenerate PIDL generated files with + the patched PIDL compiler + - CVE-2012-1182 + + -- Tyler Hicks Thu, 12 Apr 2012 05:28:44 -0500 + samba (2:3.6.3-2ubuntu1) precise; urgency=low * Merge from Debian testing. (LP: #958534) diff -Nru samba-3.6.3/debian/patches/CVE-2012-1182-1.patch samba-3.6.3/debian/patches/CVE-2012-1182-1.patch --- samba-3.6.3/debian/patches/CVE-2012-1182-1.patch 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.6.3/debian/patches/CVE-2012-1182-1.patch 2012-04-12 12:09:53.000000000 -0500 @@ -0,0 +1,282 @@ +Description: Fix PIDL compiler to do proper array allocation and length checks +Bug: https://bugzilla.samba.org/show_bug.cgi?id=8815 +Origin: upstream, http://gitweb.samba.org/?p=samba.git;a=commit;h=94622cea2b2f4914b4ced35e952680c20cc4985b +Origin: upstream, http://gitweb.samba.org/?p=samba.git;a=commit;h=d15b71523d228f78f317f44181900dbf10b52e33 +Origin: upstream, http://gitweb.samba.org/?p=samba.git;a=commit;h=dc9c68c8992db8225c93043757c4d33b8814c428 +Origin: upstream, http://gitweb.samba.org/?p=samba.git;a=commit;h=8e99484dec90690ec1e00c17580150278963e063 +Origin: upstream, http://gitweb.samba.org/?p=samba.git;a=commit;h=25f68811af3399c6148fa5d31d932465e27a2125 +Origin: upstream, http://gitweb.samba.org/?p=samba.git;a=commit;h=e94415cf237d1e434daa5da70e6df0b4b6926bae +Origin: upstream, http://gitweb.samba.org/?p=samba.git;a=commit;h=3e0e6f56a671b40b21c37838ff292fe8902889bb +Origin: upstream, http://gitweb.samba.org/?p=samba.git;a=commit;h=0b9d59d256a74594e89467e5ebe4e62c25c9572e + +Index: samba-3.6.3/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +=================================================================== +--- samba-3.6.3.orig/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm 2012-01-29 13:40:43.000000000 -0600 ++++ samba-3.6.3/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm 2012-04-12 02:42:54.862479019 -0500 +@@ -315,39 +315,99 @@ + } + } + +-##################################################################### +-# parse an array - pull side +-sub ParseArrayPullHeader($$$$$$) ++sub ParseArrayPullGetSize($$$$$$) + { + my ($self,$e,$l,$ndr,$var_name,$env) = @_; + +- my $length; + my $size; + + if ($l->{IS_CONFORMANT}) { +- $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; ++ $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")"; + } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays +- $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; ++ $size = "ndr_get_string_size($ndr, sizeof(*$var_name))"; + } else { +- $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, ++ $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL}, + check_null_pointer($e, $env, sub { $self->pidl(shift); }, + "return ndr_pull_error($ndr, NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"), + check_fully_dereferenced($e, $env)); + } + ++ $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;"); ++ my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}"; ++ ++ if (my $range = has_property($e, "range")) { ++ my ($low, $high) = split(/,/, $range, 2); ++ if ($low < 0) { ++ warning(0, "$low is invalid for the range of an array size"); ++ } ++ if ($low == 0) { ++ $self->pidl("if ($array_size > $high) {"); ++ } else { ++ $self->pidl("if ($array_size < $low || $array_size > $high) {"); ++ } ++ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); ++ $self->pidl("}"); ++ } ++ ++ return $array_size; ++} ++ ++##################################################################### ++# parse an array - pull side ++sub ParseArrayPullGetLength($$$$$$;$) ++{ ++ my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_; ++ ++ if (not defined($array_size)) { ++ $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); ++ } ++ ++ if (not $l->{IS_VARYING}) { ++ return $array_size; ++ } ++ ++ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; ++ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;"); ++ my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}"; ++ ++ if (my $range = has_property($e, "range")) { ++ my ($low, $high) = split(/,/, $range, 2); ++ if ($low < 0) { ++ warning(0, "$low is invalid for the range of an array size"); ++ } ++ if ($low == 0) { ++ $self->pidl("if ($array_length > $high) {"); ++ } else { ++ $self->pidl("if ($array_length < $low || $array_length > $high) {"); ++ } ++ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); ++ $self->pidl("}"); ++ } ++ ++ return $array_length; ++} ++ ++##################################################################### ++# parse an array - pull side ++sub ParseArrayPullHeader($$$$$$) ++{ ++ my ($self,$e,$l,$ndr,$var_name,$env) = @_; ++ + if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) { + $self->pidl("NDR_CHECK(ndr_pull_array_size($ndr, " . get_pointer_to($var_name) . "));"); + } + + if ($l->{IS_VARYING}) { + $self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . get_pointer_to($var_name) . "));"); +- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; + } + +- if ($length ne $size) { +- $self->pidl("if ($length > $size) {"); ++ my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env); ++ my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env, $array_size); ++ ++ if ($array_length ne $array_size) { ++ $self->pidl("if ($array_length > $array_size) {"); + $self->indent; +- $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $size, $length);"); ++ $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $array_size, $array_length);"); + $self->deindent; + $self->pidl("}"); + } +@@ -377,10 +437,10 @@ + } + + if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) { +- $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size); ++ $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size); + } + +- return $length; ++ return $array_length; + } + + sub compression_alg($$) +@@ -999,6 +1059,7 @@ + my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_; + + my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred); ++ my $array_length = undef; + + if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or $l->{IS_CONFORMANT})) { + $var_name = get_pointer_to($var_name); +@@ -1012,20 +1073,7 @@ + $self->ParseSubcontextPullEnd($e, $l, $ndr, $env); + } elsif ($l->{TYPE} eq "ARRAY") { + my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env); +- +- if (my $range = has_property($e, "range")) { +- my ($low, $high) = split(/,/, $range, 2); +- if ($low < 0) { +- warning(0, "$low is invalid for the range of an array size"); +- } +- if ($low == 0) { +- $self->pidl("if ($length > $high) {"); +- } else { +- $self->pidl("if ($length < $low || $length > $high) {"); +- } +- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); +- $self->pidl("}"); +- } ++ $array_length = $length; + + my $nl = GetNextLevel($e, $l); + +@@ -1091,26 +1139,12 @@ + } + } elsif ($l->{TYPE} eq "ARRAY" and + not has_fast_array($e,$l) and not is_charset_array($e, $l)) { +- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); ++ my $length = $array_length; + my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}"; + my $array_name = $var_name; + +- if ($l->{IS_VARYING}) { +- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")"; +- } +- +- if (my $range = has_property($e, "range")) { +- my ($low, $high) = split(/,/, $range, 2); +- if ($low < 0) { +- warning(0, "$low is invalid for the range of an array size"); +- } +- if ($low == 0) { +- $self->pidl("if ($length > $high) {"); +- } else { +- $self->pidl("if ($length < $low || $length > $high) {"); +- } +- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");"); +- $self->pidl("}"); ++ if (not defined($length)) { ++ $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env); + } + + $var_name = get_array_element($var_name, $counter); +@@ -1527,16 +1561,21 @@ + } + } + +-sub DeclareArrayVariables($$) ++sub DeclareArrayVariables($$;$) + { +- my ($self,$e) = @_; ++ my ($self,$e,$pull) = @_; + + foreach my $l (@{$e->{LEVELS}}) { ++ next if ($l->{TYPE} ne "ARRAY"); ++ if (defined($pull)) { ++ $self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); ++ if ($l->{IS_VARYING}) { ++ $self->pidl("uint32_t length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;"); ++ } ++ } + next if has_fast_array($e,$l); + next if is_charset_array($e,$l); +- if ($l->{TYPE} eq "ARRAY") { +- $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); +- } ++ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); + } + } + +@@ -1545,15 +1584,14 @@ + my ($self,$e,$env) = @_; + + foreach my $l (@{$e->{LEVELS}}) { ++ next if ($l->{TYPE} ne "ARRAY"); + next if has_fast_array($e,$l); + next if is_charset_array($e,$l); +- if ($l->{TYPE} eq "ARRAY") { +- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); +- if ($length eq "0") { ++ my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL}); ++ if ($length eq "0") { + warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length"); +- } else { ++ } else { + $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};"); +- } + } + } + } +@@ -1619,7 +1657,7 @@ + # declare any internal pointers we need + foreach my $e (@{$struct->{ELEMENTS}}) { + $self->DeclarePtrVariables($e); +- $self->DeclareArrayVariables($e); ++ $self->DeclareArrayVariables($e, "pull"); + $self->DeclareMemCtxVariables($e); + } + +@@ -1882,8 +1920,6 @@ + + if ($el->{TYPE} ne "EMPTY") { + $self->indent; +- $self->DeclarePtrVariables($el); +- $self->DeclareArrayVariables($el); + if (defined($e->{PROPERTIES}{relative_base})) { + $self->pidl("NDR_CHECK(ndr_pull_align($ndr, $el->{ALIGN}));"); + # set the current offset as base for relative pointers +@@ -1960,6 +1996,8 @@ + next if ($el->{TYPE} eq "EMPTY"); + next if ($double_cases{"$el->{NAME}"}); + $self->DeclareMemCtxVariables($el); ++ $self->DeclarePtrVariables($el); ++ $self->DeclareArrayVariables($el, "pull"); + $double_cases{"$el->{NAME}"} = 1; + } + +@@ -2325,7 +2363,7 @@ + # declare any internal pointers we need + foreach my $e (@{$fn->{ELEMENTS}}) { + $self->DeclarePtrVariables($e); +- $self->DeclareArrayVariables($e); ++ $self->DeclareArrayVariables($e, "pull"); + } + + my %double_cases = (); diff -Nru samba-3.6.3/debian/patches/CVE-2012-1182-2.patch samba-3.6.3/debian/patches/CVE-2012-1182-2.patch --- samba-3.6.3/debian/patches/CVE-2012-1182-2.patch 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.6.3/debian/patches/CVE-2012-1182-2.patch 2012-04-12 12:21:55.000000000 -0500 @@ -0,0 +1,34020 @@ +Description: Result of running 'make samba3-idl' after fixing the PIDL compiler +Origin: other, http://gitweb.samba.org/?p=samba.git;a=commit;h=566295fa13ff4a848fea517d41bc08aee87966ac +Bug: https://bugzilla.samba.org/show_bug.cgi?id=8815 + +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_atsvc.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_atsvc.c 2012-04-12 12:09:50.567287453 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_atsvc.c 2012-04-12 12:19:20.567300999 -0500 +@@ -134,6 +134,8 @@ + static enum ndr_err_code ndr_pull_atsvc_JobInfo(struct ndr_pull *ndr, int ndr_flags, struct atsvc_JobInfo *r) + { + uint32_t _ptr_command; ++ uint32_t size_command_1 = 0; ++ uint32_t length_command_1 = 0; + TALLOC_CTX *_mem_save_command_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -155,11 +157,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->command, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->command)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->command)); +- if (ndr_get_array_length(ndr, &r->command) > ndr_get_array_size(ndr, &r->command)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->command), ndr_get_array_length(ndr, &r->command)); ++ size_command_1 = ndr_get_array_size(ndr, &r->command); ++ length_command_1 = ndr_get_array_length(ndr, &r->command); ++ if (length_command_1 > size_command_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_command_1, length_command_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->command), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->command, ndr_get_array_length(ndr, &r->command), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_command_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->command, length_command_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_command_0, 0); + } + } +@@ -210,6 +214,8 @@ + static enum ndr_err_code ndr_pull_atsvc_JobEnumInfo(struct ndr_pull *ndr, int ndr_flags, struct atsvc_JobEnumInfo *r) + { + uint32_t _ptr_command; ++ uint32_t size_command_1 = 0; ++ uint32_t length_command_1 = 0; + TALLOC_CTX *_mem_save_command_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -232,11 +238,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->command, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->command)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->command)); +- if (ndr_get_array_length(ndr, &r->command) > ndr_get_array_size(ndr, &r->command)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->command), ndr_get_array_length(ndr, &r->command)); ++ size_command_1 = ndr_get_array_size(ndr, &r->command); ++ length_command_1 = ndr_get_array_length(ndr, &r->command); ++ if (length_command_1 > size_command_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_command_1, length_command_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->command), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->command, ndr_get_array_length(ndr, &r->command), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_command_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->command, length_command_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_command_0, 0); + } + } +@@ -288,6 +296,7 @@ + static enum ndr_err_code ndr_pull_atsvc_enum_ctr(struct ndr_pull *ndr, int ndr_flags, struct atsvc_enum_ctr *r) + { + uint32_t _ptr_first_entry; ++ uint32_t size_first_entry_1 = 0; + uint32_t cntr_first_entry_1; + TALLOC_CTX *_mem_save_first_entry_0; + TALLOC_CTX *_mem_save_first_entry_1; +@@ -307,13 +316,14 @@ + _mem_save_first_entry_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->first_entry, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->first_entry)); +- NDR_PULL_ALLOC_N(ndr, r->first_entry, ndr_get_array_size(ndr, &r->first_entry)); ++ size_first_entry_1 = ndr_get_array_size(ndr, &r->first_entry); ++ NDR_PULL_ALLOC_N(ndr, r->first_entry, size_first_entry_1); + _mem_save_first_entry_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->first_entry, 0); +- for (cntr_first_entry_1 = 0; cntr_first_entry_1 < r->entries_read; cntr_first_entry_1++) { ++ for (cntr_first_entry_1 = 0; cntr_first_entry_1 < size_first_entry_1; cntr_first_entry_1++) { + NDR_CHECK(ndr_pull_atsvc_JobEnumInfo(ndr, NDR_SCALARS, &r->first_entry[cntr_first_entry_1])); + } +- for (cntr_first_entry_1 = 0; cntr_first_entry_1 < r->entries_read; cntr_first_entry_1++) { ++ for (cntr_first_entry_1 = 0; cntr_first_entry_1 < size_first_entry_1; cntr_first_entry_1++) { + NDR_CHECK(ndr_pull_atsvc_JobEnumInfo(ndr, NDR_BUFFERS, &r->first_entry[cntr_first_entry_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_first_entry_1, 0); +@@ -375,6 +385,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_atsvc_JobAdd(struct ndr_pull *ndr, int flags, struct atsvc_JobAdd *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_job_info_0; + TALLOC_CTX *_mem_save_job_id_0; +@@ -392,11 +404,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -480,6 +494,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_atsvc_JobDel(struct ndr_pull *ndr, int flags, struct atsvc_JobDel *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); +@@ -493,11 +509,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.min_job_id)); +@@ -580,6 +598,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_atsvc_JobEnum(struct ndr_pull *ndr, int flags, struct atsvc_JobEnum *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_ctr_0; +@@ -599,11 +619,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -744,6 +766,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_atsvc_JobGetInfo(struct ndr_pull *ndr, int flags, struct atsvc_JobGetInfo *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_job_info; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_job_info_0; +@@ -762,11 +786,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.job_id)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_auth.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_auth.c 2012-04-12 12:09:51.663287479 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_auth.c 2012-04-12 12:19:20.567300999 -0500 +@@ -224,6 +224,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_auth_user_info_torture(struct ndr_pull *ndr, int ndr_flags, struct auth_user_info_torture *r) + { ++ uint32_t size_dc_sids_0 = 0; + uint32_t cntr_dc_sids_0; + TALLOC_CTX *_mem_save_dc_sids_0; + uint32_t _ptr_pac_srv_sig; +@@ -234,10 +235,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_dc_sids)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_sids)); +- NDR_PULL_ALLOC_N(ndr, r->dc_sids, ndr_get_array_size(ndr, &r->dc_sids)); ++ size_dc_sids_0 = ndr_get_array_size(ndr, &r->dc_sids); ++ NDR_PULL_ALLOC_N(ndr, r->dc_sids, size_dc_sids_0); + _mem_save_dc_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->dc_sids, 0); +- for (cntr_dc_sids_0 = 0; cntr_dc_sids_0 < r->num_dc_sids; cntr_dc_sids_0++) { ++ for (cntr_dc_sids_0 = 0; cntr_dc_sids_0 < size_dc_sids_0; cntr_dc_sids_0++) { + NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->dc_sids[cntr_dc_sids_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_sids_0, 0); +@@ -384,6 +386,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_auth_user_info_dc(struct ndr_pull *ndr, int ndr_flags, struct auth_user_info_dc *r) + { ++ uint32_t size_sids_0 = 0; + uint32_t cntr_sids_0; + TALLOC_CTX *_mem_save_sids_0; + uint32_t _ptr_info; +@@ -392,10 +395,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_sids)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_0 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_0); + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { ++ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { + NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->sids[cntr_sids_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_backupkey.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_backupkey.c 2012-04-12 12:09:51.707287480 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_backupkey.c 2012-04-12 12:19:20.571301000 -0500 +@@ -278,10 +278,12 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_bkrp_dc_serverwrap_key(struct ndr_pull *ndr, int ndr_flags, struct bkrp_dc_serverwrap_key *r) + { ++ uint32_t size_key_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, 256)); ++ size_key_0 = 256; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, size_key_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -318,16 +320,20 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_bkrp_client_side_wrapped(struct ndr_pull *ndr, int ndr_flags, struct bkrp_client_side_wrapped *r) + { ++ uint32_t size_encrypted_secret_0 = 0; ++ uint32_t size_access_check_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->encrypted_secret_len)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_check_len)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); +- NDR_PULL_ALLOC_N(ndr, r->encrypted_secret, r->encrypted_secret_len); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->encrypted_secret, r->encrypted_secret_len)); +- NDR_PULL_ALLOC_N(ndr, r->access_check, r->access_check_len); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->access_check, r->access_check_len)); ++ size_encrypted_secret_0 = r->encrypted_secret_len; ++ NDR_PULL_ALLOC_N(ndr, r->encrypted_secret, size_encrypted_secret_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->encrypted_secret, size_encrypted_secret_0)); ++ size_access_check_0 = r->access_check_len; ++ NDR_PULL_ALLOC_N(ndr, r->access_check, size_access_check_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->access_check, size_access_check_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -427,13 +433,17 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_bkrp_encrypted_secret_v2(struct ndr_pull *ndr, int ndr_flags, struct bkrp_encrypted_secret_v2 *r) + { ++ uint32_t size_secret_0 = 0; ++ uint32_t size_payload_key_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->secret_len)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic)); +- NDR_PULL_ALLOC_N(ndr, r->secret, r->secret_len); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->secret, r->secret_len)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->payload_key, 32)); ++ size_secret_0 = r->secret_len; ++ NDR_PULL_ALLOC_N(ndr, r->secret, size_secret_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->secret, size_secret_0)); ++ size_payload_key_0 = 32; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->payload_key, size_payload_key_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -472,15 +482,19 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_bkrp_encrypted_secret_v3(struct ndr_pull *ndr, int ndr_flags, struct bkrp_encrypted_secret_v3 *r) + { ++ uint32_t size_secret_0 = 0; ++ uint32_t size_payload_key_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->secret_len)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic2)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic3)); +- NDR_PULL_ALLOC_N(ndr, r->secret, r->secret_len); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->secret, r->secret_len)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->payload_key, 48)); ++ size_secret_0 = r->secret_len; ++ NDR_PULL_ALLOC_N(ndr, r->secret, size_secret_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->secret, size_secret_0)); ++ size_payload_key_0 = 48; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->payload_key, size_payload_key_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -650,7 +664,9 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_bkrp_BackupKey(struct ndr_pull *ndr, int flags, struct bkrp_BackupKey *r) + { ++ uint32_t size_data_in_1 = 0; + uint32_t _ptr_data_out; ++ uint32_t size_data_out_2 = 0; + TALLOC_CTX *_mem_save_guidActionAgent_0; + TALLOC_CTX *_mem_save_data_out_0; + TALLOC_CTX *_mem_save_data_out_1; +@@ -666,10 +682,11 @@ + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, r->in.guidActionAgent)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guidActionAgent_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data_in)); ++ size_data_in_1 = ndr_get_array_size(ndr, &r->in.data_in); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.data_in, ndr_get_array_size(ndr, &r->in.data_in)); ++ NDR_PULL_ALLOC_N(ndr, r->in.data_in, size_data_in_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data_in, ndr_get_array_size(ndr, &r->in.data_in))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data_in, size_data_in_1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.data_in_len)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.param)); + NDR_PULL_ALLOC(ndr, r->out.data_out); +@@ -696,8 +713,9 @@ + _mem_save_data_out_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.data_out, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.data_out)); +- NDR_PULL_ALLOC_N(ndr, *r->out.data_out, ndr_get_array_size(ndr, r->out.data_out)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.data_out, ndr_get_array_size(ndr, r->out.data_out))); ++ size_data_out_2 = ndr_get_array_size(ndr, r->out.data_out); ++ NDR_PULL_ALLOC_N(ndr, *r->out.data_out, size_data_out_2); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.data_out, size_data_out_2)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_out_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_out_0, LIBNDR_FLAG_REF_ALLOC); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_browser.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_browser.c 2012-04-12 12:09:51.743287481 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_browser.c 2012-04-12 12:19:20.571301000 -0500 +@@ -30,6 +30,7 @@ + static enum ndr_err_code ndr_pull_BrowserrSrvInfo100Ctr(struct ndr_pull *ndr, int ndr_flags, struct BrowserrSrvInfo100Ctr *r) + { + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -49,13 +50,14 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->entries_read; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSrvInfo100(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->entries_read; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSrvInfo100(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); +@@ -115,6 +117,7 @@ + static enum ndr_err_code ndr_pull_BrowserrSrvInfo101Ctr(struct ndr_pull *ndr, int ndr_flags, struct BrowserrSrvInfo101Ctr *r) + { + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -134,13 +137,14 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->entries_read; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSrvInfo101(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->entries_read; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSrvInfo101(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); +@@ -223,7 +227,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info100_0; ++ uint32_t _ptr_info100; + TALLOC_CTX *_mem_save_info101_0; ++ uint32_t _ptr_info101; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -234,7 +240,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 100: { +- uint32_t _ptr_info100; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); + if (_ptr_info100) { + NDR_PULL_ALLOC(ndr, r->info100); +@@ -244,7 +249,6 @@ + break; } + + case 101: { +- uint32_t _ptr_info101; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); + if (_ptr_info101) { + NDR_PULL_ALLOC(ndr, r->info101); +@@ -467,6 +471,8 @@ + static enum ndr_err_code ndr_pull_BrowserrQueryOtherDomains(struct ndr_pull *ndr, int flags, struct BrowserrQueryOtherDomains *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; + TALLOC_CTX *_mem_save_total_entries_0; +@@ -484,11 +490,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_dcerpc.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_dcerpc.c 2012-04-12 12:09:51.611287477 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_dcerpc.c 2012-04-12 12:19:20.579300999 -0500 +@@ -24,6 +24,7 @@ + + static enum ndr_err_code ndr_pull_dcerpc_ctx_list(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_ctx_list *r) + { ++ uint32_t size_transfer_syntaxes_0 = 0; + uint32_t cntr_transfer_syntaxes_0; + TALLOC_CTX *_mem_save_transfer_syntaxes_0; + if (ndr_flags & NDR_SCALARS) { +@@ -31,10 +32,11 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->context_id)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_transfer_syntaxes)); + NDR_CHECK(ndr_pull_ndr_syntax_id(ndr, NDR_SCALARS, &r->abstract_syntax)); +- NDR_PULL_ALLOC_N(ndr, r->transfer_syntaxes, r->num_transfer_syntaxes); ++ size_transfer_syntaxes_0 = r->num_transfer_syntaxes; ++ NDR_PULL_ALLOC_N(ndr, r->transfer_syntaxes, size_transfer_syntaxes_0); + _mem_save_transfer_syntaxes_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->transfer_syntaxes, 0); +- for (cntr_transfer_syntaxes_0 = 0; cntr_transfer_syntaxes_0 < r->num_transfer_syntaxes; cntr_transfer_syntaxes_0++) { ++ for (cntr_transfer_syntaxes_0 = 0; cntr_transfer_syntaxes_0 < size_transfer_syntaxes_0; cntr_transfer_syntaxes_0++) { + NDR_CHECK(ndr_pull_ndr_syntax_id(ndr, NDR_SCALARS, &r->transfer_syntaxes[cntr_transfer_syntaxes_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transfer_syntaxes_0, 0); +@@ -90,6 +92,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_bind(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind *r) + { ++ uint32_t size_ctx_list_0 = 0; + uint32_t cntr_ctx_list_0; + TALLOC_CTX *_mem_save_ctx_list_0; + if (ndr_flags & NDR_SCALARS) { +@@ -98,10 +101,11 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->max_recv_frag)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->assoc_group_id)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_contexts)); +- NDR_PULL_ALLOC_N(ndr, r->ctx_list, r->num_contexts); ++ size_ctx_list_0 = r->num_contexts; ++ NDR_PULL_ALLOC_N(ndr, r->ctx_list, size_ctx_list_0); + _mem_save_ctx_list_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ctx_list, 0); +- for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < r->num_contexts; cntr_ctx_list_0++) { ++ for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < size_ctx_list_0; cntr_ctx_list_0++) { + NDR_CHECK(ndr_pull_dcerpc_ctx_list(ndr, NDR_SCALARS, &r->ctx_list[cntr_ctx_list_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ctx_list_0, 0); +@@ -390,6 +394,8 @@ + + static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_ack *r) + { ++ uint32_t size_secondary_address_0 = 0; ++ uint32_t size_ctx_list_0 = 0; + uint32_t cntr_ctx_list_0; + TALLOC_CTX *_mem_save_ctx_list_0; + if (ndr_flags & NDR_SCALARS) { +@@ -398,7 +404,8 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->max_recv_frag)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->assoc_group_id)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->secondary_address_size)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->secondary_address, r->secondary_address_size, sizeof(uint8_t), CH_DOS)); ++ size_secondary_address_0 = r->secondary_address_size; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->secondary_address, size_secondary_address_0, sizeof(uint8_t), CH_DOS)); + { + uint32_t _flags_save_DATA_BLOB = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN4); +@@ -406,10 +413,11 @@ + ndr->flags = _flags_save_DATA_BLOB; + } + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_results)); +- NDR_PULL_ALLOC_N(ndr, r->ctx_list, r->num_results); ++ size_ctx_list_0 = r->num_results; ++ NDR_PULL_ALLOC_N(ndr, r->ctx_list, size_ctx_list_0); + _mem_save_ctx_list_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ctx_list, 0); +- for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < r->num_results; cntr_ctx_list_0++) { ++ for (cntr_ctx_list_0 = 0; cntr_ctx_list_0 < size_ctx_list_0; cntr_ctx_list_0++) { + NDR_CHECK(ndr_pull_dcerpc_ack_ctx(ndr, NDR_SCALARS, &r->ctx_list[cntr_ctx_list_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ctx_list_0, 0); +@@ -467,15 +475,17 @@ + + static enum ndr_err_code ndr_pull_dcerpc_bind_nak_versions(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_nak_versions *r) + { ++ uint32_t size_versions_0 = 0; + uint32_t cntr_versions_0; + TALLOC_CTX *_mem_save_versions_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_versions)); +- NDR_PULL_ALLOC_N(ndr, r->versions, r->num_versions); ++ size_versions_0 = r->num_versions; ++ NDR_PULL_ALLOC_N(ndr, r->versions, size_versions_0); + _mem_save_versions_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->versions, 0); +- for (cntr_versions_0 = 0; cntr_versions_0 < r->num_versions; cntr_versions_0++) { ++ for (cntr_versions_0 = 0; cntr_versions_0 < size_versions_0; cntr_versions_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->versions[cntr_versions_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_versions_0, 0); +@@ -1165,6 +1175,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_fack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_fack *r) + { ++ uint32_t size_selack_0 = 0; + uint32_t cntr_selack_0; + TALLOC_CTX *_mem_save_selack_0; + if (ndr_flags & NDR_SCALARS) { +@@ -1176,10 +1187,11 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_frag_size)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->serial_no)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->selack_size)); +- NDR_PULL_ALLOC_N(ndr, r->selack, r->selack_size); ++ size_selack_0 = r->selack_size; ++ NDR_PULL_ALLOC_N(ndr, r->selack, size_selack_0); + _mem_save_selack_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->selack, 0); +- for (cntr_selack_0 = 0; cntr_selack_0 < r->selack_size; cntr_selack_0++) { ++ for (cntr_selack_0 = 0; cntr_selack_0 < size_selack_0; cntr_selack_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->selack[cntr_selack_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_selack_0, 0); +@@ -1494,12 +1506,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_ClientAddress(struct ndr_pull *ndr, int ndr_flags, struct ClientAddress *r) + { ++ uint32_t size_Padding_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_AddressType(ndr, NDR_SCALARS, &r->AddressType)); + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->ClientAddress, r->AddressType)); + NDR_CHECK(ndr_pull_ClientAddressType(ndr, NDR_SCALARS, &r->ClientAddress)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Padding, 12)); ++ size_Padding_0 = 12; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Padding, size_Padding_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1870,14 +1884,16 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_rts_cmd_Padding(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_rts_cmd_Padding *r) + { ++ uint32_t size_Padding_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ConformanceCount)); + if (r->ConformanceCount > 0xFFFF) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_PULL_ALLOC_N(ndr, r->Padding, r->ConformanceCount); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Padding, r->ConformanceCount)); ++ size_Padding_0 = r->ConformanceCount; ++ NDR_PULL_ALLOC_N(ndr, r->Padding, size_Padding_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Padding, size_Padding_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -2495,16 +2511,18 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_rts(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_rts *r) + { ++ uint32_t size_Commands_0 = 0; + uint32_t cntr_Commands_0; + TALLOC_CTX *_mem_save_Commands_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_dcerpc_rts_flags(ndr, NDR_SCALARS, &r->Flags)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->NumberOfCommands)); +- NDR_PULL_ALLOC_N(ndr, r->Commands, r->NumberOfCommands); ++ size_Commands_0 = r->NumberOfCommands; ++ NDR_PULL_ALLOC_N(ndr, r->Commands, size_Commands_0); + _mem_save_Commands_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->Commands, 0); +- for (cntr_Commands_0 = 0; cntr_Commands_0 < r->NumberOfCommands; cntr_Commands_0++) { ++ for (cntr_Commands_0 = 0; cntr_Commands_0 < size_Commands_0; cntr_Commands_0++) { + NDR_CHECK(ndr_pull_dcerpc_rts_cmd(ndr, NDR_SCALARS, &r->Commands[cntr_Commands_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Commands_0, 0); +@@ -3031,13 +3049,15 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_ncacn_packet(struct ndr_pull *ndr, int ndr_flags, struct ncacn_packet *r) + { ++ uint32_t size_drep_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers_minor)); + NDR_CHECK(ndr_pull_dcerpc_pkt_type(ndr, NDR_SCALARS, &r->ptype)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pfc_flags)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, 4)); ++ size_drep_0 = 4; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, size_drep_0)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->frag_length)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->auth_length)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->call_id)); +@@ -3104,13 +3124,15 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_ncadg_packet(struct ndr_pull *ndr, int ndr_flags, struct ncadg_packet *r) + { ++ uint32_t size_drep_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->rpc_vers)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->ptype)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->pfc_flags)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->ncadg_flags)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, 3)); ++ size_drep_0 = 3; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->drep, size_drep_0)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->serial_high)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->object)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->iface)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_dcom.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_dcom.c 2012-04-12 12:09:51.947287485 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_dcom.c 2012-04-12 12:19:20.579300999 -0500 +@@ -1037,8 +1037,10 @@ + { + uint32_t _ptr_ripid; + uint32_t _ptr_iids; ++ uint32_t size_iids_1 = 0; + uint32_t cntr_iids_1; + uint32_t _ptr_ip; ++ uint32_t size_ip_1 = 0; + uint32_t cntr_ip_1; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_ripid_0; +@@ -1074,10 +1076,11 @@ + _mem_save_iids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.iids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.iids)); +- NDR_PULL_ALLOC_N(ndr, r->in.iids, ndr_get_array_size(ndr, &r->in.iids)); ++ size_iids_1 = ndr_get_array_size(ndr, &r->in.iids); ++ NDR_PULL_ALLOC_N(ndr, r->in.iids, size_iids_1); + _mem_save_iids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.iids, 0); +- for (cntr_iids_1 = 0; cntr_iids_1 < r->in.cIids; cntr_iids_1++) { ++ for (cntr_iids_1 = 0; cntr_iids_1 < size_iids_1; cntr_iids_1++) { + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->in.iids[cntr_iids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_iids_1, 0); +@@ -1107,13 +1110,14 @@ + _mem_save_ip_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.ip, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.ip)); +- NDR_PULL_ALLOC_N(ndr, r->out.ip, ndr_get_array_size(ndr, &r->out.ip)); ++ size_ip_1 = ndr_get_array_size(ndr, &r->out.ip); ++ NDR_PULL_ALLOC_N(ndr, r->out.ip, size_ip_1); + _mem_save_ip_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.ip, 0); +- for (cntr_ip_1 = 0; cntr_ip_1 < r->in.cIids; cntr_ip_1++) { ++ for (cntr_ip_1 = 0; cntr_ip_1 < size_ip_1; cntr_ip_1++) { + NDR_CHECK(ndr_pull_MInterfacePointer(ndr, NDR_SCALARS, &r->out.ip[cntr_ip_1])); + } +- for (cntr_ip_1 = 0; cntr_ip_1 < r->in.cIids; cntr_ip_1++) { ++ for (cntr_ip_1 = 0; cntr_ip_1 < size_ip_1; cntr_ip_1++) { + NDR_CHECK(ndr_pull_MInterfacePointer(ndr, NDR_BUFFERS, &r->out.ip[cntr_ip_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ip_1, 0); +@@ -1217,8 +1221,10 @@ + + static enum ndr_err_code ndr_pull_RemAddRef(struct ndr_pull *ndr, int flags, struct RemAddRef *r) + { ++ uint32_t size_InterfaceRefs_0 = 0; + uint32_t cntr_InterfaceRefs_0; + uint32_t _ptr_pResults; ++ uint32_t size_pResults_1 = 0; + uint32_t cntr_pResults_1; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_InterfaceRefs_0; +@@ -1230,10 +1236,11 @@ + NDR_CHECK(ndr_pull_ORPCTHIS(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.ORPCthis)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.cInterfaceRefs)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.InterfaceRefs)); +- NDR_PULL_ALLOC_N(ndr, r->in.InterfaceRefs, ndr_get_array_size(ndr, &r->in.InterfaceRefs)); ++ size_InterfaceRefs_0 = ndr_get_array_size(ndr, &r->in.InterfaceRefs); ++ NDR_PULL_ALLOC_N(ndr, r->in.InterfaceRefs, size_InterfaceRefs_0); + _mem_save_InterfaceRefs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.InterfaceRefs, 0); +- for (cntr_InterfaceRefs_0 = 0; cntr_InterfaceRefs_0 < r->in.cInterfaceRefs; cntr_InterfaceRefs_0++) { ++ for (cntr_InterfaceRefs_0 = 0; cntr_InterfaceRefs_0 < size_InterfaceRefs_0; cntr_InterfaceRefs_0++) { + NDR_CHECK(ndr_pull_REMINTERFACEREF(ndr, NDR_SCALARS, &r->in.InterfaceRefs[cntr_InterfaceRefs_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_InterfaceRefs_0, 0); +@@ -1261,10 +1268,11 @@ + _mem_save_pResults_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.pResults, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.pResults)); +- NDR_PULL_ALLOC_N(ndr, r->out.pResults, ndr_get_array_size(ndr, &r->out.pResults)); ++ size_pResults_1 = ndr_get_array_size(ndr, &r->out.pResults); ++ NDR_PULL_ALLOC_N(ndr, r->out.pResults, size_pResults_1); + _mem_save_pResults_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.pResults, 0); +- for (cntr_pResults_1 = 0; cntr_pResults_1 < r->in.cInterfaceRefs; cntr_pResults_1++) { ++ for (cntr_pResults_1 = 0; cntr_pResults_1 < size_pResults_1; cntr_pResults_1++) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.pResults[cntr_pResults_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pResults_1, 0); +@@ -1348,6 +1356,7 @@ + + static enum ndr_err_code ndr_pull_RemRelease(struct ndr_pull *ndr, int flags, struct RemRelease *r) + { ++ uint32_t size_InterfaceRefs_0 = 0; + uint32_t cntr_InterfaceRefs_0; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_InterfaceRefs_0; +@@ -1357,10 +1366,11 @@ + NDR_CHECK(ndr_pull_ORPCTHIS(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.ORPCthis)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.cInterfaceRefs)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.InterfaceRefs)); +- NDR_PULL_ALLOC_N(ndr, r->in.InterfaceRefs, ndr_get_array_size(ndr, &r->in.InterfaceRefs)); ++ size_InterfaceRefs_0 = ndr_get_array_size(ndr, &r->in.InterfaceRefs); ++ NDR_PULL_ALLOC_N(ndr, r->in.InterfaceRefs, size_InterfaceRefs_0); + _mem_save_InterfaceRefs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.InterfaceRefs, 0); +- for (cntr_InterfaceRefs_0 = 0; cntr_InterfaceRefs_0 < r->in.cInterfaceRefs; cntr_InterfaceRefs_0++) { ++ for (cntr_InterfaceRefs_0 = 0; cntr_InterfaceRefs_0 < size_InterfaceRefs_0; cntr_InterfaceRefs_0++) { + NDR_CHECK(ndr_pull_REMINTERFACEREF(ndr, NDR_SCALARS, &r->in.InterfaceRefs[cntr_InterfaceRefs_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_InterfaceRefs_0, 0); +@@ -2112,10 +2122,13 @@ + { + uint32_t _ptr_ripid; + uint32_t _ptr_iids; ++ uint32_t size_iids_1 = 0; + uint32_t cntr_iids_1; + uint32_t _ptr_phr; ++ uint32_t size_phr_1 = 0; + uint32_t cntr_phr_1; + uint32_t _ptr_ppMIF; ++ uint32_t size_ppMIF_1 = 0; + uint32_t cntr_ppMIF_1; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_ripid_0; +@@ -2152,10 +2165,11 @@ + _mem_save_iids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.iids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.iids)); +- NDR_PULL_ALLOC_N(ndr, r->in.iids, ndr_get_array_size(ndr, &r->in.iids)); ++ size_iids_1 = ndr_get_array_size(ndr, &r->in.iids); ++ NDR_PULL_ALLOC_N(ndr, r->in.iids, size_iids_1); + _mem_save_iids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.iids, 0); +- for (cntr_iids_1 = 0; cntr_iids_1 < r->in.cIids; cntr_iids_1++) { ++ for (cntr_iids_1 = 0; cntr_iids_1 < size_iids_1; cntr_iids_1++) { + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->in.iids[cntr_iids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_iids_1, 0); +@@ -2185,10 +2199,11 @@ + _mem_save_phr_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.phr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.phr)); +- NDR_PULL_ALLOC_N(ndr, r->out.phr, ndr_get_array_size(ndr, &r->out.phr)); ++ size_phr_1 = ndr_get_array_size(ndr, &r->out.phr); ++ NDR_PULL_ALLOC_N(ndr, r->out.phr, size_phr_1); + _mem_save_phr_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.phr, 0); +- for (cntr_phr_1 = 0; cntr_phr_1 < r->in.cIids; cntr_phr_1++) { ++ for (cntr_phr_1 = 0; cntr_phr_1 < size_phr_1; cntr_phr_1++) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.phr[cntr_phr_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_phr_1, 0); +@@ -2204,13 +2219,14 @@ + _mem_save_ppMIF_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.ppMIF, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.ppMIF)); +- NDR_PULL_ALLOC_N(ndr, r->out.ppMIF, ndr_get_array_size(ndr, &r->out.ppMIF)); ++ size_ppMIF_1 = ndr_get_array_size(ndr, &r->out.ppMIF); ++ NDR_PULL_ALLOC_N(ndr, r->out.ppMIF, size_ppMIF_1); + _mem_save_ppMIF_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.ppMIF, 0); +- for (cntr_ppMIF_1 = 0; cntr_ppMIF_1 < r->in.cIids; cntr_ppMIF_1++) { ++ for (cntr_ppMIF_1 = 0; cntr_ppMIF_1 < size_ppMIF_1; cntr_ppMIF_1++) { + NDR_CHECK(ndr_pull_MInterfacePointer(ndr, NDR_SCALARS, &r->out.ppMIF[cntr_ppMIF_1])); + } +- for (cntr_ppMIF_1 = 0; cntr_ppMIF_1 < r->in.cIids; cntr_ppMIF_1++) { ++ for (cntr_ppMIF_1 = 0; cntr_ppMIF_1 < size_ppMIF_1; cntr_ppMIF_1++) { + NDR_CHECK(ndr_pull_MInterfacePointer(ndr, NDR_BUFFERS, &r->out.ppMIF[cntr_ppMIF_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ppMIF_1, 0); +@@ -2692,6 +2708,7 @@ + { + uint32_t _ptr_riid; + uint32_t _ptr_rgDispId; ++ uint32_t size_rgDispId_1 = 0; + uint32_t cntr_rgDispId_1; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_riid_0; +@@ -2736,10 +2753,11 @@ + _mem_save_rgDispId_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.rgDispId, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.rgDispId)); +- NDR_PULL_ALLOC_N(ndr, r->out.rgDispId, ndr_get_array_size(ndr, &r->out.rgDispId)); ++ size_rgDispId_1 = ndr_get_array_size(ndr, &r->out.rgDispId); ++ NDR_PULL_ALLOC_N(ndr, r->out.rgDispId, size_rgDispId_1); + _mem_save_rgDispId_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.rgDispId, 0); +- for (cntr_rgDispId_1 = 0; cntr_rgDispId_1 < r->in.cNames; cntr_rgDispId_1++) { ++ for (cntr_rgDispId_1 = 0; cntr_rgDispId_1 < size_rgDispId_1; cntr_rgDispId_1++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->out.rgDispId[cntr_rgDispId_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rgDispId_1, 0); +@@ -3298,6 +3316,8 @@ + + static enum ndr_err_code ndr_pull_MakeCoffee(struct ndr_pull *ndr, int flags, struct MakeCoffee *r) + { ++ uint32_t size_flavor_1 = 0; ++ uint32_t length_flavor_1 = 0; + TALLOC_CTX *_mem_save_ORPCthat_0; + if (flags & NDR_IN) { + ZERO_STRUCT(r->out); +@@ -3305,11 +3325,13 @@ + NDR_CHECK(ndr_pull_ORPCTHIS(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.ORPCthis)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.flavor)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.flavor)); +- if (ndr_get_array_length(ndr, &r->in.flavor) > ndr_get_array_size(ndr, &r->in.flavor)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.flavor), ndr_get_array_length(ndr, &r->in.flavor)); ++ size_flavor_1 = ndr_get_array_size(ndr, &r->in.flavor); ++ length_flavor_1 = ndr_get_array_length(ndr, &r->in.flavor); ++ if (length_flavor_1 > size_flavor_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_flavor_1, length_flavor_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.flavor), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.flavor, ndr_get_array_length(ndr, &r->in.flavor), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_flavor_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.flavor, length_flavor_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_ALLOC(ndr, r->out.ORPCthat); + ZERO_STRUCTP(r->out.ORPCthat); + } +@@ -3433,6 +3455,8 @@ + + static enum ndr_err_code ndr_pull_Read(struct ndr_pull *ndr, int flags, struct Read *r) + { ++ uint32_t size_pv_0 = 0; ++ uint32_t length_pv_0 = 0; + uint32_t _ptr_num_readx; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_num_readx_0; +@@ -3469,11 +3493,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ORPCthat_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.pv)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.pv)); +- if (ndr_get_array_length(ndr, &r->out.pv) > ndr_get_array_size(ndr, &r->out.pv)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.pv), ndr_get_array_length(ndr, &r->out.pv)); ++ size_pv_0 = ndr_get_array_size(ndr, &r->out.pv); ++ length_pv_0 = ndr_get_array_length(ndr, &r->out.pv); ++ if (length_pv_0 > size_pv_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_pv_0, length_pv_0); + } +- NDR_PULL_ALLOC_N(ndr, r->out.pv, ndr_get_array_size(ndr, &r->out.pv)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.pv, ndr_get_array_length(ndr, &r->out.pv))); ++ NDR_PULL_ALLOC_N(ndr, r->out.pv, size_pv_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.pv, length_pv_0)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.num_read); + } +@@ -3559,6 +3585,7 @@ + static enum ndr_err_code ndr_pull_Write(struct ndr_pull *ndr, int flags, struct Write *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_data_0; + TALLOC_CTX *_mem_save_num_written_0; +@@ -3576,8 +3603,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); +- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->in.data); ++ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.num_requested)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_dfsblobs.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_dfsblobs.c 2012-04-12 12:09:50.787287457 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_dfsblobs.c 2012-04-12 12:19:20.579300999 -0500 +@@ -799,12 +799,14 @@ + static enum ndr_err_code ndr_pull_dfs_padding(struct ndr_pull *ndr, int ndr_flags, union dfs_padding *r) + { + uint32_t level; ++ uint32_t size_value_0 = 0; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 1)); + switch (level) { + case 16: { +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->value, 16)); ++ size_value_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->value, size_value_0)); + break; } + + default: { +@@ -1234,6 +1236,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dfs_referral_resp(struct ndr_pull *ndr, int ndr_flags, struct dfs_referral_resp *r) + { ++ uint32_t size_referral_entries_0 = 0; + uint32_t cntr_referral_entries_0; + TALLOC_CTX *_mem_save_referral_entries_0; + if (ndr_flags & NDR_SCALARS) { +@@ -1241,19 +1244,21 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->path_consumed)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->nb_referrals)); + NDR_CHECK(ndr_pull_DFS_HEADER_FLAG(ndr, NDR_SCALARS, &r->header_flags)); +- NDR_PULL_ALLOC_N(ndr, r->referral_entries, r->nb_referrals); ++ size_referral_entries_0 = r->nb_referrals; ++ NDR_PULL_ALLOC_N(ndr, r->referral_entries, size_referral_entries_0); + _mem_save_referral_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->referral_entries, 0); +- for (cntr_referral_entries_0 = 0; cntr_referral_entries_0 < r->nb_referrals; cntr_referral_entries_0++) { ++ for (cntr_referral_entries_0 = 0; cntr_referral_entries_0 < size_referral_entries_0; cntr_referral_entries_0++) { + NDR_CHECK(ndr_pull_dfs_referral_type(ndr, NDR_SCALARS, &r->referral_entries[cntr_referral_entries_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_referral_entries_0, 0); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_referral_entries_0 = r->nb_referrals; + _mem_save_referral_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->referral_entries, 0); +- for (cntr_referral_entries_0 = 0; cntr_referral_entries_0 < r->nb_referrals; cntr_referral_entries_0++) { ++ for (cntr_referral_entries_0 = 0; cntr_referral_entries_0 < size_referral_entries_0; cntr_referral_entries_0++) { + NDR_CHECK(ndr_pull_dfs_referral_type(ndr, NDR_BUFFERS, &r->referral_entries[cntr_referral_entries_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_referral_entries_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_dfs.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_dfs.c 2012-04-12 12:09:50.579287453 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_dfs.c 2012-04-12 12:19:20.583300999 -0500 +@@ -82,6 +82,8 @@ + static enum ndr_err_code ndr_pull_dfs_Info1(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info1 *r) + { + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + TALLOC_CTX *_mem_save_path_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -99,11 +101,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); +- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->path); ++ length_path_1 = ndr_get_array_length(ndr, &r->path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + } +@@ -181,8 +185,12 @@ + static enum ndr_err_code ndr_pull_dfs_Info2(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info2 *r) + { + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + TALLOC_CTX *_mem_save_path_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -208,11 +216,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); +- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->path); ++ length_path_1 = ndr_get_array_length(ndr, &r->path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + if (r->comment) { +@@ -220,11 +230,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -306,8 +318,12 @@ + static enum ndr_err_code ndr_pull_dfs_StorageInfo(struct ndr_pull *ndr, int ndr_flags, struct dfs_StorageInfo *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; + TALLOC_CTX *_mem_save_server_0; + uint32_t _ptr_share; ++ uint32_t size_share_1 = 0; ++ uint32_t length_share_1 = 0; + TALLOC_CTX *_mem_save_share_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -332,11 +348,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server)); +- if (ndr_get_array_length(ndr, &r->server) > ndr_get_array_size(ndr, &r->server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server), ndr_get_array_length(ndr, &r->server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->server); ++ length_server_1 = ndr_get_array_length(ndr, &r->server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, ndr_get_array_length(ndr, &r->server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + if (r->share) { +@@ -344,11 +362,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->share, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->share)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->share)); +- if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share)); ++ size_share_1 = ndr_get_array_size(ndr, &r->share); ++ length_share_1 = ndr_get_array_length(ndr, &r->share); ++ if (length_share_1 > size_share_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); + } + } +@@ -417,10 +437,15 @@ + static enum ndr_err_code ndr_pull_dfs_Info3(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info3 *r) + { + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + TALLOC_CTX *_mem_save_path_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + uint32_t _ptr_stores; ++ uint32_t size_stores_1 = 0; + uint32_t cntr_stores_1; + TALLOC_CTX *_mem_save_stores_0; + TALLOC_CTX *_mem_save_stores_1; +@@ -454,11 +479,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); +- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->path); ++ length_path_1 = ndr_get_array_length(ndr, &r->path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + if (r->comment) { +@@ -466,24 +493,27 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + if (r->stores) { + _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); +- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); ++ size_stores_1 = ndr_get_array_size(ndr, &r->stores); ++ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); + _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); +- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { ++ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { + NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); + } +- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { ++ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { + NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); +@@ -573,10 +603,15 @@ + static enum ndr_err_code ndr_pull_dfs_Info4(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info4 *r) + { + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + TALLOC_CTX *_mem_save_path_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + uint32_t _ptr_stores; ++ uint32_t size_stores_1 = 0; + uint32_t cntr_stores_1; + TALLOC_CTX *_mem_save_stores_0; + TALLOC_CTX *_mem_save_stores_1; +@@ -612,11 +647,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); +- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->path); ++ length_path_1 = ndr_get_array_length(ndr, &r->path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + if (r->comment) { +@@ -624,24 +661,27 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + if (r->stores) { + _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); +- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); ++ size_stores_1 = ndr_get_array_size(ndr, &r->stores); ++ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); + _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); +- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { ++ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { + NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); + } +- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { ++ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { + NDR_CHECK(ndr_pull_dfs_StorageInfo(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); +@@ -750,8 +790,12 @@ + static enum ndr_err_code ndr_pull_dfs_Info5(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info5 *r) + { + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + TALLOC_CTX *_mem_save_path_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -781,11 +825,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); +- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->path); ++ length_path_1 = ndr_get_array_length(ndr, &r->path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + if (r->comment) { +@@ -793,11 +839,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -981,10 +1029,15 @@ + static enum ndr_err_code ndr_pull_dfs_Info6(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info6 *r) + { + uint32_t _ptr_entry_path; ++ uint32_t size_entry_path_1 = 0; ++ uint32_t length_entry_path_1 = 0; + TALLOC_CTX *_mem_save_entry_path_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + uint32_t _ptr_stores; ++ uint32_t size_stores_1 = 0; + uint32_t cntr_stores_1; + TALLOC_CTX *_mem_save_stores_0; + TALLOC_CTX *_mem_save_stores_1; +@@ -1022,11 +1075,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->entry_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entry_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->entry_path)); +- if (ndr_get_array_length(ndr, &r->entry_path) > ndr_get_array_size(ndr, &r->entry_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->entry_path), ndr_get_array_length(ndr, &r->entry_path)); ++ size_entry_path_1 = ndr_get_array_size(ndr, &r->entry_path); ++ length_entry_path_1 = ndr_get_array_length(ndr, &r->entry_path); ++ if (length_entry_path_1 > size_entry_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_entry_path_1, length_entry_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, ndr_get_array_length(ndr, &r->entry_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_entry_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->entry_path, length_entry_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entry_path_0, 0); + } + if (r->comment) { +@@ -1034,24 +1089,27 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + if (r->stores) { + _mem_save_stores_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->stores)); +- NDR_PULL_ALLOC_N(ndr, r->stores, ndr_get_array_size(ndr, &r->stores)); ++ size_stores_1 = ndr_get_array_size(ndr, &r->stores); ++ NDR_PULL_ALLOC_N(ndr, r->stores, size_stores_1); + _mem_save_stores_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->stores, 0); +- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { ++ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { + NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_SCALARS, &r->stores[cntr_stores_1])); + } +- for (cntr_stores_1 = 0; cntr_stores_1 < r->num_stores; cntr_stores_1++) { ++ for (cntr_stores_1 = 0; cntr_stores_1 < size_stores_1; cntr_stores_1++) { + NDR_CHECK(ndr_pull_dfs_StorageInfo2(ndr, NDR_BUFFERS, &r->stores[cntr_stores_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stores_1, 0); +@@ -1156,6 +1214,8 @@ + static enum ndr_err_code ndr_pull_dfs_Info100(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info100 *r) + { + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1173,11 +1233,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -1355,6 +1417,8 @@ + static enum ndr_err_code ndr_pull_dfs_Info105(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info105 *r) + { + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1376,11 +1440,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -1462,6 +1528,8 @@ + static enum ndr_err_code ndr_pull_dfs_Info200(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info200 *r) + { + uint32_t _ptr_dom_root; ++ uint32_t size_dom_root_1 = 0; ++ uint32_t length_dom_root_1 = 0; + TALLOC_CTX *_mem_save_dom_root_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1479,11 +1547,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dom_root, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dom_root)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dom_root)); +- if (ndr_get_array_length(ndr, &r->dom_root) > ndr_get_array_size(ndr, &r->dom_root)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dom_root), ndr_get_array_length(ndr, &r->dom_root)); ++ size_dom_root_1 = ndr_get_array_size(ndr, &r->dom_root); ++ length_dom_root_1 = ndr_get_array_length(ndr, &r->dom_root); ++ if (length_dom_root_1 > size_dom_root_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_root_1, length_dom_root_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_root_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, length_dom_root_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_root_0, 0); + } + } +@@ -1551,6 +1621,8 @@ + static enum ndr_err_code ndr_pull_dfs_Info300(struct ndr_pull *ndr, int ndr_flags, struct dfs_Info300 *r) + { + uint32_t _ptr_dom_root; ++ uint32_t size_dom_root_1 = 0; ++ uint32_t length_dom_root_1 = 0; + TALLOC_CTX *_mem_save_dom_root_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1569,11 +1641,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dom_root, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dom_root)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dom_root)); +- if (ndr_get_array_length(ndr, &r->dom_root) > ndr_get_array_size(ndr, &r->dom_root)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dom_root), ndr_get_array_length(ndr, &r->dom_root)); ++ size_dom_root_1 = ndr_get_array_size(ndr, &r->dom_root); ++ length_dom_root_1 = ndr_get_array_length(ndr, &r->dom_root); ++ if (length_dom_root_1 > size_dom_root_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_root_1, length_dom_root_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, ndr_get_array_length(ndr, &r->dom_root), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_root_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dom_root, length_dom_root_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_root_0, 0); + } + } +@@ -1772,20 +1846,35 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info0_0; ++ uint32_t _ptr_info0; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + TALLOC_CTX *_mem_save_info3_0; ++ uint32_t _ptr_info3; + TALLOC_CTX *_mem_save_info4_0; ++ uint32_t _ptr_info4; + TALLOC_CTX *_mem_save_info5_0; ++ uint32_t _ptr_info5; + TALLOC_CTX *_mem_save_info6_0; ++ uint32_t _ptr_info6; + TALLOC_CTX *_mem_save_info7_0; ++ uint32_t _ptr_info7; + TALLOC_CTX *_mem_save_info100_0; ++ uint32_t _ptr_info100; + TALLOC_CTX *_mem_save_info101_0; ++ uint32_t _ptr_info101; + TALLOC_CTX *_mem_save_info102_0; ++ uint32_t _ptr_info102; + TALLOC_CTX *_mem_save_info103_0; ++ uint32_t _ptr_info103; + TALLOC_CTX *_mem_save_info104_0; ++ uint32_t _ptr_info104; + TALLOC_CTX *_mem_save_info105_0; ++ uint32_t _ptr_info105; + TALLOC_CTX *_mem_save_info106_0; ++ uint32_t _ptr_info106; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -1796,7 +1885,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_info0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); + if (_ptr_info0) { + NDR_PULL_ALLOC(ndr, r->info0); +@@ -1806,7 +1894,6 @@ + break; } + + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -1816,7 +1903,6 @@ + break; } + + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -1826,7 +1912,6 @@ + break; } + + case 3: { +- uint32_t _ptr_info3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); + if (_ptr_info3) { + NDR_PULL_ALLOC(ndr, r->info3); +@@ -1836,7 +1921,6 @@ + break; } + + case 4: { +- uint32_t _ptr_info4; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); + if (_ptr_info4) { + NDR_PULL_ALLOC(ndr, r->info4); +@@ -1846,7 +1930,6 @@ + break; } + + case 5: { +- uint32_t _ptr_info5; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); + if (_ptr_info5) { + NDR_PULL_ALLOC(ndr, r->info5); +@@ -1856,7 +1939,6 @@ + break; } + + case 6: { +- uint32_t _ptr_info6; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); + if (_ptr_info6) { + NDR_PULL_ALLOC(ndr, r->info6); +@@ -1866,7 +1948,6 @@ + break; } + + case 7: { +- uint32_t _ptr_info7; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info7)); + if (_ptr_info7) { + NDR_PULL_ALLOC(ndr, r->info7); +@@ -1876,7 +1957,6 @@ + break; } + + case 100: { +- uint32_t _ptr_info100; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); + if (_ptr_info100) { + NDR_PULL_ALLOC(ndr, r->info100); +@@ -1886,7 +1966,6 @@ + break; } + + case 101: { +- uint32_t _ptr_info101; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); + if (_ptr_info101) { + NDR_PULL_ALLOC(ndr, r->info101); +@@ -1896,7 +1975,6 @@ + break; } + + case 102: { +- uint32_t _ptr_info102; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info102)); + if (_ptr_info102) { + NDR_PULL_ALLOC(ndr, r->info102); +@@ -1906,7 +1984,6 @@ + break; } + + case 103: { +- uint32_t _ptr_info103; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info103)); + if (_ptr_info103) { + NDR_PULL_ALLOC(ndr, r->info103); +@@ -1916,7 +1993,6 @@ + break; } + + case 104: { +- uint32_t _ptr_info104; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info104)); + if (_ptr_info104) { + NDR_PULL_ALLOC(ndr, r->info104); +@@ -1926,7 +2002,6 @@ + break; } + + case 105: { +- uint32_t _ptr_info105; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info105)); + if (_ptr_info105) { + NDR_PULL_ALLOC(ndr, r->info105); +@@ -1936,7 +2011,6 @@ + break; } + + case 106: { +- uint32_t _ptr_info106; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info106)); + if (_ptr_info106) { + NDR_PULL_ALLOC(ndr, r->info106); +@@ -2265,6 +2339,7 @@ + static enum ndr_err_code ndr_pull_dfs_EnumArray1(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray1 *r) + { + uint32_t _ptr_s; ++ uint32_t size_s_1 = 0; + uint32_t cntr_s_1; + TALLOC_CTX *_mem_save_s_0; + TALLOC_CTX *_mem_save_s_1; +@@ -2284,13 +2359,14 @@ + _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); +- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); ++ size_s_1 = ndr_get_array_size(ndr, &r->s); ++ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); + _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info1(ndr, NDR_SCALARS, &r->s[cntr_s_1])); + } +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info1(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); +@@ -2350,6 +2426,7 @@ + static enum ndr_err_code ndr_pull_dfs_EnumArray2(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray2 *r) + { + uint32_t _ptr_s; ++ uint32_t size_s_1 = 0; + uint32_t cntr_s_1; + TALLOC_CTX *_mem_save_s_0; + TALLOC_CTX *_mem_save_s_1; +@@ -2369,13 +2446,14 @@ + _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); +- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); ++ size_s_1 = ndr_get_array_size(ndr, &r->s); ++ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); + _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info2(ndr, NDR_SCALARS, &r->s[cntr_s_1])); + } +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info2(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); +@@ -2435,6 +2513,7 @@ + static enum ndr_err_code ndr_pull_dfs_EnumArray3(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray3 *r) + { + uint32_t _ptr_s; ++ uint32_t size_s_1 = 0; + uint32_t cntr_s_1; + TALLOC_CTX *_mem_save_s_0; + TALLOC_CTX *_mem_save_s_1; +@@ -2454,13 +2533,14 @@ + _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); +- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); ++ size_s_1 = ndr_get_array_size(ndr, &r->s); ++ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); + _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info3(ndr, NDR_SCALARS, &r->s[cntr_s_1])); + } +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info3(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); +@@ -2520,6 +2600,7 @@ + static enum ndr_err_code ndr_pull_dfs_EnumArray4(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray4 *r) + { + uint32_t _ptr_s; ++ uint32_t size_s_1 = 0; + uint32_t cntr_s_1; + TALLOC_CTX *_mem_save_s_0; + TALLOC_CTX *_mem_save_s_1; +@@ -2539,13 +2620,14 @@ + _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); +- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); ++ size_s_1 = ndr_get_array_size(ndr, &r->s); ++ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); + _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info4(ndr, NDR_SCALARS, &r->s[cntr_s_1])); + } +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info4(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); +@@ -2605,6 +2687,7 @@ + static enum ndr_err_code ndr_pull_dfs_EnumArray5(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray5 *r) + { + uint32_t _ptr_s; ++ uint32_t size_s_1 = 0; + uint32_t cntr_s_1; + TALLOC_CTX *_mem_save_s_0; + TALLOC_CTX *_mem_save_s_1; +@@ -2624,13 +2707,14 @@ + _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); +- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); ++ size_s_1 = ndr_get_array_size(ndr, &r->s); ++ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); + _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info5(ndr, NDR_SCALARS, &r->s[cntr_s_1])); + } +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info5(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); +@@ -2690,6 +2774,7 @@ + static enum ndr_err_code ndr_pull_dfs_EnumArray6(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray6 *r) + { + uint32_t _ptr_s; ++ uint32_t size_s_1 = 0; + uint32_t cntr_s_1; + TALLOC_CTX *_mem_save_s_0; + TALLOC_CTX *_mem_save_s_1; +@@ -2709,13 +2794,14 @@ + _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); +- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); ++ size_s_1 = ndr_get_array_size(ndr, &r->s); ++ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); + _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info6(ndr, NDR_SCALARS, &r->s[cntr_s_1])); + } +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info6(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); +@@ -2775,6 +2861,7 @@ + static enum ndr_err_code ndr_pull_dfs_EnumArray200(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray200 *r) + { + uint32_t _ptr_s; ++ uint32_t size_s_1 = 0; + uint32_t cntr_s_1; + TALLOC_CTX *_mem_save_s_0; + TALLOC_CTX *_mem_save_s_1; +@@ -2794,13 +2881,14 @@ + _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); +- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); ++ size_s_1 = ndr_get_array_size(ndr, &r->s); ++ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); + _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info200(ndr, NDR_SCALARS, &r->s[cntr_s_1])); + } +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info200(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); +@@ -2860,6 +2948,7 @@ + static enum ndr_err_code ndr_pull_dfs_EnumArray300(struct ndr_pull *ndr, int ndr_flags, struct dfs_EnumArray300 *r) + { + uint32_t _ptr_s; ++ uint32_t size_s_1 = 0; + uint32_t cntr_s_1; + TALLOC_CTX *_mem_save_s_0; + TALLOC_CTX *_mem_save_s_1; +@@ -2879,13 +2968,14 @@ + _mem_save_s_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->s)); +- NDR_PULL_ALLOC_N(ndr, r->s, ndr_get_array_size(ndr, &r->s)); ++ size_s_1 = ndr_get_array_size(ndr, &r->s); ++ NDR_PULL_ALLOC_N(ndr, r->s, size_s_1); + _mem_save_s_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->s, 0); +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info300(ndr, NDR_SCALARS, &r->s[cntr_s_1])); + } +- for (cntr_s_1 = 0; cntr_s_1 < r->count; cntr_s_1++) { ++ for (cntr_s_1 = 0; cntr_s_1 < size_s_1; cntr_s_1++) { + NDR_CHECK(ndr_pull_dfs_Info300(ndr, NDR_BUFFERS, &r->s[cntr_s_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s_1, 0); +@@ -3026,13 +3116,21 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + TALLOC_CTX *_mem_save_info3_0; ++ uint32_t _ptr_info3; + TALLOC_CTX *_mem_save_info4_0; ++ uint32_t _ptr_info4; + TALLOC_CTX *_mem_save_info5_0; ++ uint32_t _ptr_info5; + TALLOC_CTX *_mem_save_info6_0; ++ uint32_t _ptr_info6; + TALLOC_CTX *_mem_save_info200_0; ++ uint32_t _ptr_info200; + TALLOC_CTX *_mem_save_info300_0; ++ uint32_t _ptr_info300; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -3043,7 +3141,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -3053,7 +3150,6 @@ + break; } + + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -3063,7 +3159,6 @@ + break; } + + case 3: { +- uint32_t _ptr_info3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); + if (_ptr_info3) { + NDR_PULL_ALLOC(ndr, r->info3); +@@ -3073,7 +3168,6 @@ + break; } + + case 4: { +- uint32_t _ptr_info4; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); + if (_ptr_info4) { + NDR_PULL_ALLOC(ndr, r->info4); +@@ -3083,7 +3177,6 @@ + break; } + + case 5: { +- uint32_t _ptr_info5; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); + if (_ptr_info5) { + NDR_PULL_ALLOC(ndr, r->info5); +@@ -3093,7 +3186,6 @@ + break; } + + case 6: { +- uint32_t _ptr_info6; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); + if (_ptr_info6) { + NDR_PULL_ALLOC(ndr, r->info6); +@@ -3103,7 +3195,6 @@ + break; } + + case 200: { +- uint32_t _ptr_info200; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info200)); + if (_ptr_info200) { + NDR_PULL_ALLOC(ndr, r->info200); +@@ -3113,7 +3204,6 @@ + break; } + + case 300: { +- uint32_t _ptr_info300; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info300)); + if (_ptr_info300) { + NDR_PULL_ALLOC(ndr, r->info300); +@@ -3353,6 +3443,8 @@ + static enum ndr_err_code ndr_pull_dfs_UnknownStruct(struct ndr_pull *ndr, int ndr_flags, struct dfs_UnknownStruct *r) + { + uint32_t _ptr_unknown2; ++ uint32_t size_unknown2_1 = 0; ++ uint32_t length_unknown2_1 = 0; + TALLOC_CTX *_mem_save_unknown2_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3371,11 +3463,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->unknown2, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown2)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown2)); +- if (ndr_get_array_length(ndr, &r->unknown2) > ndr_get_array_size(ndr, &r->unknown2)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown2), ndr_get_array_length(ndr, &r->unknown2)); ++ size_unknown2_1 = ndr_get_array_size(ndr, &r->unknown2); ++ length_unknown2_1 = ndr_get_array_length(ndr, &r->unknown2); ++ if (length_unknown2_1 > size_unknown2_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); + } + } +@@ -3497,25 +3591,37 @@ + + static enum ndr_err_code ndr_pull_dfs_Add(struct ndr_pull *ndr, int flags, struct dfs_Add *r) + { ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; + uint32_t _ptr_share; ++ uint32_t size_share_1 = 0; ++ uint32_t length_share_1 = 0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_share_0; + TALLOC_CTX *_mem_save_comment_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); +- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->in.path); ++ length_path_1 = ndr_get_array_length(ndr, &r->in.path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); + if (_ptr_share) { + NDR_PULL_ALLOC(ndr, r->in.share); +@@ -3527,11 +3633,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); +- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); ++ size_share_1 = ndr_get_array_size(ndr, &r->in.share); ++ length_share_1 = ndr_get_array_length(ndr, &r->in.share); ++ if (length_share_1 > size_share_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_comment)); +@@ -3545,11 +3653,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); +- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->in.comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->in.comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); +@@ -3636,18 +3746,26 @@ + + static enum ndr_err_code ndr_pull_dfs_Remove(struct ndr_pull *ndr, int flags, struct dfs_Remove *r) + { ++ uint32_t size_dfs_entry_path_1 = 0; ++ uint32_t length_dfs_entry_path_1 = 0; + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_sharename; ++ uint32_t size_sharename_1 = 0; ++ uint32_t length_sharename_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_sharename_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); +- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); ++ size_dfs_entry_path_1 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); ++ length_dfs_entry_path_1 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); ++ if (length_dfs_entry_path_1 > size_dfs_entry_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_1, length_dfs_entry_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); + if (_ptr_servername) { + NDR_PULL_ALLOC(ndr, r->in.servername); +@@ -3659,11 +3777,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); +@@ -3677,11 +3797,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); +- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); ++ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); ++ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); ++ if (length_sharename_1 > size_sharename_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); + } + } +@@ -3765,19 +3887,27 @@ + + static enum ndr_err_code ndr_pull_dfs_SetInfo(struct ndr_pull *ndr, int flags, struct dfs_SetInfo *r) + { ++ uint32_t size_dfs_entry_path_0 = 0; ++ uint32_t length_dfs_entry_path_0 = 0; + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_sharename; ++ uint32_t size_sharename_1 = 0; ++ uint32_t length_sharename_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_sharename_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); +- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); ++ size_dfs_entry_path_0 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); ++ length_dfs_entry_path_0 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); ++ if (length_dfs_entry_path_0 > size_dfs_entry_path_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_0, length_dfs_entry_path_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); + if (_ptr_servername) { + NDR_PULL_ALLOC(ndr, r->in.servername); +@@ -3789,11 +3919,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); +@@ -3807,11 +3939,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); +- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); ++ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); ++ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); ++ if (length_sharename_1 > size_sharename_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -3907,8 +4041,14 @@ + + static enum ndr_err_code ndr_pull_dfs_GetInfo(struct ndr_pull *ndr, int flags, struct dfs_GetInfo *r) + { ++ uint32_t size_dfs_entry_path_0 = 0; ++ uint32_t length_dfs_entry_path_0 = 0; + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_sharename; ++ uint32_t size_sharename_1 = 0; ++ uint32_t length_sharename_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_sharename_0; + TALLOC_CTX *_mem_save_info_0; +@@ -3917,11 +4057,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_entry_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_entry_path)); +- if (ndr_get_array_length(ndr, &r->in.dfs_entry_path) > ndr_get_array_size(ndr, &r->in.dfs_entry_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_entry_path), ndr_get_array_length(ndr, &r->in.dfs_entry_path)); ++ size_dfs_entry_path_0 = ndr_get_array_size(ndr, &r->in.dfs_entry_path); ++ length_dfs_entry_path_0 = ndr_get_array_length(ndr, &r->in.dfs_entry_path); ++ if (length_dfs_entry_path_0 > size_dfs_entry_path_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_entry_path_0, length_dfs_entry_path_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, ndr_get_array_length(ndr, &r->in.dfs_entry_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_entry_path_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_entry_path, length_dfs_entry_path_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_servername)); + if (_ptr_servername) { + NDR_PULL_ALLOC(ndr, r->in.servername); +@@ -3933,11 +4075,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sharename)); +@@ -3951,11 +4095,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.sharename, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.sharename)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.sharename)); +- if (ndr_get_array_length(ndr, &r->in.sharename) > ndr_get_array_size(ndr, &r->in.sharename)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.sharename), ndr_get_array_length(ndr, &r->in.sharename)); ++ size_sharename_1 = ndr_get_array_size(ndr, &r->in.sharename); ++ length_sharename_1 = ndr_get_array_length(ndr, &r->in.sharename); ++ if (length_sharename_1 > size_sharename_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, ndr_get_array_length(ndr, &r->in.sharename), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -4379,6 +4525,18 @@ + + static enum ndr_err_code ndr_pull_dfs_AddFtRoot(struct ndr_pull *ndr, int flags, struct dfs_AddFtRoot *r) + { ++ uint32_t size_servername_0 = 0; ++ uint32_t length_servername_0 = 0; ++ uint32_t size_dns_servername_0 = 0; ++ uint32_t length_dns_servername_0 = 0; ++ uint32_t size_dfsname_0 = 0; ++ uint32_t length_dfsname_0 = 0; ++ uint32_t size_rootshare_0 = 0; ++ uint32_t length_rootshare_0 = 0; ++ uint32_t size_comment_0 = 0; ++ uint32_t length_comment_0 = 0; ++ uint32_t size_dfs_config_dn_0 = 0; ++ uint32_t length_dfs_config_dn_0 = 0; + uint32_t _ptr_unknown2; + TALLOC_CTX *_mem_save_unknown2_0; + TALLOC_CTX *_mem_save_unknown2_1; +@@ -4387,46 +4545,58 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_0 > size_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_servername)); +- if (ndr_get_array_length(ndr, &r->in.dns_servername) > ndr_get_array_size(ndr, &r->in.dns_servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_servername), ndr_get_array_length(ndr, &r->in.dns_servername)); ++ size_dns_servername_0 = ndr_get_array_size(ndr, &r->in.dns_servername); ++ length_dns_servername_0 = ndr_get_array_length(ndr, &r->in.dns_servername); ++ if (length_dns_servername_0 > size_dns_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_servername_0, length_dns_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, length_dns_servername_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfsname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfsname)); +- if (ndr_get_array_length(ndr, &r->in.dfsname) > ndr_get_array_size(ndr, &r->in.dfsname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfsname), ndr_get_array_length(ndr, &r->in.dfsname)); ++ size_dfsname_0 = ndr_get_array_size(ndr, &r->in.dfsname); ++ length_dfsname_0 = ndr_get_array_length(ndr, &r->in.dfsname); ++ if (length_dfsname_0 > size_dfsname_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfsname_0, length_dfsname_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfsname_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, length_dfsname_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); +- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); ++ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); ++ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); ++ if (length_rootshare_0 > size_rootshare_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); +- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); ++ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); ++ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); ++ if (length_comment_0 > size_comment_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_config_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_config_dn)); +- if (ndr_get_array_length(ndr, &r->in.dfs_config_dn) > ndr_get_array_size(ndr, &r->in.dfs_config_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_config_dn), ndr_get_array_length(ndr, &r->in.dfs_config_dn)); ++ size_dfs_config_dn_0 = ndr_get_array_size(ndr, &r->in.dfs_config_dn); ++ length_dfs_config_dn_0 = ndr_get_array_length(ndr, &r->in.dfs_config_dn); ++ if (length_dfs_config_dn_0 > size_dfs_config_dn_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_config_dn_0, length_dfs_config_dn_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_config_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_config_dn, ndr_get_array_length(ndr, &r->in.dfs_config_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_config_dn_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_config_dn, length_dfs_config_dn_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->in.unknown1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown2)); +@@ -4577,6 +4747,14 @@ + + static enum ndr_err_code ndr_pull_dfs_RemoveFtRoot(struct ndr_pull *ndr, int flags, struct dfs_RemoveFtRoot *r) + { ++ uint32_t size_servername_0 = 0; ++ uint32_t length_servername_0 = 0; ++ uint32_t size_dns_servername_0 = 0; ++ uint32_t length_dns_servername_0 = 0; ++ uint32_t size_dfsname_0 = 0; ++ uint32_t length_dfsname_0 = 0; ++ uint32_t size_rootshare_0 = 0; ++ uint32_t length_rootshare_0 = 0; + uint32_t _ptr_unknown; + TALLOC_CTX *_mem_save_unknown_0; + TALLOC_CTX *_mem_save_unknown_1; +@@ -4585,32 +4763,40 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_0 > size_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_servername)); +- if (ndr_get_array_length(ndr, &r->in.dns_servername) > ndr_get_array_size(ndr, &r->in.dns_servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_servername), ndr_get_array_length(ndr, &r->in.dns_servername)); ++ size_dns_servername_0 = ndr_get_array_size(ndr, &r->in.dns_servername); ++ length_dns_servername_0 = ndr_get_array_length(ndr, &r->in.dns_servername); ++ if (length_dns_servername_0 > size_dns_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_servername_0, length_dns_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, ndr_get_array_length(ndr, &r->in.dns_servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_servername, length_dns_servername_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfsname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfsname)); +- if (ndr_get_array_length(ndr, &r->in.dfsname) > ndr_get_array_size(ndr, &r->in.dfsname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfsname), ndr_get_array_length(ndr, &r->in.dfsname)); ++ size_dfsname_0 = ndr_get_array_size(ndr, &r->in.dfsname); ++ length_dfsname_0 = ndr_get_array_length(ndr, &r->in.dfsname); ++ if (length_dfsname_0 > size_dfsname_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfsname_0, length_dfsname_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, ndr_get_array_length(ndr, &r->in.dfsname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfsname_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfsname, length_dfsname_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); +- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); ++ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); ++ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); ++ if (length_rootshare_0 > size_rootshare_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown)); + if (_ptr_unknown) { +@@ -4739,28 +4925,40 @@ + + static enum ndr_err_code ndr_pull_dfs_AddStdRoot(struct ndr_pull *ndr, int flags, struct dfs_AddStdRoot *r) + { ++ uint32_t size_servername_0 = 0; ++ uint32_t length_servername_0 = 0; ++ uint32_t size_rootshare_0 = 0; ++ uint32_t length_rootshare_0 = 0; ++ uint32_t size_comment_0 = 0; ++ uint32_t length_comment_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_0 > size_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); +- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); ++ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); ++ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); ++ if (length_rootshare_0 > size_rootshare_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); +- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); ++ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); ++ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); ++ if (length_comment_0 > size_comment_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + } + if (flags & NDR_OUT) { +@@ -4816,21 +5014,29 @@ + + static enum ndr_err_code ndr_pull_dfs_RemoveStdRoot(struct ndr_pull *ndr, int flags, struct dfs_RemoveStdRoot *r) + { ++ uint32_t size_servername_0 = 0; ++ uint32_t length_servername_0 = 0; ++ uint32_t size_rootshare_0 = 0; ++ uint32_t length_rootshare_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_0 > size_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); +- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); ++ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); ++ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); ++ if (length_rootshare_0 > size_rootshare_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + } + if (flags & NDR_OUT) { +@@ -4884,14 +5090,18 @@ + + static enum ndr_err_code ndr_pull_dfs_ManagerInitialize(struct ndr_pull *ndr, int flags, struct dfs_ManagerInitialize *r) + { ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + } + if (flags & NDR_OUT) { +@@ -4955,35 +5165,51 @@ + + static enum ndr_err_code ndr_pull_dfs_AddStdRootForced(struct ndr_pull *ndr, int flags, struct dfs_AddStdRootForced *r) + { ++ uint32_t size_servername_0 = 0; ++ uint32_t length_servername_0 = 0; ++ uint32_t size_rootshare_0 = 0; ++ uint32_t length_rootshare_0 = 0; ++ uint32_t size_comment_0 = 0; ++ uint32_t length_comment_0 = 0; ++ uint32_t size_store_0 = 0; ++ uint32_t length_store_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_0 > size_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); +- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); ++ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); ++ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); ++ if (length_rootshare_0 > size_rootshare_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.comment)); +- if (ndr_get_array_length(ndr, &r->in.comment) > ndr_get_array_size(ndr, &r->in.comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.comment), ndr_get_array_length(ndr, &r->in.comment)); ++ size_comment_0 = ndr_get_array_size(ndr, &r->in.comment); ++ length_comment_0 = ndr_get_array_length(ndr, &r->in.comment); ++ if (length_comment_0 > size_comment_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_0, length_comment_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, ndr_get_array_length(ndr, &r->in.comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.comment, length_comment_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.store)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.store)); +- if (ndr_get_array_length(ndr, &r->in.store) > ndr_get_array_size(ndr, &r->in.store)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.store), ndr_get_array_length(ndr, &r->in.store)); ++ size_store_0 = ndr_get_array_size(ndr, &r->in.store); ++ length_store_0 = ndr_get_array_length(ndr, &r->in.store); ++ if (length_store_0 > size_store_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_store_0, length_store_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.store), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.store, ndr_get_array_length(ndr, &r->in.store), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_store_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.store, length_store_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -5069,7 +5295,11 @@ + + static enum ndr_err_code ndr_pull_dfs_GetDcAddress(struct ndr_pull *ndr, int flags, struct dfs_GetDcAddress *r) + { ++ uint32_t size_servername_0 = 0; ++ uint32_t length_servername_0 = 0; + uint32_t _ptr_server_fullname; ++ uint32_t size_server_fullname_2 = 0; ++ uint32_t length_server_fullname_2 = 0; + TALLOC_CTX *_mem_save_server_fullname_0; + TALLOC_CTX *_mem_save_server_fullname_1; + TALLOC_CTX *_mem_save_is_root_0; +@@ -5079,11 +5309,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_0 > size_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.server_fullname); + } +@@ -5100,11 +5332,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->in.server_fullname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->in.server_fullname)); + NDR_CHECK(ndr_pull_array_length(ndr, r->in.server_fullname)); +- if (ndr_get_array_length(ndr, r->in.server_fullname) > ndr_get_array_size(ndr, r->in.server_fullname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->in.server_fullname), ndr_get_array_length(ndr, r->in.server_fullname)); ++ size_server_fullname_2 = ndr_get_array_size(ndr, r->in.server_fullname); ++ length_server_fullname_2 = ndr_get_array_length(ndr, r->in.server_fullname); ++ if (length_server_fullname_2 > size_server_fullname_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_2, length_server_fullname_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->in.server_fullname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.server_fullname, ndr_get_array_length(ndr, r->in.server_fullname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.server_fullname, length_server_fullname_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_0, LIBNDR_FLAG_REF_ALLOC); +@@ -5146,11 +5380,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.server_fullname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.server_fullname)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.server_fullname)); +- if (ndr_get_array_length(ndr, r->out.server_fullname) > ndr_get_array_size(ndr, r->out.server_fullname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.server_fullname), ndr_get_array_length(ndr, r->out.server_fullname)); ++ size_server_fullname_2 = ndr_get_array_size(ndr, r->out.server_fullname); ++ length_server_fullname_2 = ndr_get_array_length(ndr, r->out.server_fullname); ++ if (length_server_fullname_2 > size_server_fullname_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_2, length_server_fullname_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.server_fullname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.server_fullname, ndr_get_array_length(ndr, r->out.server_fullname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.server_fullname, length_server_fullname_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_fullname_0, LIBNDR_FLAG_REF_ALLOC); +@@ -5252,21 +5488,29 @@ + + static enum ndr_err_code ndr_pull_dfs_SetDcAddress(struct ndr_pull *ndr, int flags, struct dfs_SetDcAddress *r) + { ++ uint32_t size_servername_0 = 0; ++ uint32_t length_servername_0 = 0; ++ uint32_t size_server_fullname_0 = 0; ++ uint32_t length_server_fullname_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_0 > size_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_fullname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_fullname)); +- if (ndr_get_array_length(ndr, &r->in.server_fullname) > ndr_get_array_size(ndr, &r->in.server_fullname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_fullname), ndr_get_array_length(ndr, &r->in.server_fullname)); ++ size_server_fullname_0 = ndr_get_array_size(ndr, &r->in.server_fullname); ++ length_server_fullname_0 = ndr_get_array_length(ndr, &r->in.server_fullname); ++ if (length_server_fullname_0 > size_server_fullname_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_fullname_0, length_server_fullname_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_fullname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_fullname, ndr_get_array_length(ndr, &r->in.server_fullname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_fullname_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_fullname, length_server_fullname_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.ttl)); + } +@@ -5322,21 +5566,29 @@ + + static enum ndr_err_code ndr_pull_dfs_FlushFtTable(struct ndr_pull *ndr, int flags, struct dfs_FlushFtTable *r) + { ++ uint32_t size_servername_0 = 0; ++ uint32_t length_servername_0 = 0; ++ uint32_t size_rootshare_0 = 0; ++ uint32_t length_rootshare_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_0 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_0 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_0 > size_servername_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_0, length_servername_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rootshare)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rootshare)); +- if (ndr_get_array_length(ndr, &r->in.rootshare) > ndr_get_array_size(ndr, &r->in.rootshare)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rootshare), ndr_get_array_length(ndr, &r->in.rootshare)); ++ size_rootshare_0 = ndr_get_array_size(ndr, &r->in.rootshare); ++ length_rootshare_0 = ndr_get_array_length(ndr, &r->in.rootshare); ++ if (length_rootshare_0 > size_rootshare_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rootshare_0, length_rootshare_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, ndr_get_array_length(ndr, &r->in.rootshare), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_rootshare_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.rootshare, length_rootshare_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -5486,6 +5738,8 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dfs_EnumEx(struct ndr_pull *ndr, int flags, struct dfs_EnumEx *r) + { ++ uint32_t size_dfs_name_0 = 0; ++ uint32_t length_dfs_name_0 = 0; + uint32_t _ptr_info; + uint32_t _ptr_total; + TALLOC_CTX *_mem_save_info_0; +@@ -5495,11 +5749,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dfs_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dfs_name)); +- if (ndr_get_array_length(ndr, &r->in.dfs_name) > ndr_get_array_size(ndr, &r->in.dfs_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dfs_name), ndr_get_array_length(ndr, &r->in.dfs_name)); ++ size_dfs_name_0 = ndr_get_array_size(ndr, &r->in.dfs_name); ++ length_dfs_name_0 = ndr_get_array_length(ndr, &r->in.dfs_name); ++ if (length_dfs_name_0 > size_dfs_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dfs_name_0, length_dfs_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dfs_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_name, ndr_get_array_length(ndr, &r->in.dfs_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dfs_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dfs_name, length_dfs_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.bufsize)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_dns.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_dns.c 2012-04-12 12:09:51.451287474 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_dns.c 2012-04-12 12:19:20.583300999 -0500 +@@ -242,11 +242,13 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dns_rdata_data(struct ndr_pull *ndr, int ndr_flags, struct dns_rdata_data *r) + { ++ uint32_t size_data_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 2)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); +- NDR_PULL_ALLOC_N(ndr, r->data, r->length); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, r->length)); ++ size_data_0 = r->length; ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -678,12 +680,16 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dns_name_packet(struct ndr_pull *ndr, int ndr_flags, struct dns_name_packet *r) + { ++ uint32_t size_questions_0 = 0; + uint32_t cntr_questions_0; + TALLOC_CTX *_mem_save_questions_0; ++ uint32_t size_answers_0 = 0; + uint32_t cntr_answers_0; + TALLOC_CTX *_mem_save_answers_0; ++ uint32_t size_nsrecs_0 = 0; + uint32_t cntr_nsrecs_0; + TALLOC_CTX *_mem_save_nsrecs_0; ++ uint32_t size_additional_0 = 0; + uint32_t cntr_additional_0; + TALLOC_CTX *_mem_save_additional_0; + { +@@ -697,52 +703,59 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->ancount)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->nscount)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->arcount)); +- NDR_PULL_ALLOC_N(ndr, r->questions, r->qdcount); ++ size_questions_0 = r->qdcount; ++ NDR_PULL_ALLOC_N(ndr, r->questions, size_questions_0); + _mem_save_questions_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->questions, 0); +- for (cntr_questions_0 = 0; cntr_questions_0 < r->qdcount; cntr_questions_0++) { ++ for (cntr_questions_0 = 0; cntr_questions_0 < size_questions_0; cntr_questions_0++) { + NDR_CHECK(ndr_pull_dns_name_question(ndr, NDR_SCALARS, &r->questions[cntr_questions_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_questions_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->answers, r->ancount); ++ size_answers_0 = r->ancount; ++ NDR_PULL_ALLOC_N(ndr, r->answers, size_answers_0); + _mem_save_answers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->answers, 0); +- for (cntr_answers_0 = 0; cntr_answers_0 < r->ancount; cntr_answers_0++) { ++ for (cntr_answers_0 = 0; cntr_answers_0 < size_answers_0; cntr_answers_0++) { + NDR_CHECK(ndr_pull_dns_res_rec(ndr, NDR_SCALARS, &r->answers[cntr_answers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_answers_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->nsrecs, r->nscount); ++ size_nsrecs_0 = r->nscount; ++ NDR_PULL_ALLOC_N(ndr, r->nsrecs, size_nsrecs_0); + _mem_save_nsrecs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->nsrecs, 0); +- for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < r->nscount; cntr_nsrecs_0++) { ++ for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < size_nsrecs_0; cntr_nsrecs_0++) { + NDR_CHECK(ndr_pull_dns_res_rec(ndr, NDR_SCALARS, &r->nsrecs[cntr_nsrecs_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_nsrecs_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->additional, r->arcount); ++ size_additional_0 = r->arcount; ++ NDR_PULL_ALLOC_N(ndr, r->additional, size_additional_0); + _mem_save_additional_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->additional, 0); +- for (cntr_additional_0 = 0; cntr_additional_0 < r->arcount; cntr_additional_0++) { ++ for (cntr_additional_0 = 0; cntr_additional_0 < size_additional_0; cntr_additional_0++) { + NDR_CHECK(ndr_pull_dns_res_rec(ndr, NDR_SCALARS, &r->additional[cntr_additional_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_additional_0, 0); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_answers_0 = r->ancount; + _mem_save_answers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->answers, 0); +- for (cntr_answers_0 = 0; cntr_answers_0 < r->ancount; cntr_answers_0++) { ++ for (cntr_answers_0 = 0; cntr_answers_0 < size_answers_0; cntr_answers_0++) { + NDR_CHECK(ndr_pull_dns_res_rec(ndr, NDR_BUFFERS, &r->answers[cntr_answers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_answers_0, 0); ++ size_nsrecs_0 = r->nscount; + _mem_save_nsrecs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->nsrecs, 0); +- for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < r->nscount; cntr_nsrecs_0++) { ++ for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < size_nsrecs_0; cntr_nsrecs_0++) { + NDR_CHECK(ndr_pull_dns_res_rec(ndr, NDR_BUFFERS, &r->nsrecs[cntr_nsrecs_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_nsrecs_0, 0); ++ size_additional_0 = r->arcount; + _mem_save_additional_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->additional, 0); +- for (cntr_additional_0 = 0; cntr_additional_0 < r->arcount; cntr_additional_0++) { ++ for (cntr_additional_0 = 0; cntr_additional_0 < size_additional_0; cntr_additional_0++) { + NDR_CHECK(ndr_pull_dns_res_rec(ndr, NDR_BUFFERS, &r->additional[cntr_additional_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_additional_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_drsblobs.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_drsblobs.c 2012-04-12 12:09:51.911287485 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_drsblobs.c 2012-04-12 12:19:20.587301000 -0500 +@@ -75,16 +75,18 @@ + + static enum ndr_err_code ndr_pull_replPropertyMetaDataCtr1(struct ndr_pull *ndr, int ndr_flags, struct replPropertyMetaDataCtr1 *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_PULL_ALLOC_N(ndr, r->array, r->count); ++ size_array_0 = r->count; ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_replPropertyMetaData1(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -242,16 +244,18 @@ + + static enum ndr_err_code ndr_pull_replUpToDateVectorCtr1(struct ndr_pull *ndr, int ndr_flags, struct replUpToDateVectorCtr1 *r) + { ++ uint32_t size_cursors_0 = 0; + uint32_t cntr_cursors_0; + TALLOC_CTX *_mem_save_cursors_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_PULL_ALLOC_N(ndr, r->cursors, r->count); ++ size_cursors_0 = r->count; ++ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); + _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); +- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { ++ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); +@@ -298,16 +302,18 @@ + + static enum ndr_err_code ndr_pull_replUpToDateVectorCtr2(struct ndr_pull *ndr, int ndr_flags, struct replUpToDateVectorCtr2 *r) + { ++ uint32_t size_cursors_0 = 0; + uint32_t cntr_cursors_0; + TALLOC_CTX *_mem_save_cursors_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_PULL_ALLOC_N(ndr, r->cursors, r->count); ++ size_cursors_0 = r->count; ++ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); + _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); +- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { ++ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor2(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); +@@ -479,10 +485,12 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_repsFromTo1OtherInfo(struct ndr_pull *ndr, int ndr_flags, struct repsFromTo1OtherInfo *r) + { ++ uint32_t size_dns_name_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__dns_name_size)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, r->__dns_name_size, sizeof(uint8_t), CH_DOS)); ++ size_dns_name_0 = r->__dns_name_size; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, size_dns_name_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -544,6 +552,7 @@ + { + uint32_t _ptr_other_info; + TALLOC_CTX *_mem_save_other_info_0; ++ uint32_t size_schedule_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); +@@ -563,7 +572,8 @@ + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->other_info_length)); + NDR_CHECK(ndr_pull_drsuapi_DrsOptions(ndr, NDR_SCALARS, &r->replica_flags)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); ++ size_schedule_0 = 84; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); + NDR_CHECK(ndr_pull_drsuapi_DsReplicaHighWaterMark(ndr, NDR_SCALARS, &r->highwatermark)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->source_dsa_obj_guid)); +@@ -829,6 +839,7 @@ + { + uint32_t _ptr_other_info; + TALLOC_CTX *_mem_save_other_info_0; ++ uint32_t size_schedule_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); +@@ -848,7 +859,8 @@ + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->other_info_length)); + NDR_CHECK(ndr_pull_drsuapi_DrsOptions(ndr, NDR_SCALARS, &r->replica_flags)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); ++ size_schedule_0 = 84; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); + NDR_CHECK(ndr_pull_drsuapi_DsReplicaHighWaterMark(ndr, NDR_SCALARS, &r->highwatermark)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->source_dsa_obj_guid)); +@@ -1069,15 +1081,17 @@ + + static enum ndr_err_code ndr_pull_partialAttributeSetCtr1(struct ndr_pull *ndr, int ndr_flags, struct partialAttributeSetCtr1 *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); +- NDR_PULL_ALLOC_N(ndr, r->array, r->count); ++ size_array_0 = r->count; ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsAttributeId(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -1300,6 +1314,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_MSPrefixMap_Entry(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_MSPrefixMap_Entry *r) + { ++ uint32_t size_binary_oid_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); +@@ -1307,8 +1322,9 @@ + NDR_CHECK(ndr_pull_align(ndr, 2)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->entryID)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); +- NDR_PULL_ALLOC_N(ndr, r->binary_oid, r->length); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->binary_oid, r->length)); ++ size_binary_oid_0 = r->length; ++ NDR_PULL_ALLOC_N(ndr, r->binary_oid, size_binary_oid_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->binary_oid, size_binary_oid_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1337,16 +1353,18 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_MSPrefixMap_Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_MSPrefixMap_Ctr *r) + { ++ uint32_t size_entries_0 = 0; + uint32_t cntr_entries_0; + TALLOC_CTX *_mem_save_entries_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size)); +- NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries); ++ size_entries_0 = r->num_entries; ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0); + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { ++ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { + NDR_CHECK(ndr_pull_drsuapi_MSPrefixMap_Entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); +@@ -1681,10 +1699,12 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_ldapControlDirSyncCookie(struct ndr_pull *ndr, int ndr_flags, struct ldapControlDirSyncCookie *r) + { + uint32_t _save_relative_base_offset = ndr_pull_get_relative_base_offset(ndr); ++ uint32_t size_msds_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_setup_relative_base_offset1(ndr, r, ndr->offset)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->msds, 4, sizeof(uint8_t), CH_DOS)); ++ size_msds_0 = 4; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->msds, size_msds_0, sizeof(uint8_t), CH_DOS)); + { + struct ndr_pull *_ndr_blob; + NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_blob, 0, -1)); +@@ -1728,13 +1748,17 @@ + + static enum ndr_err_code ndr_pull_supplementalCredentialsPackage(struct ndr_pull *ndr, int ndr_flags, struct supplementalCredentialsPackage *r) + { ++ uint32_t size_name_0 = 0; ++ uint32_t size_data_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 2)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->name_len)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->data_len)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->reserved)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, r->name_len, sizeof(uint8_t), CH_UTF16)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data, r->data_len, sizeof(uint8_t), CH_DOS)); ++ size_name_0 = r->name_len; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, size_name_0, sizeof(uint8_t), CH_UTF16)); ++ size_data_0 = r->data_len; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data, size_data_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1814,17 +1838,21 @@ + + static enum ndr_err_code ndr_pull_supplementalCredentialsSubBlob(struct ndr_pull *ndr, int ndr_flags, struct supplementalCredentialsSubBlob *r) + { ++ uint32_t size_prefix_0 = 0; ++ uint32_t size_packages_0 = 0; + uint32_t cntr_packages_0; + TALLOC_CTX *_mem_save_packages_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 3)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->prefix, 0x30, sizeof(uint16_t), CH_UTF16)); ++ size_prefix_0 = 0x30; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->prefix, size_prefix_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_supplementalCredentialsSignature(ndr, NDR_SCALARS, &r->signature)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_packages)); +- NDR_PULL_ALLOC_N(ndr, r->packages, r->num_packages); ++ size_packages_0 = r->num_packages; ++ NDR_PULL_ALLOC_N(ndr, r->packages, size_packages_0); + _mem_save_packages_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->packages, 0); +- for (cntr_packages_0 = 0; cntr_packages_0 < r->num_packages; cntr_packages_0++) { ++ for (cntr_packages_0 = 0; cntr_packages_0 < size_packages_0; cntr_packages_0++) { + NDR_CHECK(ndr_pull_supplementalCredentialsPackage(ndr, NDR_SCALARS, &r->packages[cntr_packages_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_packages_0, 0); +@@ -2201,8 +2229,10 @@ + + static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr3(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryKerberosCtr3 *r) + { ++ uint32_t size_keys_0 = 0; + uint32_t cntr_keys_0; + TALLOC_CTX *_mem_save_keys_0; ++ uint32_t size_old_keys_0 = 0; + uint32_t cntr_old_keys_0; + TALLOC_CTX *_mem_save_old_keys_0; + if (ndr_flags & NDR_SCALARS) { +@@ -2210,17 +2240,19 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_keys)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_old_keys)); + NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_SCALARS, &r->salt)); +- NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); ++ size_keys_0 = r->num_keys; ++ NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); + _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); +- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { ++ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->old_keys, r->num_old_keys); ++ size_old_keys_0 = r->num_old_keys; ++ NDR_PULL_ALLOC_N(ndr, r->old_keys, size_old_keys_0); + _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); +- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { ++ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_SCALARS, &r->old_keys[cntr_old_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); +@@ -2233,15 +2265,17 @@ + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_BUFFERS, &r->salt)); ++ size_keys_0 = r->num_keys; + _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); +- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { ++ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_BUFFERS, &r->keys[cntr_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); ++ size_old_keys_0 = r->num_old_keys; + _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); +- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { ++ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey3(ndr, NDR_BUFFERS, &r->old_keys[cntr_old_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); +@@ -2432,12 +2466,16 @@ + + static enum ndr_err_code ndr_pull_package_PrimaryKerberosCtr4(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryKerberosCtr4 *r) + { ++ uint32_t size_keys_0 = 0; + uint32_t cntr_keys_0; + TALLOC_CTX *_mem_save_keys_0; ++ uint32_t size_service_keys_0 = 0; + uint32_t cntr_service_keys_0; + TALLOC_CTX *_mem_save_service_keys_0; ++ uint32_t size_old_keys_0 = 0; + uint32_t cntr_old_keys_0; + TALLOC_CTX *_mem_save_old_keys_0; ++ uint32_t size_older_keys_0 = 0; + uint32_t cntr_older_keys_0; + TALLOC_CTX *_mem_save_older_keys_0; + if (ndr_flags & NDR_SCALARS) { +@@ -2448,31 +2486,35 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_older_keys)); + NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_SCALARS, &r->salt)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->default_iteration_count)); +- NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); ++ size_keys_0 = r->num_keys; ++ NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); + _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); +- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { ++ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->service_keys, r->num_service_keys); ++ size_service_keys_0 = r->num_service_keys; ++ NDR_PULL_ALLOC_N(ndr, r->service_keys, size_service_keys_0); + _mem_save_service_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->service_keys, 0); +- for (cntr_service_keys_0 = 0; cntr_service_keys_0 < r->num_service_keys; cntr_service_keys_0++) { ++ for (cntr_service_keys_0 = 0; cntr_service_keys_0 < size_service_keys_0; cntr_service_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->service_keys[cntr_service_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_keys_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->old_keys, r->num_old_keys); ++ size_old_keys_0 = r->num_old_keys; ++ NDR_PULL_ALLOC_N(ndr, r->old_keys, size_old_keys_0); + _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); +- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { ++ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->old_keys[cntr_old_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->older_keys, r->num_older_keys); ++ size_older_keys_0 = r->num_older_keys; ++ NDR_PULL_ALLOC_N(ndr, r->older_keys, size_older_keys_0); + _mem_save_older_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->older_keys, 0); +- for (cntr_older_keys_0 = 0; cntr_older_keys_0 < r->num_older_keys; cntr_older_keys_0++) { ++ for (cntr_older_keys_0 = 0; cntr_older_keys_0 < size_older_keys_0; cntr_older_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_SCALARS, &r->older_keys[cntr_older_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_older_keys_0, 0); +@@ -2480,27 +2522,31 @@ + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosString(ndr, NDR_BUFFERS, &r->salt)); ++ size_keys_0 = r->num_keys; + _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); +- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { ++ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->keys[cntr_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); ++ size_service_keys_0 = r->num_service_keys; + _mem_save_service_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->service_keys, 0); +- for (cntr_service_keys_0 = 0; cntr_service_keys_0 < r->num_service_keys; cntr_service_keys_0++) { ++ for (cntr_service_keys_0 = 0; cntr_service_keys_0 < size_service_keys_0; cntr_service_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->service_keys[cntr_service_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_keys_0, 0); ++ size_old_keys_0 = r->num_old_keys; + _mem_save_old_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->old_keys, 0); +- for (cntr_old_keys_0 = 0; cntr_old_keys_0 < r->num_old_keys; cntr_old_keys_0++) { ++ for (cntr_old_keys_0 = 0; cntr_old_keys_0 < size_old_keys_0; cntr_old_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->old_keys[cntr_old_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_old_keys_0, 0); ++ size_older_keys_0 = r->num_older_keys; + _mem_save_older_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->older_keys, 0); +- for (cntr_older_keys_0 = 0; cntr_older_keys_0 < r->num_older_keys; cntr_older_keys_0++) { ++ for (cntr_older_keys_0 = 0; cntr_older_keys_0 < size_older_keys_0; cntr_older_keys_0++) { + NDR_CHECK(ndr_pull_package_PrimaryKerberosKey4(ndr, NDR_BUFFERS, &r->older_keys[cntr_older_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_older_keys_0, 0); +@@ -2747,12 +2793,14 @@ + + static enum ndr_err_code ndr_pull_package_PrimaryWDigestHash(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryWDigestHash *r) + { ++ uint32_t size_hash_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); ++ size_hash_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -2798,6 +2846,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_package_PrimaryWDigestBlob(struct ndr_pull *ndr, int ndr_flags, struct package_PrimaryWDigestBlob *r) + { ++ uint32_t size_hashes_0 = 0; + uint32_t cntr_hashes_0; + TALLOC_CTX *_mem_save_hashes_0; + if (ndr_flags & NDR_SCALARS) { +@@ -2807,10 +2856,11 @@ + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_hashes)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown3)); + NDR_CHECK(ndr_pull_udlong(ndr, NDR_SCALARS, &r->uuknown4)); +- NDR_PULL_ALLOC_N(ndr, r->hashes, r->num_hashes); ++ size_hashes_0 = r->num_hashes; ++ NDR_PULL_ALLOC_N(ndr, r->hashes, size_hashes_0); + _mem_save_hashes_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->hashes, 0); +- for (cntr_hashes_0 = 0; cntr_hashes_0 < r->num_hashes; cntr_hashes_0++) { ++ for (cntr_hashes_0 = 0; cntr_hashes_0 < size_hashes_0; cntr_hashes_0++) { + NDR_CHECK(ndr_pull_package_PrimaryWDigestHash(ndr, NDR_SCALARS, &r->hashes[cntr_hashes_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_hashes_0, 0); +@@ -2925,11 +2975,13 @@ + + static enum ndr_err_code ndr_pull_AuthInfoClear(struct ndr_pull *ndr, int ndr_flags, struct AuthInfoClear *r) + { ++ uint32_t size_password_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); +- NDR_PULL_ALLOC_N(ndr, r->password, r->size); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->password, r->size)); ++ size_password_0 = r->size; ++ NDR_PULL_ALLOC_N(ndr, r->password, size_password_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->password, size_password_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -3326,6 +3378,7 @@ + static enum ndr_err_code ndr_pull_ExtendedErrorAString(struct ndr_pull *ndr, int ndr_flags, struct ExtendedErrorAString *r) + { + uint32_t _ptr_string; ++ uint32_t size_string_1 = 0; + TALLOC_CTX *_mem_save_string_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3343,7 +3396,8 @@ + _mem_save_string_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_size(ndr, &r->string), sizeof(uint8_t), CH_DOS)); ++ size_string_1 = ndr_get_array_size(ndr, &r->string); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, size_string_1, sizeof(uint8_t), CH_DOS)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); + } + if (r->string) { +@@ -3388,6 +3442,7 @@ + static enum ndr_err_code ndr_pull_ExtendedErrorUString(struct ndr_pull *ndr, int ndr_flags, struct ExtendedErrorUString *r) + { + uint32_t _ptr_string; ++ uint32_t size_string_1 = 0; + TALLOC_CTX *_mem_save_string_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3405,7 +3460,8 @@ + _mem_save_string_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_size(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); ++ size_string_1 = ndr_get_array_size(ndr, &r->string); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, size_string_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); + } + if (r->string) { +@@ -3450,6 +3506,7 @@ + static enum ndr_err_code ndr_pull_ExtendedErrorBlob(struct ndr_pull *ndr, int ndr_flags, struct ExtendedErrorBlob *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3467,8 +3524,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -3948,6 +4006,7 @@ + { + uint32_t _ptr_next; + TALLOC_CTX *_mem_save_next_0; ++ uint32_t size_params_0 = 0; + uint32_t cntr_params_0; + TALLOC_CTX *_mem_save_params_0; + if (ndr_flags & NDR_SCALARS) { +@@ -3967,10 +4026,11 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->detection_location)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->flags)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_params)); +- NDR_PULL_ALLOC_N(ndr, r->params, ndr_get_array_size(ndr, &r->params)); ++ size_params_0 = ndr_get_array_size(ndr, &r->params); ++ NDR_PULL_ALLOC_N(ndr, r->params, size_params_0); + _mem_save_params_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->params, 0); +- for (cntr_params_0 = 0; cntr_params_0 < r->num_params; cntr_params_0++) { ++ for (cntr_params_0 = 0; cntr_params_0 < size_params_0; cntr_params_0++) { + NDR_CHECK(ndr_pull_ExtendedErrorParam(ndr, NDR_SCALARS, &r->params[cntr_params_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_params_0, 0); +@@ -3987,9 +4047,10 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_next_0, 0); + } + NDR_CHECK(ndr_pull_ExtendedErrorComputerName(ndr, NDR_BUFFERS, &r->computer_name)); ++ size_params_0 = ndr_get_array_size(ndr, &r->params); + _mem_save_params_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->params, 0); +- for (cntr_params_0 = 0; cntr_params_0 < r->num_params; cntr_params_0++) { ++ for (cntr_params_0 = 0; cntr_params_0 < size_params_0; cntr_params_0++) { + NDR_CHECK(ndr_pull_ExtendedErrorParam(ndr, NDR_BUFFERS, &r->params[cntr_params_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_params_0, 0); +@@ -4095,10 +4156,12 @@ + + static enum ndr_err_code ndr_pull_ForestTrustString(struct ndr_pull *ndr, int ndr_flags, struct ForestTrustString *r) + { ++ uint32_t size_string_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, r->size, sizeof(uint8_t), CH_UTF8)); ++ size_string_0 = r->size; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, size_string_0, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -4203,14 +4266,16 @@ + + static enum ndr_err_code ndr_pull_ForestTrustDataBinaryData(struct ndr_pull *ndr, int ndr_flags, struct ForestTrustDataBinaryData *r) + { ++ uint32_t size_data_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); +- NDR_PULL_ALLOC_N(ndr, r->data, r->size); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, r->size)); ++ size_data_0 = r->size; ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -4515,6 +4580,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_ForestTrustInfo(struct ndr_pull *ndr, int ndr_flags, struct ForestTrustInfo *r) + { ++ uint32_t size_records_0 = 0; + uint32_t cntr_records_0; + TALLOC_CTX *_mem_save_records_0; + { +@@ -4524,10 +4590,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); +- NDR_PULL_ALLOC_N(ndr, r->records, r->count); ++ size_records_0 = r->count; ++ NDR_PULL_ALLOC_N(ndr, r->records, size_records_0); + _mem_save_records_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->records, 0); +- for (cntr_records_0 = 0; cntr_records_0 < r->count; cntr_records_0++) { ++ for (cntr_records_0 = 0; cntr_records_0 < size_records_0; cntr_records_0++) { + NDR_CHECK(ndr_pull_ForestTrustInfoRecordArmor(ndr, NDR_SCALARS, &r->records[cntr_records_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_records_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_drsuapi.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_drsuapi.c 2012-04-12 12:09:50.919287461 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_drsuapi.c 2012-04-12 12:19:20.595301000 -0500 +@@ -535,6 +535,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjectIdentifier *r) + { ++ uint32_t size_dn_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->dn)); + NDR_CHECK(ndr_pull_align(ndr, 4)); +@@ -543,7 +544,8 @@ + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); + NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_SCALARS, &r->sid)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_dn)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, ndr_get_array_size(ndr, &r->dn), sizeof(uint16_t), CH_UTF16)); ++ size_dn_0 = ndr_get_array_size(ndr, &r->dn); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, size_dn_0, sizeof(uint16_t), CH_UTF16)); + if (r->dn) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->dn, r->__ndr_size_dn + 1)); + } +@@ -851,6 +853,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtrEx(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursorCtrEx *r) + { ++ uint32_t size_cursors_0 = 0; + uint32_t cntr_cursors_0; + TALLOC_CTX *_mem_save_cursors_0; + if (ndr_flags & NDR_SCALARS) { +@@ -863,10 +866,11 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved2)); +- NDR_PULL_ALLOC_N(ndr, r->cursors, ndr_get_array_size(ndr, &r->cursors)); ++ size_cursors_0 = ndr_get_array_size(ndr, &r->cursors); ++ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); + _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); +- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { ++ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); +@@ -1119,6 +1123,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOID(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOID *r) + { + uint32_t _ptr_binary_oid; ++ uint32_t size_binary_oid_1 = 0; + TALLOC_CTX *_mem_save_binary_oid_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1139,8 +1144,9 @@ + _mem_save_binary_oid_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->binary_oid, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->binary_oid)); +- NDR_PULL_ALLOC_N(ndr, r->binary_oid, ndr_get_array_size(ndr, &r->binary_oid)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->binary_oid, ndr_get_array_size(ndr, &r->binary_oid))); ++ size_binary_oid_1 = ndr_get_array_size(ndr, &r->binary_oid); ++ NDR_PULL_ALLOC_N(ndr, r->binary_oid, size_binary_oid_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->binary_oid, size_binary_oid_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_oid_0, 0); + } + if (r->binary_oid) { +@@ -1214,6 +1220,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaOIDMapping_Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOIDMapping_Ctr *r) + { + uint32_t _ptr_mappings; ++ uint32_t size_mappings_1 = 0; + uint32_t cntr_mappings_1; + TALLOC_CTX *_mem_save_mappings_0; + TALLOC_CTX *_mem_save_mappings_1; +@@ -1236,13 +1243,14 @@ + _mem_save_mappings_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->mappings, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->mappings)); +- NDR_PULL_ALLOC_N(ndr, r->mappings, ndr_get_array_size(ndr, &r->mappings)); ++ size_mappings_1 = ndr_get_array_size(ndr, &r->mappings); ++ NDR_PULL_ALLOC_N(ndr, r->mappings, size_mappings_1); + _mem_save_mappings_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->mappings, 0); +- for (cntr_mappings_1 = 0; cntr_mappings_1 < r->num_mappings; cntr_mappings_1++) { ++ for (cntr_mappings_1 = 0; cntr_mappings_1 < size_mappings_1; cntr_mappings_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaOIDMapping(ndr, NDR_SCALARS, &r->mappings[cntr_mappings_1])); + } +- for (cntr_mappings_1 = 0; cntr_mappings_1 < r->num_mappings; cntr_mappings_1++) { ++ for (cntr_mappings_1 = 0; cntr_mappings_1 < size_mappings_1; cntr_mappings_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaOIDMapping(ndr, NDR_BUFFERS, &r->mappings[cntr_mappings_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_mappings_1, 0); +@@ -1426,6 +1434,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsPartialAttributeSet(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsPartialAttributeSet *r) + { ++ uint32_t size_attids_0 = 0; + uint32_t cntr_attids_0; + TALLOC_CTX *_mem_save_attids_0; + if (ndr_flags & NDR_SCALARS) { +@@ -1437,10 +1446,11 @@ + if (r->num_attids < 1 || r->num_attids > 0x100000) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_PULL_ALLOC_N(ndr, r->attids, ndr_get_array_size(ndr, &r->attids)); ++ size_attids_0 = ndr_get_array_size(ndr, &r->attids); ++ NDR_PULL_ALLOC_N(ndr, r->attids, size_attids_0); + _mem_save_attids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->attids, 0); +- for (cntr_attids_0 = 0; cntr_attids_0 < r->num_attids; cntr_attids_0++) { ++ for (cntr_attids_0 = 0; cntr_attids_0 < size_attids_0; cntr_attids_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsAttributeId(ndr, NDR_SCALARS, &r->attids[cntr_attids_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attids_0, 0); +@@ -1959,6 +1969,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2CtrEx(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor2CtrEx *r) + { ++ uint32_t size_cursors_0 = 0; + uint32_t cntr_cursors_0; + TALLOC_CTX *_mem_save_cursors_0; + if (ndr_flags & NDR_SCALARS) { +@@ -1971,10 +1982,11 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved2)); +- NDR_PULL_ALLOC_N(ndr, r->cursors, ndr_get_array_size(ndr, &r->cursors)); ++ size_cursors_0 = ndr_get_array_size(ndr, &r->cursors); ++ NDR_PULL_ALLOC_N(ndr, r->cursors, size_cursors_0); + _mem_save_cursors_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->cursors, 0); +- for (cntr_cursors_0 = 0; cntr_cursors_0 < r->count; cntr_cursors_0++) { ++ for (cntr_cursors_0 = 0; cntr_cursors_0 < size_cursors_0; cntr_cursors_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor2(ndr, NDR_SCALARS, &r->cursors[cntr_cursors_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cursors_0, 0); +@@ -2093,6 +2105,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsAttributeValueCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsAttributeValueCtr *r) + { + uint32_t _ptr_values; ++ uint32_t size_values_1 = 0; + uint32_t cntr_values_1; + TALLOC_CTX *_mem_save_values_0; + TALLOC_CTX *_mem_save_values_1; +@@ -2115,13 +2128,14 @@ + _mem_save_values_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->values, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->values)); +- NDR_PULL_ALLOC_N(ndr, r->values, ndr_get_array_size(ndr, &r->values)); ++ size_values_1 = ndr_get_array_size(ndr, &r->values); ++ NDR_PULL_ALLOC_N(ndr, r->values, size_values_1); + _mem_save_values_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->values, 0); +- for (cntr_values_1 = 0; cntr_values_1 < r->num_values; cntr_values_1++) { ++ for (cntr_values_1 = 0; cntr_values_1 < size_values_1; cntr_values_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsAttributeValue(ndr, NDR_SCALARS, &r->values[cntr_values_1])); + } +- for (cntr_values_1 = 0; cntr_values_1 < r->num_values; cntr_values_1++) { ++ for (cntr_values_1 = 0; cntr_values_1 < size_values_1; cntr_values_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsAttributeValue(ndr, NDR_BUFFERS, &r->values[cntr_values_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_values_1, 0); +@@ -2175,6 +2189,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjectIdentifier3 *r) + { ++ uint32_t size_dn_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size)); +@@ -2182,7 +2197,8 @@ + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); + NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_SCALARS, &r->sid)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_dn)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, r->__ndr_size_dn + 1, sizeof(uint16_t), CH_UTF16)); ++ size_dn_0 = r->__ndr_size_dn + 1; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, size_dn_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -2237,6 +2253,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjectIdentifier3Binary(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjectIdentifier3Binary *r) + { ++ uint32_t size_dn_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size)); +@@ -2244,7 +2261,8 @@ + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->guid)); + NDR_CHECK(ndr_pull_dom_sid28(ndr, NDR_SCALARS, &r->sid)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_dn)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, r->__ndr_size_dn + 1, sizeof(uint16_t), CH_UTF16)); ++ size_dn_0 = r->__ndr_size_dn + 1; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dn, size_dn_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__ndr_size_binary)); + { + uint32_t _flags_save_DATA_BLOB = ndr->flags; +@@ -2330,6 +2348,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttributeCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttributeCtr *r) + { + uint32_t _ptr_attributes; ++ uint32_t size_attributes_1 = 0; + uint32_t cntr_attributes_1; + TALLOC_CTX *_mem_save_attributes_0; + TALLOC_CTX *_mem_save_attributes_1; +@@ -2352,13 +2371,14 @@ + _mem_save_attributes_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->attributes, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->attributes)); +- NDR_PULL_ALLOC_N(ndr, r->attributes, ndr_get_array_size(ndr, &r->attributes)); ++ size_attributes_1 = ndr_get_array_size(ndr, &r->attributes); ++ NDR_PULL_ALLOC_N(ndr, r->attributes, size_attributes_1); + _mem_save_attributes_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->attributes, 0); +- for (cntr_attributes_1 = 0; cntr_attributes_1 < r->num_attributes; cntr_attributes_1++) { ++ for (cntr_attributes_1 = 0; cntr_attributes_1 < size_attributes_1; cntr_attributes_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttribute(ndr, NDR_SCALARS, &r->attributes[cntr_attributes_1])); + } +- for (cntr_attributes_1 = 0; cntr_attributes_1 < r->num_attributes; cntr_attributes_1++) { ++ for (cntr_attributes_1 = 0; cntr_attributes_1 < size_attributes_1; cntr_attributes_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttribute(ndr, NDR_BUFFERS, &r->attributes[cntr_attributes_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attributes_1, 0); +@@ -2539,6 +2559,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_drsuapi_DsReplicaMetaDataCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaMetaDataCtr *r) + { ++ uint32_t size_meta_data_0 = 0; + uint32_t cntr_meta_data_0; + TALLOC_CTX *_mem_save_meta_data_0; + if (ndr_flags & NDR_SCALARS) { +@@ -2548,10 +2569,11 @@ + if (r->count > 1048576) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_PULL_ALLOC_N(ndr, r->meta_data, ndr_get_array_size(ndr, &r->meta_data)); ++ size_meta_data_0 = ndr_get_array_size(ndr, &r->meta_data); ++ NDR_PULL_ALLOC_N(ndr, r->meta_data, size_meta_data_0); + _mem_save_meta_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->meta_data, 0); +- for (cntr_meta_data_0 = 0; cntr_meta_data_0 < r->count; cntr_meta_data_0++) { ++ for (cntr_meta_data_0 = 0; cntr_meta_data_0 < size_meta_data_0; cntr_meta_data_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaMetaData(ndr, NDR_SCALARS, &r->meta_data[cntr_meta_data_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_meta_data_0, 0); +@@ -2949,6 +2971,7 @@ + uint32_t _ptr_first_object; + TALLOC_CTX *_mem_save_first_object_0; + uint32_t _ptr_linked_attributes; ++ uint32_t size_linked_attributes_1 = 0; + uint32_t cntr_linked_attributes_1; + TALLOC_CTX *_mem_save_linked_attributes_0; + TALLOC_CTX *_mem_save_linked_attributes_1; +@@ -3020,13 +3043,14 @@ + _mem_save_linked_attributes_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->linked_attributes, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->linked_attributes)); +- NDR_PULL_ALLOC_N(ndr, r->linked_attributes, ndr_get_array_size(ndr, &r->linked_attributes)); ++ size_linked_attributes_1 = ndr_get_array_size(ndr, &r->linked_attributes); ++ NDR_PULL_ALLOC_N(ndr, r->linked_attributes, size_linked_attributes_1); + _mem_save_linked_attributes_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->linked_attributes, 0); +- for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < r->linked_attributes_count; cntr_linked_attributes_1++) { ++ for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < size_linked_attributes_1; cntr_linked_attributes_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaLinkedAttribute(ndr, NDR_SCALARS, &r->linked_attributes[cntr_linked_attributes_1])); + } +- for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < r->linked_attributes_count; cntr_linked_attributes_1++) { ++ for (cntr_linked_attributes_1 = 0; cntr_linked_attributes_1 < size_linked_attributes_1; cntr_linked_attributes_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaLinkedAttribute(ndr, NDR_BUFFERS, &r->linked_attributes[cntr_linked_attributes_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_linked_attributes_1, 0); +@@ -3819,6 +3843,8 @@ + uint32_t _ptr_naming_context; + TALLOC_CTX *_mem_save_naming_context_0; + uint32_t _ptr_dest_dsa_dns_name; ++ uint32_t size_dest_dsa_dns_name_1 = 0; ++ uint32_t length_dest_dsa_dns_name_1 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_ref_ptr(ndr, &_ptr_naming_context)); +@@ -3844,11 +3870,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_naming_context_0, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dest_dsa_dns_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dest_dsa_dns_name)); +- if (ndr_get_array_length(ndr, &r->dest_dsa_dns_name) > ndr_get_array_size(ndr, &r->dest_dsa_dns_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dest_dsa_dns_name), ndr_get_array_length(ndr, &r->dest_dsa_dns_name)); ++ size_dest_dsa_dns_name_1 = ndr_get_array_size(ndr, &r->dest_dsa_dns_name); ++ length_dest_dsa_dns_name_1 = ndr_get_array_length(ndr, &r->dest_dsa_dns_name); ++ if (length_dest_dsa_dns_name_1 > size_dest_dsa_dns_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dest_dsa_dns_name_1, length_dest_dsa_dns_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dest_dsa_dns_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dest_dsa_dns_name, ndr_get_array_length(ndr, &r->dest_dsa_dns_name), sizeof(uint8_t), CH_DOS)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dest_dsa_dns_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dest_dsa_dns_name, length_dest_dsa_dns_name_1, sizeof(uint8_t), CH_DOS)); + } + return NDR_ERR_SUCCESS; + } +@@ -3980,7 +4008,10 @@ + uint32_t _ptr_naming_context; + TALLOC_CTX *_mem_save_naming_context_0; + uint32_t _ptr_source_dsa_address; ++ uint32_t size_source_dsa_address_1 = 0; ++ uint32_t length_source_dsa_address_1 = 0; + TALLOC_CTX *_mem_save_source_dsa_address_0; ++ uint32_t size_schedule_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_ref_ptr(ndr, &_ptr_naming_context)); +@@ -3995,7 +4026,8 @@ + } else { + r->source_dsa_address = NULL; + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); ++ size_schedule_0 = 84; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); + NDR_CHECK(ndr_pull_drsuapi_DrsOptions(ndr, NDR_SCALARS, &r->options)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } +@@ -4009,11 +4041,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_address, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_address)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_address)); +- if (ndr_get_array_length(ndr, &r->source_dsa_address) > ndr_get_array_size(ndr, &r->source_dsa_address)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_address), ndr_get_array_length(ndr, &r->source_dsa_address)); ++ size_source_dsa_address_1 = ndr_get_array_size(ndr, &r->source_dsa_address); ++ length_source_dsa_address_1 = ndr_get_array_length(ndr, &r->source_dsa_address); ++ if (length_source_dsa_address_1 > size_source_dsa_address_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_address_1, length_source_dsa_address_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_address_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, length_source_dsa_address_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_address_0, 0); + } + } +@@ -4082,7 +4116,10 @@ + uint32_t _ptr_transport_dn; + TALLOC_CTX *_mem_save_transport_dn_0; + uint32_t _ptr_source_dsa_address; ++ uint32_t size_source_dsa_address_1 = 0; ++ uint32_t length_source_dsa_address_1 = 0; + TALLOC_CTX *_mem_save_source_dsa_address_0; ++ uint32_t size_schedule_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_ref_ptr(ndr, &_ptr_naming_context)); +@@ -4109,7 +4146,8 @@ + } else { + r->source_dsa_address = NULL; + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); ++ size_schedule_0 = 84; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); + NDR_CHECK(ndr_pull_drsuapi_DrsOptions(ndr, NDR_SCALARS, &r->options)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } +@@ -4135,11 +4173,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_address, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_address)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_address)); +- if (ndr_get_array_length(ndr, &r->source_dsa_address) > ndr_get_array_size(ndr, &r->source_dsa_address)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_address), ndr_get_array_length(ndr, &r->source_dsa_address)); ++ size_source_dsa_address_1 = ndr_get_array_size(ndr, &r->source_dsa_address); ++ length_source_dsa_address_1 = ndr_get_array_length(ndr, &r->source_dsa_address); ++ if (length_source_dsa_address_1 > size_source_dsa_address_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_address_1, length_source_dsa_address_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_address_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, length_source_dsa_address_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_address_0, 0); + } + } +@@ -4306,6 +4346,8 @@ + uint32_t _ptr_naming_context; + TALLOC_CTX *_mem_save_naming_context_0; + uint32_t _ptr_source_dsa_address; ++ uint32_t size_source_dsa_address_1 = 0; ++ uint32_t length_source_dsa_address_1 = 0; + TALLOC_CTX *_mem_save_source_dsa_address_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4334,11 +4376,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_address, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_address)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_address)); +- if (ndr_get_array_length(ndr, &r->source_dsa_address) > ndr_get_array_size(ndr, &r->source_dsa_address)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_address), ndr_get_array_length(ndr, &r->source_dsa_address)); ++ size_source_dsa_address_1 = ndr_get_array_size(ndr, &r->source_dsa_address); ++ length_source_dsa_address_1 = ndr_get_array_length(ndr, &r->source_dsa_address); ++ if (length_source_dsa_address_1 > size_source_dsa_address_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_address_1, length_source_dsa_address_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_address_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, length_source_dsa_address_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_address_0, 0); + } + } +@@ -4476,7 +4520,10 @@ + uint32_t _ptr_naming_context; + TALLOC_CTX *_mem_save_naming_context_0; + uint32_t _ptr_source_dra_address; ++ uint32_t size_source_dra_address_1 = 0; ++ uint32_t length_source_dra_address_1 = 0; + TALLOC_CTX *_mem_save_source_dra_address_0; ++ uint32_t size_schedule_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_ref_ptr(ndr, &_ptr_naming_context)); +@@ -4492,7 +4539,8 @@ + } else { + r->source_dra_address = NULL; + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, 84)); ++ size_schedule_0 = 84; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->schedule, size_schedule_0)); + NDR_CHECK(ndr_pull_drsuapi_DrsOptions(ndr, NDR_SCALARS, &r->replica_flags)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->modify_fields)); + NDR_CHECK(ndr_pull_drsuapi_DrsOptions(ndr, NDR_SCALARS, &r->options)); +@@ -4508,11 +4556,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->source_dra_address, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dra_address)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dra_address)); +- if (ndr_get_array_length(ndr, &r->source_dra_address) > ndr_get_array_size(ndr, &r->source_dra_address)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dra_address), ndr_get_array_length(ndr, &r->source_dra_address)); ++ size_source_dra_address_1 = ndr_get_array_size(ndr, &r->source_dra_address); ++ length_source_dra_address_1 = ndr_get_array_length(ndr, &r->source_dra_address); ++ if (length_source_dra_address_1 > size_source_dra_address_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dra_address_1, length_source_dra_address_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dra_address), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dra_address, ndr_get_array_length(ndr, &r->source_dra_address), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dra_address_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dra_address, length_source_dra_address_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dra_address_0, 0); + } + } +@@ -4702,15 +4752,18 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetMembershipsCtr1 *r) + { + uint32_t _ptr_info_array; ++ uint32_t size_info_array_1 = 0; + uint32_t cntr_info_array_1; + TALLOC_CTX *_mem_save_info_array_0; + TALLOC_CTX *_mem_save_info_array_1; + TALLOC_CTX *_mem_save_info_array_2; + uint32_t _ptr_group_attrs; ++ uint32_t size_group_attrs_1 = 0; + uint32_t cntr_group_attrs_1; + TALLOC_CTX *_mem_save_group_attrs_0; + TALLOC_CTX *_mem_save_group_attrs_1; + uint32_t _ptr_sids; ++ uint32_t size_sids_1 = 0; + uint32_t cntr_sids_1; + TALLOC_CTX *_mem_save_sids_0; + TALLOC_CTX *_mem_save_sids_1; +@@ -4751,10 +4804,11 @@ + _mem_save_info_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->info_array)); +- NDR_PULL_ALLOC_N(ndr, r->info_array, ndr_get_array_size(ndr, &r->info_array)); ++ size_info_array_1 = ndr_get_array_size(ndr, &r->info_array); ++ NDR_PULL_ALLOC_N(ndr, r->info_array, size_info_array_1); + _mem_save_info_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); +- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->num_memberships; cntr_info_array_1++) { ++ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info_array)); + if (_ptr_info_array) { + NDR_PULL_ALLOC(ndr, r->info_array[cntr_info_array_1]); +@@ -4762,7 +4816,7 @@ + r->info_array[cntr_info_array_1] = NULL; + } + } +- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->num_memberships; cntr_info_array_1++) { ++ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { + if (r->info_array[cntr_info_array_1]) { + _mem_save_info_array_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->info_array[cntr_info_array_1], 0); +@@ -4777,10 +4831,11 @@ + _mem_save_group_attrs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->group_attrs, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->group_attrs)); +- NDR_PULL_ALLOC_N(ndr, r->group_attrs, ndr_get_array_size(ndr, &r->group_attrs)); ++ size_group_attrs_1 = ndr_get_array_size(ndr, &r->group_attrs); ++ NDR_PULL_ALLOC_N(ndr, r->group_attrs, size_group_attrs_1); + _mem_save_group_attrs_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->group_attrs, 0); +- for (cntr_group_attrs_1 = 0; cntr_group_attrs_1 < r->num_memberships; cntr_group_attrs_1++) { ++ for (cntr_group_attrs_1 = 0; cntr_group_attrs_1 < size_group_attrs_1; cntr_group_attrs_1++) { + NDR_CHECK(ndr_pull_samr_GroupAttrs(ndr, NDR_SCALARS, &r->group_attrs[cntr_group_attrs_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_attrs_1, 0); +@@ -4790,10 +4845,11 @@ + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_1 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); + _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sids)); + if (_ptr_sids) { + NDR_PULL_ALLOC(ndr, r->sids[cntr_sids_1]); +@@ -4801,7 +4857,7 @@ + r->sids[cntr_sids_1] = NULL; + } + } +- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + if (r->sids[cntr_sids_1]) { + _mem_save_sids_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids[cntr_sids_1], 0); +@@ -4995,6 +5051,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetMembershipsRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetMembershipsRequest1 *r) + { + uint32_t _ptr_info_array; ++ uint32_t size_info_array_1 = 0; + uint32_t cntr_info_array_1; + TALLOC_CTX *_mem_save_info_array_0; + TALLOC_CTX *_mem_save_info_array_1; +@@ -5031,10 +5088,11 @@ + _mem_save_info_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->info_array)); +- NDR_PULL_ALLOC_N(ndr, r->info_array, ndr_get_array_size(ndr, &r->info_array)); ++ size_info_array_1 = ndr_get_array_size(ndr, &r->info_array); ++ NDR_PULL_ALLOC_N(ndr, r->info_array, size_info_array_1); + _mem_save_info_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->info_array, 0); +- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->count; cntr_info_array_1++) { ++ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info_array)); + if (_ptr_info_array) { + NDR_PULL_ALLOC(ndr, r->info_array[cntr_info_array_1]); +@@ -5042,7 +5100,7 @@ + r->info_array[cntr_info_array_1] = NULL; + } + } +- for (cntr_info_array_1 = 0; cntr_info_array_1 < r->count; cntr_info_array_1++) { ++ for (cntr_info_array_1 = 0; cntr_info_array_1 < size_info_array_1; cntr_info_array_1++) { + if (r->info_array[cntr_info_array_1]) { + _mem_save_info_array_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->info_array[cntr_info_array_1], 0); +@@ -5224,6 +5282,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetNT4ChangeLogRequest1 *r) + { + uint32_t _ptr_restart_data; ++ uint32_t size_restart_data_1 = 0; + TALLOC_CTX *_mem_save_restart_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -5246,8 +5305,9 @@ + _mem_save_restart_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->restart_data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->restart_data)); +- NDR_PULL_ALLOC_N(ndr, r->restart_data, ndr_get_array_size(ndr, &r->restart_data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->restart_data, ndr_get_array_size(ndr, &r->restart_data))); ++ size_restart_data_1 = ndr_get_array_size(ndr, &r->restart_data); ++ NDR_PULL_ALLOC_N(ndr, r->restart_data, size_restart_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->restart_data, size_restart_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_restart_data_0, 0); + } + if (r->restart_data) { +@@ -5386,8 +5446,10 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetNT4ChangeLogInfo1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetNT4ChangeLogInfo1 *r) + { + uint32_t _ptr_restart_data; ++ uint32_t size_restart_data_1 = 0; + TALLOC_CTX *_mem_save_restart_data_0; + uint32_t _ptr_log_data; ++ uint32_t size_log_data_1 = 0; + TALLOC_CTX *_mem_save_log_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +@@ -5425,16 +5487,18 @@ + _mem_save_restart_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->restart_data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->restart_data)); +- NDR_PULL_ALLOC_N(ndr, r->restart_data, ndr_get_array_size(ndr, &r->restart_data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->restart_data, ndr_get_array_size(ndr, &r->restart_data))); ++ size_restart_data_1 = ndr_get_array_size(ndr, &r->restart_data); ++ NDR_PULL_ALLOC_N(ndr, r->restart_data, size_restart_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->restart_data, size_restart_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_restart_data_0, 0); + } + if (r->log_data) { + _mem_save_log_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->log_data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->log_data)); +- NDR_PULL_ALLOC_N(ndr, r->log_data, ndr_get_array_size(ndr, &r->log_data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->log_data, ndr_get_array_size(ndr, &r->log_data))); ++ size_log_data_1 = ndr_get_array_size(ndr, &r->log_data); ++ NDR_PULL_ALLOC_N(ndr, r->log_data, size_log_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->log_data, size_log_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_log_data_0, 0); + } + if (r->restart_data) { +@@ -5686,6 +5750,8 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsNameString(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameString *r) + { + uint32_t _ptr_str; ++ uint32_t size_str_1 = 0; ++ uint32_t length_str_1 = 0; + TALLOC_CTX *_mem_save_str_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -5703,11 +5769,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->str, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->str)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->str)); +- if (ndr_get_array_length(ndr, &r->str) > ndr_get_array_size(ndr, &r->str)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->str), ndr_get_array_length(ndr, &r->str)); ++ size_str_1 = ndr_get_array_size(ndr, &r->str); ++ length_str_1 = ndr_get_array_length(ndr, &r->str); ++ if (length_str_1 > size_str_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_str_1, length_str_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->str), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str, ndr_get_array_length(ndr, &r->str), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_str_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str, length_str_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_str_0, 0); + } + } +@@ -5759,6 +5827,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsNameRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameRequest1 *r) + { + uint32_t _ptr_names; ++ uint32_t size_names_1 = 0; + uint32_t cntr_names_1; + TALLOC_CTX *_mem_save_names_0; + TALLOC_CTX *_mem_save_names_1; +@@ -5786,13 +5855,14 @@ + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); +- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); ++ size_names_1 = ndr_get_array_size(ndr, &r->names); ++ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); + _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_SCALARS, &r->names[cntr_names_1])); + } +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); +@@ -5939,8 +6009,12 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsNameInfo1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameInfo1 *r) + { + uint32_t _ptr_dns_domain_name; ++ uint32_t size_dns_domain_name_1 = 0; ++ uint32_t length_dns_domain_name_1 = 0; + TALLOC_CTX *_mem_save_dns_domain_name_0; + uint32_t _ptr_result_name; ++ uint32_t size_result_name_1 = 0; ++ uint32_t length_result_name_1 = 0; + TALLOC_CTX *_mem_save_result_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -5965,11 +6039,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dns_domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_domain_name)); +- if (ndr_get_array_length(ndr, &r->dns_domain_name) > ndr_get_array_size(ndr, &r->dns_domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_domain_name), ndr_get_array_length(ndr, &r->dns_domain_name)); ++ size_dns_domain_name_1 = ndr_get_array_size(ndr, &r->dns_domain_name); ++ length_dns_domain_name_1 = ndr_get_array_length(ndr, &r->dns_domain_name); ++ if (length_dns_domain_name_1 > size_dns_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_domain_name_1, length_dns_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain_name, ndr_get_array_length(ndr, &r->dns_domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain_name, length_dns_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_domain_name_0, 0); + } + if (r->result_name) { +@@ -5977,11 +6053,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->result_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->result_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->result_name)); +- if (ndr_get_array_length(ndr, &r->result_name) > ndr_get_array_size(ndr, &r->result_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->result_name), ndr_get_array_length(ndr, &r->result_name)); ++ size_result_name_1 = ndr_get_array_size(ndr, &r->result_name); ++ length_result_name_1 = ndr_get_array_length(ndr, &r->result_name); ++ if (length_result_name_1 > size_result_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_result_name_1, length_result_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->result_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->result_name, ndr_get_array_length(ndr, &r->result_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_result_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->result_name, length_result_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_result_name_0, 0); + } + } +@@ -6035,6 +6113,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsNameCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsNameCtr1 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -6054,13 +6133,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsNameInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsNameInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -6131,6 +6211,7 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr1_0; ++ uint32_t _ptr_ctr1; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -6141,7 +6222,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_ctr1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); + if (_ptr_ctr1) { + NDR_PULL_ALLOC(ndr, r->ctr1); +@@ -6253,8 +6333,11 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsWriteAccountSpnRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsWriteAccountSpnRequest1 *r) + { + uint32_t _ptr_object_dn; ++ uint32_t size_object_dn_1 = 0; ++ uint32_t length_object_dn_1 = 0; + TALLOC_CTX *_mem_save_object_dn_0; + uint32_t _ptr_spn_names; ++ uint32_t size_spn_names_1 = 0; + uint32_t cntr_spn_names_1; + TALLOC_CTX *_mem_save_spn_names_0; + TALLOC_CTX *_mem_save_spn_names_1; +@@ -6286,24 +6369,27 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); +- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); ++ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); ++ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); ++ if (length_object_dn_1 > size_object_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); + } + if (r->spn_names) { + _mem_save_spn_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->spn_names, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->spn_names)); +- NDR_PULL_ALLOC_N(ndr, r->spn_names, ndr_get_array_size(ndr, &r->spn_names)); ++ size_spn_names_1 = ndr_get_array_size(ndr, &r->spn_names); ++ NDR_PULL_ALLOC_N(ndr, r->spn_names, size_spn_names_1); + _mem_save_spn_names_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->spn_names, 0); +- for (cntr_spn_names_1 = 0; cntr_spn_names_1 < r->count; cntr_spn_names_1++) { ++ for (cntr_spn_names_1 = 0; cntr_spn_names_1 < size_spn_names_1; cntr_spn_names_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_SCALARS, &r->spn_names[cntr_spn_names_1])); + } +- for (cntr_spn_names_1 = 0; cntr_spn_names_1 < r->count; cntr_spn_names_1++) { ++ for (cntr_spn_names_1 = 0; cntr_spn_names_1 < size_spn_names_1; cntr_spn_names_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsNameString(ndr, NDR_BUFFERS, &r->spn_names[cntr_spn_names_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_spn_names_1, 0); +@@ -6563,8 +6649,12 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsRemoveDSServerRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsRemoveDSServerRequest1 *r) + { + uint32_t _ptr_server_dn; ++ uint32_t size_server_dn_1 = 0; ++ uint32_t length_server_dn_1 = 0; + TALLOC_CTX *_mem_save_server_dn_0; + uint32_t _ptr_domain_dn; ++ uint32_t size_domain_dn_1 = 0; ++ uint32_t length_domain_dn_1 = 0; + TALLOC_CTX *_mem_save_domain_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -6589,11 +6679,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); +- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); ++ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); ++ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); ++ if (length_server_dn_1 > size_server_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); + } + if (r->domain_dn) { +@@ -6601,11 +6693,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_dn)); +- if (ndr_get_array_length(ndr, &r->domain_dn) > ndr_get_array_size(ndr, &r->domain_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_dn), ndr_get_array_length(ndr, &r->domain_dn)); ++ size_domain_dn_1 = ndr_get_array_size(ndr, &r->domain_dn); ++ length_domain_dn_1 = ndr_get_array_length(ndr, &r->domain_dn); ++ if (length_domain_dn_1 > size_domain_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_dn_1, length_domain_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_dn, ndr_get_array_length(ndr, &r->domain_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_dn, length_domain_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_dn_0, 0); + } + } +@@ -6844,6 +6938,8 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoRequest1 *r) + { + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + TALLOC_CTX *_mem_save_domain_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -6862,11 +6958,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); +- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + } +@@ -7018,14 +7116,24 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfo1 *r) + { + uint32_t _ptr_netbios_name; ++ uint32_t size_netbios_name_1 = 0; ++ uint32_t length_netbios_name_1 = 0; + TALLOC_CTX *_mem_save_netbios_name_0; + uint32_t _ptr_dns_name; ++ uint32_t size_dns_name_1 = 0; ++ uint32_t length_dns_name_1 = 0; + TALLOC_CTX *_mem_save_dns_name_0; + uint32_t _ptr_site_name; ++ uint32_t size_site_name_1 = 0; ++ uint32_t length_site_name_1 = 0; + TALLOC_CTX *_mem_save_site_name_0; + uint32_t _ptr_computer_dn; ++ uint32_t size_computer_dn_1 = 0; ++ uint32_t length_computer_dn_1 = 0; + TALLOC_CTX *_mem_save_computer_dn_0; + uint32_t _ptr_server_dn; ++ uint32_t size_server_dn_1 = 0; ++ uint32_t length_server_dn_1 = 0; + TALLOC_CTX *_mem_save_server_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7069,11 +7177,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); +- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); ++ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); ++ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); ++ if (length_netbios_name_1 > size_netbios_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); + } + if (r->dns_name) { +@@ -7081,11 +7191,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); +- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); ++ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); ++ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); ++ if (length_dns_name_1 > size_dns_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); + } + if (r->site_name) { +@@ -7093,11 +7205,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->site_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->site_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->site_name)); +- if (ndr_get_array_length(ndr, &r->site_name) > ndr_get_array_size(ndr, &r->site_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_name), ndr_get_array_length(ndr, &r->site_name)); ++ size_site_name_1 = ndr_get_array_size(ndr, &r->site_name); ++ length_site_name_1 = ndr_get_array_length(ndr, &r->site_name); ++ if (length_site_name_1 > size_site_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); + } + if (r->computer_dn) { +@@ -7105,11 +7219,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->computer_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_dn)); +- if (ndr_get_array_length(ndr, &r->computer_dn) > ndr_get_array_size(ndr, &r->computer_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_dn), ndr_get_array_length(ndr, &r->computer_dn)); ++ size_computer_dn_1 = ndr_get_array_size(ndr, &r->computer_dn); ++ length_computer_dn_1 = ndr_get_array_length(ndr, &r->computer_dn); ++ if (length_computer_dn_1 > size_computer_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_dn_1, length_computer_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, length_computer_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_dn_0, 0); + } + if (r->server_dn) { +@@ -7117,11 +7233,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); +- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); ++ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); ++ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); ++ if (length_server_dn_1 > size_server_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); + } + } +@@ -7194,6 +7312,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoCtr1 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -7216,13 +7335,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -7326,18 +7446,32 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfo2 *r) + { + uint32_t _ptr_netbios_name; ++ uint32_t size_netbios_name_1 = 0; ++ uint32_t length_netbios_name_1 = 0; + TALLOC_CTX *_mem_save_netbios_name_0; + uint32_t _ptr_dns_name; ++ uint32_t size_dns_name_1 = 0; ++ uint32_t length_dns_name_1 = 0; + TALLOC_CTX *_mem_save_dns_name_0; + uint32_t _ptr_site_name; ++ uint32_t size_site_name_1 = 0; ++ uint32_t length_site_name_1 = 0; + TALLOC_CTX *_mem_save_site_name_0; + uint32_t _ptr_site_dn; ++ uint32_t size_site_dn_1 = 0; ++ uint32_t length_site_dn_1 = 0; + TALLOC_CTX *_mem_save_site_dn_0; + uint32_t _ptr_computer_dn; ++ uint32_t size_computer_dn_1 = 0; ++ uint32_t length_computer_dn_1 = 0; + TALLOC_CTX *_mem_save_computer_dn_0; + uint32_t _ptr_server_dn; ++ uint32_t size_server_dn_1 = 0; ++ uint32_t length_server_dn_1 = 0; + TALLOC_CTX *_mem_save_server_dn_0; + uint32_t _ptr_ntds_dn; ++ uint32_t size_ntds_dn_1 = 0; ++ uint32_t length_ntds_dn_1 = 0; + TALLOC_CTX *_mem_save_ntds_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7398,11 +7532,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); +- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); ++ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); ++ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); ++ if (length_netbios_name_1 > size_netbios_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); + } + if (r->dns_name) { +@@ -7410,11 +7546,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); +- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); ++ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); ++ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); ++ if (length_dns_name_1 > size_dns_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); + } + if (r->site_name) { +@@ -7422,11 +7560,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->site_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->site_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->site_name)); +- if (ndr_get_array_length(ndr, &r->site_name) > ndr_get_array_size(ndr, &r->site_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_name), ndr_get_array_length(ndr, &r->site_name)); ++ size_site_name_1 = ndr_get_array_size(ndr, &r->site_name); ++ length_site_name_1 = ndr_get_array_length(ndr, &r->site_name); ++ if (length_site_name_1 > size_site_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); + } + if (r->site_dn) { +@@ -7434,11 +7574,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->site_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->site_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->site_dn)); +- if (ndr_get_array_length(ndr, &r->site_dn) > ndr_get_array_size(ndr, &r->site_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_dn), ndr_get_array_length(ndr, &r->site_dn)); ++ size_site_dn_1 = ndr_get_array_size(ndr, &r->site_dn); ++ length_site_dn_1 = ndr_get_array_length(ndr, &r->site_dn); ++ if (length_site_dn_1 > size_site_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_dn_1, length_site_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, length_site_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_dn_0, 0); + } + if (r->computer_dn) { +@@ -7446,11 +7588,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->computer_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_dn)); +- if (ndr_get_array_length(ndr, &r->computer_dn) > ndr_get_array_size(ndr, &r->computer_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_dn), ndr_get_array_length(ndr, &r->computer_dn)); ++ size_computer_dn_1 = ndr_get_array_size(ndr, &r->computer_dn); ++ length_computer_dn_1 = ndr_get_array_length(ndr, &r->computer_dn); ++ if (length_computer_dn_1 > size_computer_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_dn_1, length_computer_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, length_computer_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_dn_0, 0); + } + if (r->server_dn) { +@@ -7458,11 +7602,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); +- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); ++ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); ++ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); ++ if (length_server_dn_1 > size_server_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); + } + if (r->ntds_dn) { +@@ -7470,11 +7616,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->ntds_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->ntds_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->ntds_dn)); +- if (ndr_get_array_length(ndr, &r->ntds_dn) > ndr_get_array_size(ndr, &r->ntds_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->ntds_dn), ndr_get_array_length(ndr, &r->ntds_dn)); ++ size_ntds_dn_1 = ndr_get_array_size(ndr, &r->ntds_dn); ++ length_ntds_dn_1 = ndr_get_array_length(ndr, &r->ntds_dn); ++ if (length_ntds_dn_1 > size_ntds_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ntds_dn_1, length_ntds_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_ntds_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, length_ntds_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ntds_dn_0, 0); + } + } +@@ -7564,6 +7712,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoCtr2 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -7586,13 +7735,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -7697,18 +7847,32 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfo3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfo3 *r) + { + uint32_t _ptr_netbios_name; ++ uint32_t size_netbios_name_1 = 0; ++ uint32_t length_netbios_name_1 = 0; + TALLOC_CTX *_mem_save_netbios_name_0; + uint32_t _ptr_dns_name; ++ uint32_t size_dns_name_1 = 0; ++ uint32_t length_dns_name_1 = 0; + TALLOC_CTX *_mem_save_dns_name_0; + uint32_t _ptr_site_name; ++ uint32_t size_site_name_1 = 0; ++ uint32_t length_site_name_1 = 0; + TALLOC_CTX *_mem_save_site_name_0; + uint32_t _ptr_site_dn; ++ uint32_t size_site_dn_1 = 0; ++ uint32_t length_site_dn_1 = 0; + TALLOC_CTX *_mem_save_site_dn_0; + uint32_t _ptr_computer_dn; ++ uint32_t size_computer_dn_1 = 0; ++ uint32_t length_computer_dn_1 = 0; + TALLOC_CTX *_mem_save_computer_dn_0; + uint32_t _ptr_server_dn; ++ uint32_t size_server_dn_1 = 0; ++ uint32_t length_server_dn_1 = 0; + TALLOC_CTX *_mem_save_server_dn_0; + uint32_t _ptr_ntds_dn; ++ uint32_t size_ntds_dn_1 = 0; ++ uint32_t length_ntds_dn_1 = 0; + TALLOC_CTX *_mem_save_ntds_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7770,11 +7934,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); +- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); ++ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); ++ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); ++ if (length_netbios_name_1 > size_netbios_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); + } + if (r->dns_name) { +@@ -7782,11 +7948,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); +- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); ++ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); ++ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); ++ if (length_dns_name_1 > size_dns_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); + } + if (r->site_name) { +@@ -7794,11 +7962,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->site_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->site_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->site_name)); +- if (ndr_get_array_length(ndr, &r->site_name) > ndr_get_array_size(ndr, &r->site_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_name), ndr_get_array_length(ndr, &r->site_name)); ++ size_site_name_1 = ndr_get_array_size(ndr, &r->site_name); ++ length_site_name_1 = ndr_get_array_length(ndr, &r->site_name); ++ if (length_site_name_1 > size_site_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, ndr_get_array_length(ndr, &r->site_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); + } + if (r->site_dn) { +@@ -7806,11 +7976,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->site_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->site_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->site_dn)); +- if (ndr_get_array_length(ndr, &r->site_dn) > ndr_get_array_size(ndr, &r->site_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_dn), ndr_get_array_length(ndr, &r->site_dn)); ++ size_site_dn_1 = ndr_get_array_size(ndr, &r->site_dn); ++ length_site_dn_1 = ndr_get_array_length(ndr, &r->site_dn); ++ if (length_site_dn_1 > size_site_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_dn_1, length_site_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, ndr_get_array_length(ndr, &r->site_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_dn, length_site_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_dn_0, 0); + } + if (r->computer_dn) { +@@ -7818,11 +7990,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->computer_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_dn)); +- if (ndr_get_array_length(ndr, &r->computer_dn) > ndr_get_array_size(ndr, &r->computer_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_dn), ndr_get_array_length(ndr, &r->computer_dn)); ++ size_computer_dn_1 = ndr_get_array_size(ndr, &r->computer_dn); ++ length_computer_dn_1 = ndr_get_array_length(ndr, &r->computer_dn); ++ if (length_computer_dn_1 > size_computer_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_dn_1, length_computer_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, ndr_get_array_length(ndr, &r->computer_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_dn, length_computer_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_dn_0, 0); + } + if (r->server_dn) { +@@ -7830,11 +8004,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_dn)); +- if (ndr_get_array_length(ndr, &r->server_dn) > ndr_get_array_size(ndr, &r->server_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_dn), ndr_get_array_length(ndr, &r->server_dn)); ++ size_server_dn_1 = ndr_get_array_size(ndr, &r->server_dn); ++ length_server_dn_1 = ndr_get_array_length(ndr, &r->server_dn); ++ if (length_server_dn_1 > size_server_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_dn_1, length_server_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, ndr_get_array_length(ndr, &r->server_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_dn, length_server_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_dn_0, 0); + } + if (r->ntds_dn) { +@@ -7842,11 +8018,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->ntds_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->ntds_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->ntds_dn)); +- if (ndr_get_array_length(ndr, &r->ntds_dn) > ndr_get_array_size(ndr, &r->ntds_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->ntds_dn), ndr_get_array_length(ndr, &r->ntds_dn)); ++ size_ntds_dn_1 = ndr_get_array_size(ndr, &r->ntds_dn); ++ length_ntds_dn_1 = ndr_get_array_length(ndr, &r->ntds_dn); ++ if (length_ntds_dn_1 > size_ntds_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ntds_dn_1, length_ntds_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, ndr_get_array_length(ndr, &r->ntds_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_ntds_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ntds_dn, length_ntds_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ntds_dn_0, 0); + } + } +@@ -7937,6 +8115,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetDCInfoCtr3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCInfoCtr3 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -7959,13 +8138,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo3(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsGetDCInfo3(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -8031,6 +8211,8 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnection01(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCConnection01 *r) + { + uint32_t _ptr_client_account; ++ uint32_t size_client_account_1 = 0; ++ uint32_t length_client_account_1 = 0; + TALLOC_CTX *_mem_save_client_account_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -8059,11 +8241,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client_account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client_account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client_account)); +- if (ndr_get_array_length(ndr, &r->client_account) > ndr_get_array_size(ndr, &r->client_account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_account), ndr_get_array_length(ndr, &r->client_account)); ++ size_client_account_1 = ndr_get_array_size(ndr, &r->client_account); ++ length_client_account_1 = ndr_get_array_length(ndr, &r->client_account); ++ if (length_client_account_1 > size_client_account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_account_1, length_client_account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_account, ndr_get_array_length(ndr, &r->client_account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_account, length_client_account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_account_0, 0); + } + } +@@ -8116,6 +8300,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetDCConnectionCtr01(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetDCConnectionCtr01 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -8138,13 +8323,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsGetDCConnection01(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsGetDCConnection01(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -8462,6 +8648,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_SecBuffer(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_SecBuffer *r) + { + uint32_t _ptr_buffer; ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_buffer_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -8483,8 +8670,9 @@ + _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->buffer)); +- NDR_PULL_ALLOC_N(ndr, r->buffer, ndr_get_array_size(ndr, &r->buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, ndr_get_array_size(ndr, &r->buffer))); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->buffer); ++ NDR_PULL_ALLOC_N(ndr, r->buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, size_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + if (r->buffer) { +@@ -8537,6 +8725,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_SecBufferDesc(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_SecBufferDesc *r) + { + uint32_t _ptr_buffers; ++ uint32_t size_buffers_1 = 0; + uint32_t cntr_buffers_1; + TALLOC_CTX *_mem_save_buffers_0; + TALLOC_CTX *_mem_save_buffers_1; +@@ -8560,13 +8749,14 @@ + _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->buffers)); +- NDR_PULL_ALLOC_N(ndr, r->buffers, ndr_get_array_size(ndr, &r->buffers)); ++ size_buffers_1 = ndr_get_array_size(ndr, &r->buffers); ++ NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_1); + _mem_save_buffers_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); +- for (cntr_buffers_1 = 0; cntr_buffers_1 < r->buff_count; cntr_buffers_1++) { ++ for (cntr_buffers_1 = 0; cntr_buffers_1 < size_buffers_1; cntr_buffers_1++) { + NDR_CHECK(ndr_pull_drsuapi_SecBuffer(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_1])); + } +- for (cntr_buffers_1 = 0; cntr_buffers_1 < r->buff_count; cntr_buffers_1++) { ++ for (cntr_buffers_1 = 0; cntr_buffers_1 < size_buffers_1; cntr_buffers_1++) { + NDR_CHECK(ndr_pull_drsuapi_SecBuffer(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_1, 0); +@@ -9771,6 +9961,7 @@ + uint32_t _ptr_id; + TALLOC_CTX *_mem_save_id_0; + uint32_t _ptr_objects; ++ uint32_t size_objects_1 = 0; + uint32_t cntr_objects_1; + TALLOC_CTX *_mem_save_objects_0; + TALLOC_CTX *_mem_save_objects_1; +@@ -9810,13 +10001,14 @@ + _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->objects)); +- NDR_PULL_ALLOC_N(ndr, r->objects, ndr_get_array_size(ndr, &r->objects)); ++ size_objects_1 = ndr_get_array_size(ndr, &r->objects); ++ NDR_PULL_ALLOC_N(ndr, r->objects, size_objects_1); + _mem_save_objects_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); +- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { ++ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_SCALARS, &r->objects[cntr_objects_1])); + } +- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { ++ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_BUFFERS, &r->objects[cntr_objects_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_1, 0); +@@ -9901,6 +10093,7 @@ + uint32_t _ptr_err_data; + TALLOC_CTX *_mem_save_err_data_0; + uint32_t _ptr_objects; ++ uint32_t size_objects_1 = 0; + uint32_t cntr_objects_1; + TALLOC_CTX *_mem_save_objects_0; + TALLOC_CTX *_mem_save_objects_1; +@@ -9949,13 +10142,14 @@ + _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->objects)); +- NDR_PULL_ALLOC_N(ndr, r->objects, ndr_get_array_size(ndr, &r->objects)); ++ size_objects_1 = ndr_get_array_size(ndr, &r->objects); ++ NDR_PULL_ALLOC_N(ndr, r->objects, size_objects_1); + _mem_save_objects_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); +- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { ++ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_SCALARS, &r->objects[cntr_objects_1])); + } +- for (cntr_objects_1 = 0; cntr_objects_1 < r->count; cntr_objects_1++) { ++ for (cntr_objects_1 = 0; cntr_objects_1 < size_objects_1; cntr_objects_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjectIdentifier2(ndr, NDR_BUFFERS, &r->objects[cntr_objects_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_1, 0); +@@ -10324,6 +10518,8 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaGetInfoRequest1 *r) + { + uint32_t _ptr_object_dn; ++ uint32_t size_object_dn_1 = 0; ++ uint32_t length_object_dn_1 = 0; + TALLOC_CTX *_mem_save_object_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -10343,11 +10539,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); +- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); ++ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); ++ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); ++ if (length_object_dn_1 > size_object_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); + } + } +@@ -10409,10 +10607,16 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaGetInfoRequest2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaGetInfoRequest2 *r) + { + uint32_t _ptr_object_dn; ++ uint32_t size_object_dn_1 = 0; ++ uint32_t length_object_dn_1 = 0; + TALLOC_CTX *_mem_save_object_dn_0; + uint32_t _ptr_attribute_name; ++ uint32_t size_attribute_name_1 = 0; ++ uint32_t length_attribute_name_1 = 0; + TALLOC_CTX *_mem_save_attribute_name_0; + uint32_t _ptr_value_dn_str; ++ uint32_t size_value_dn_str_1 = 0; ++ uint32_t length_value_dn_str_1 = 0; + TALLOC_CTX *_mem_save_value_dn_str_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -10446,11 +10650,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); +- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); ++ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); ++ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); ++ if (length_object_dn_1 > size_object_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); + } + if (r->attribute_name) { +@@ -10458,11 +10664,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); +- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); ++ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); ++ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); ++ if (length_attribute_name_1 > size_attribute_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); + } + if (r->value_dn_str) { +@@ -10470,11 +10678,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->value_dn_str, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->value_dn_str)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->value_dn_str)); +- if (ndr_get_array_length(ndr, &r->value_dn_str) > ndr_get_array_size(ndr, &r->value_dn_str)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->value_dn_str), ndr_get_array_length(ndr, &r->value_dn_str)); ++ size_value_dn_str_1 = ndr_get_array_size(ndr, &r->value_dn_str); ++ length_value_dn_str_1 = ndr_get_array_length(ndr, &r->value_dn_str); ++ if (length_value_dn_str_1 > size_value_dn_str_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_dn_str_1, length_value_dn_str_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->value_dn_str), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->value_dn_str, ndr_get_array_length(ndr, &r->value_dn_str), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_dn_str_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->value_dn_str, length_value_dn_str_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_value_dn_str_0, 0); + } + } +@@ -10664,12 +10874,20 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbour(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaNeighbour *r) + { + uint32_t _ptr_naming_context_dn; ++ uint32_t size_naming_context_dn_1 = 0; ++ uint32_t length_naming_context_dn_1 = 0; + TALLOC_CTX *_mem_save_naming_context_dn_0; + uint32_t _ptr_source_dsa_obj_dn; ++ uint32_t size_source_dsa_obj_dn_1 = 0; ++ uint32_t length_source_dsa_obj_dn_1 = 0; + TALLOC_CTX *_mem_save_source_dsa_obj_dn_0; + uint32_t _ptr_source_dsa_address; ++ uint32_t size_source_dsa_address_1 = 0; ++ uint32_t length_source_dsa_address_1 = 0; + TALLOC_CTX *_mem_save_source_dsa_address_0; + uint32_t _ptr_transport_obj_dn; ++ uint32_t size_transport_obj_dn_1 = 0; ++ uint32_t length_transport_obj_dn_1 = 0; + TALLOC_CTX *_mem_save_transport_obj_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +@@ -10717,11 +10935,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->naming_context_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->naming_context_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->naming_context_dn)); +- if (ndr_get_array_length(ndr, &r->naming_context_dn) > ndr_get_array_size(ndr, &r->naming_context_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->naming_context_dn), ndr_get_array_length(ndr, &r->naming_context_dn)); ++ size_naming_context_dn_1 = ndr_get_array_size(ndr, &r->naming_context_dn); ++ length_naming_context_dn_1 = ndr_get_array_length(ndr, &r->naming_context_dn); ++ if (length_naming_context_dn_1 > size_naming_context_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_naming_context_dn_1, length_naming_context_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->naming_context_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->naming_context_dn, ndr_get_array_length(ndr, &r->naming_context_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_naming_context_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->naming_context_dn, length_naming_context_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_naming_context_dn_0, 0); + } + if (r->source_dsa_obj_dn) { +@@ -10729,11 +10949,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_obj_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_obj_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_obj_dn)); +- if (ndr_get_array_length(ndr, &r->source_dsa_obj_dn) > ndr_get_array_size(ndr, &r->source_dsa_obj_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_obj_dn), ndr_get_array_length(ndr, &r->source_dsa_obj_dn)); ++ size_source_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->source_dsa_obj_dn); ++ length_source_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->source_dsa_obj_dn); ++ if (length_source_dsa_obj_dn_1 > size_source_dsa_obj_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_obj_dn_1, length_source_dsa_obj_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_obj_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, length_source_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_obj_dn_0, 0); + } + if (r->source_dsa_address) { +@@ -10741,11 +10963,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_address, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_address)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_address)); +- if (ndr_get_array_length(ndr, &r->source_dsa_address) > ndr_get_array_size(ndr, &r->source_dsa_address)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_address), ndr_get_array_length(ndr, &r->source_dsa_address)); ++ size_source_dsa_address_1 = ndr_get_array_size(ndr, &r->source_dsa_address); ++ length_source_dsa_address_1 = ndr_get_array_length(ndr, &r->source_dsa_address); ++ if (length_source_dsa_address_1 > size_source_dsa_address_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_address_1, length_source_dsa_address_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, ndr_get_array_length(ndr, &r->source_dsa_address), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_address_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_address, length_source_dsa_address_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_address_0, 0); + } + if (r->transport_obj_dn) { +@@ -10753,11 +10977,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->transport_obj_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->transport_obj_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->transport_obj_dn)); +- if (ndr_get_array_length(ndr, &r->transport_obj_dn) > ndr_get_array_size(ndr, &r->transport_obj_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->transport_obj_dn), ndr_get_array_length(ndr, &r->transport_obj_dn)); ++ size_transport_obj_dn_1 = ndr_get_array_size(ndr, &r->transport_obj_dn); ++ length_transport_obj_dn_1 = ndr_get_array_length(ndr, &r->transport_obj_dn); ++ if (length_transport_obj_dn_1 > size_transport_obj_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_obj_dn_1, length_transport_obj_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->transport_obj_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport_obj_dn, ndr_get_array_length(ndr, &r->transport_obj_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_obj_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport_obj_dn, length_transport_obj_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_obj_dn_0, 0); + } + } +@@ -10831,6 +11057,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaNeighbourCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaNeighbourCtr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -10838,10 +11065,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaNeighbour(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -10851,9 +11079,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_array_0 = ndr_get_array_size(ndr, &r->array); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaNeighbour(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -10898,6 +11127,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursorCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursorCtr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -10905,10 +11135,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -10965,6 +11196,8 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaData *r) + { + uint32_t _ptr_attribute_name; ++ uint32_t size_attribute_name_1 = 0; ++ uint32_t length_attribute_name_1 = 0; + TALLOC_CTX *_mem_save_attribute_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +@@ -10987,11 +11220,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); +- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); ++ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); ++ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); ++ if (length_attribute_name_1 > size_attribute_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); + } + } +@@ -11040,6 +11275,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaDataCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaDataCtr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -11047,10 +11283,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11060,9 +11297,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_array_0 = ndr_get_array_size(ndr, &r->array); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11112,6 +11350,8 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailure(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaKccDsaFailure *r) + { + uint32_t _ptr_dsa_obj_dn; ++ uint32_t size_dsa_obj_dn_1 = 0; ++ uint32_t length_dsa_obj_dn_1 = 0; + TALLOC_CTX *_mem_save_dsa_obj_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -11133,11 +11373,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dsa_obj_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dsa_obj_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dsa_obj_dn)); +- if (ndr_get_array_length(ndr, &r->dsa_obj_dn) > ndr_get_array_size(ndr, &r->dsa_obj_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dsa_obj_dn), ndr_get_array_length(ndr, &r->dsa_obj_dn)); ++ size_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->dsa_obj_dn); ++ length_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->dsa_obj_dn); ++ if (length_dsa_obj_dn_1 > size_dsa_obj_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dsa_obj_dn_1, length_dsa_obj_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dsa_obj_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dsa_obj_dn, ndr_get_array_length(ndr, &r->dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dsa_obj_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dsa_obj_dn, length_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dsa_obj_dn_0, 0); + } + } +@@ -11185,6 +11427,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaKccDsaFailuresCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaKccDsaFailuresCtr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -11192,10 +11435,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaKccDsaFailure(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11205,9 +11449,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_array_0 = ndr_get_array_size(ndr, &r->array); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaKccDsaFailure(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11302,10 +11547,16 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOp(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOp *r) + { + uint32_t _ptr_nc_dn; ++ uint32_t size_nc_dn_1 = 0; ++ uint32_t length_nc_dn_1 = 0; + TALLOC_CTX *_mem_save_nc_dn_0; + uint32_t _ptr_remote_dsa_obj_dn; ++ uint32_t size_remote_dsa_obj_dn_1 = 0; ++ uint32_t length_remote_dsa_obj_dn_1 = 0; + TALLOC_CTX *_mem_save_remote_dsa_obj_dn_0; + uint32_t _ptr_remote_dsa_address; ++ uint32_t size_remote_dsa_address_1 = 0; ++ uint32_t length_remote_dsa_address_1 = 0; + TALLOC_CTX *_mem_save_remote_dsa_address_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -11342,11 +11593,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->nc_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->nc_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->nc_dn)); +- if (ndr_get_array_length(ndr, &r->nc_dn) > ndr_get_array_size(ndr, &r->nc_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->nc_dn), ndr_get_array_length(ndr, &r->nc_dn)); ++ size_nc_dn_1 = ndr_get_array_size(ndr, &r->nc_dn); ++ length_nc_dn_1 = ndr_get_array_length(ndr, &r->nc_dn); ++ if (length_nc_dn_1 > size_nc_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_nc_dn_1, length_nc_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->nc_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->nc_dn, ndr_get_array_length(ndr, &r->nc_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_nc_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->nc_dn, length_nc_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_nc_dn_0, 0); + } + if (r->remote_dsa_obj_dn) { +@@ -11354,11 +11607,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->remote_dsa_obj_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->remote_dsa_obj_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->remote_dsa_obj_dn)); +- if (ndr_get_array_length(ndr, &r->remote_dsa_obj_dn) > ndr_get_array_size(ndr, &r->remote_dsa_obj_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote_dsa_obj_dn), ndr_get_array_length(ndr, &r->remote_dsa_obj_dn)); ++ size_remote_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->remote_dsa_obj_dn); ++ length_remote_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->remote_dsa_obj_dn); ++ if (length_remote_dsa_obj_dn_1 > size_remote_dsa_obj_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_dsa_obj_dn_1, length_remote_dsa_obj_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote_dsa_obj_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_obj_dn, ndr_get_array_length(ndr, &r->remote_dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_dsa_obj_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_obj_dn, length_remote_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_dsa_obj_dn_0, 0); + } + if (r->remote_dsa_address) { +@@ -11366,11 +11621,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->remote_dsa_address, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->remote_dsa_address)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->remote_dsa_address)); +- if (ndr_get_array_length(ndr, &r->remote_dsa_address) > ndr_get_array_size(ndr, &r->remote_dsa_address)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote_dsa_address), ndr_get_array_length(ndr, &r->remote_dsa_address)); ++ size_remote_dsa_address_1 = ndr_get_array_size(ndr, &r->remote_dsa_address); ++ length_remote_dsa_address_1 = ndr_get_array_length(ndr, &r->remote_dsa_address); ++ if (length_remote_dsa_address_1 > size_remote_dsa_address_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_dsa_address_1, length_remote_dsa_address_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote_dsa_address), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_address, ndr_get_array_length(ndr, &r->remote_dsa_address), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_dsa_address_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote_dsa_address, length_remote_dsa_address_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_dsa_address_0, 0); + } + } +@@ -11433,6 +11690,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaOpCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaOpCtr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -11440,10 +11698,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->time)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaOp(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11453,9 +11712,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_array_0 = ndr_get_array_size(ndr, &r->array); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaOp(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11520,8 +11780,12 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaData *r) + { + uint32_t _ptr_attribute_name; ++ uint32_t size_attribute_name_1 = 0; ++ uint32_t length_attribute_name_1 = 0; + TALLOC_CTX *_mem_save_attribute_name_0; + uint32_t _ptr_object_dn; ++ uint32_t size_object_dn_1 = 0; ++ uint32_t length_object_dn_1 = 0; + TALLOC_CTX *_mem_save_object_dn_0; + uint32_t _ptr_binary; + TALLOC_CTX *_mem_save_binary_0; +@@ -11561,11 +11825,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); +- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); ++ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); ++ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); ++ if (length_attribute_name_1 > size_attribute_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); + } + if (r->object_dn) { +@@ -11573,11 +11839,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); +- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); ++ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); ++ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); ++ if (length_object_dn_1 > size_object_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); + } + if (r->binary) { +@@ -11647,6 +11915,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaDataCtr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaDataCtr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -11654,10 +11923,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->enumeration_context)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11667,9 +11937,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_array_0 = ndr_get_array_size(ndr, &r->array); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11714,6 +11985,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor2Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor2Ctr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -11721,10 +11993,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->enumeration_context)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor2(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11779,6 +12052,8 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor3 *r) + { + uint32_t _ptr_source_dsa_obj_dn; ++ uint32_t size_source_dsa_obj_dn_1 = 0; ++ uint32_t length_source_dsa_obj_dn_1 = 0; + TALLOC_CTX *_mem_save_source_dsa_obj_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +@@ -11799,11 +12074,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->source_dsa_obj_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->source_dsa_obj_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->source_dsa_obj_dn)); +- if (ndr_get_array_length(ndr, &r->source_dsa_obj_dn) > ndr_get_array_size(ndr, &r->source_dsa_obj_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->source_dsa_obj_dn), ndr_get_array_length(ndr, &r->source_dsa_obj_dn)); ++ size_source_dsa_obj_dn_1 = ndr_get_array_size(ndr, &r->source_dsa_obj_dn); ++ length_source_dsa_obj_dn_1 = ndr_get_array_length(ndr, &r->source_dsa_obj_dn); ++ if (length_source_dsa_obj_dn_1 > size_source_dsa_obj_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_source_dsa_obj_dn_1, length_source_dsa_obj_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, ndr_get_array_length(ndr, &r->source_dsa_obj_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_source_dsa_obj_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->source_dsa_obj_dn, length_source_dsa_obj_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_source_dsa_obj_dn_0, 0); + } + } +@@ -11850,6 +12127,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaCursor3Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaCursor3Ctr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -11857,10 +12135,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->enumeration_context)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor3(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11870,9 +12149,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_array_0 = ndr_get_array_size(ndr, &r->array); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaCursor3(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -11930,8 +12210,12 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaData2 *r) + { + uint32_t _ptr_attribute_name; ++ uint32_t size_attribute_name_1 = 0; ++ uint32_t length_attribute_name_1 = 0; + TALLOC_CTX *_mem_save_attribute_name_0; + uint32_t _ptr_originating_dsa_dn; ++ uint32_t size_originating_dsa_dn_1 = 0; ++ uint32_t length_originating_dsa_dn_1 = 0; + TALLOC_CTX *_mem_save_originating_dsa_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +@@ -11960,11 +12244,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); +- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); ++ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); ++ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); ++ if (length_attribute_name_1 > size_attribute_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); + } + if (r->originating_dsa_dn) { +@@ -11972,11 +12258,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->originating_dsa_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->originating_dsa_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->originating_dsa_dn)); +- if (ndr_get_array_length(ndr, &r->originating_dsa_dn) > ndr_get_array_size(ndr, &r->originating_dsa_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->originating_dsa_dn), ndr_get_array_length(ndr, &r->originating_dsa_dn)); ++ size_originating_dsa_dn_1 = ndr_get_array_size(ndr, &r->originating_dsa_dn); ++ length_originating_dsa_dn_1 = ndr_get_array_length(ndr, &r->originating_dsa_dn); ++ if (length_originating_dsa_dn_1 > size_originating_dsa_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_originating_dsa_dn_1, length_originating_dsa_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_originating_dsa_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, length_originating_dsa_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_originating_dsa_dn_0, 0); + } + } +@@ -12031,6 +12319,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaObjMetaData2Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaObjMetaData2Ctr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -12038,10 +12327,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->enumeration_context)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData2(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -12051,9 +12341,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_array_0 = ndr_get_array_size(ndr, &r->array); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaObjMetaData2(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -12125,12 +12416,18 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaData2 *r) + { + uint32_t _ptr_attribute_name; ++ uint32_t size_attribute_name_1 = 0; ++ uint32_t length_attribute_name_1 = 0; + TALLOC_CTX *_mem_save_attribute_name_0; + uint32_t _ptr_object_dn; ++ uint32_t size_object_dn_1 = 0; ++ uint32_t length_object_dn_1 = 0; + TALLOC_CTX *_mem_save_object_dn_0; + uint32_t _ptr_binary; + TALLOC_CTX *_mem_save_binary_0; + uint32_t _ptr_originating_dsa_dn; ++ uint32_t size_originating_dsa_dn_1 = 0; ++ uint32_t length_originating_dsa_dn_1 = 0; + TALLOC_CTX *_mem_save_originating_dsa_dn_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +@@ -12174,11 +12471,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->attribute_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->attribute_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->attribute_name)); +- if (ndr_get_array_length(ndr, &r->attribute_name) > ndr_get_array_size(ndr, &r->attribute_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->attribute_name), ndr_get_array_length(ndr, &r->attribute_name)); ++ size_attribute_name_1 = ndr_get_array_size(ndr, &r->attribute_name); ++ length_attribute_name_1 = ndr_get_array_length(ndr, &r->attribute_name); ++ if (length_attribute_name_1 > size_attribute_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_attribute_name_1, length_attribute_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, ndr_get_array_length(ndr, &r->attribute_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_attribute_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->attribute_name, length_attribute_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribute_name_0, 0); + } + if (r->object_dn) { +@@ -12186,11 +12485,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->object_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->object_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->object_dn)); +- if (ndr_get_array_length(ndr, &r->object_dn) > ndr_get_array_size(ndr, &r->object_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_dn), ndr_get_array_length(ndr, &r->object_dn)); ++ size_object_dn_1 = ndr_get_array_size(ndr, &r->object_dn); ++ length_object_dn_1 = ndr_get_array_length(ndr, &r->object_dn); ++ if (length_object_dn_1 > size_object_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_dn_1, length_object_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, ndr_get_array_length(ndr, &r->object_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_dn, length_object_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_dn_0, 0); + } + if (r->binary) { +@@ -12204,11 +12505,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->originating_dsa_dn, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->originating_dsa_dn)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->originating_dsa_dn)); +- if (ndr_get_array_length(ndr, &r->originating_dsa_dn) > ndr_get_array_size(ndr, &r->originating_dsa_dn)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->originating_dsa_dn), ndr_get_array_length(ndr, &r->originating_dsa_dn)); ++ size_originating_dsa_dn_1 = ndr_get_array_size(ndr, &r->originating_dsa_dn); ++ length_originating_dsa_dn_1 = ndr_get_array_length(ndr, &r->originating_dsa_dn); ++ if (length_originating_dsa_dn_1 > size_originating_dsa_dn_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_originating_dsa_dn_1, length_originating_dsa_dn_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, ndr_get_array_length(ndr, &r->originating_dsa_dn), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_originating_dsa_dn_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->originating_dsa_dn, length_originating_dsa_dn_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_originating_dsa_dn_0, 0); + } + } +@@ -12278,6 +12581,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaAttrValMetaData2Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaAttrValMetaData2Ctr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -12285,10 +12589,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->enumeration_context)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData2(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -12298,9 +12603,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_array_0 = ndr_get_array_size(ndr, &r->array); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaAttrValMetaData2(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -12406,6 +12712,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplicaConnection04Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplicaConnection04Ctr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -12416,10 +12723,11 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplicaConnection04(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -12478,6 +12786,8 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsReplica06(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplica06 *r) + { + uint32_t _ptr_str1; ++ uint32_t size_str1_1 = 0; ++ uint32_t length_str1_1 = 0; + TALLOC_CTX *_mem_save_str1_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +@@ -12502,11 +12812,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->str1, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->str1)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->str1)); +- if (ndr_get_array_length(ndr, &r->str1) > ndr_get_array_size(ndr, &r->str1)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->str1), ndr_get_array_length(ndr, &r->str1)); ++ size_str1_1 = ndr_get_array_size(ndr, &r->str1); ++ length_str1_1 = ndr_get_array_length(ndr, &r->str1); ++ if (length_str1_1 > size_str1_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_str1_1, length_str1_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->str1), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str1, ndr_get_array_length(ndr, &r->str1), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_str1_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->str1, length_str1_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_str1_0, 0); + } + } +@@ -12557,6 +12869,7 @@ + + static enum ndr_err_code ndr_pull_drsuapi_DsReplica06Ctr(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsReplica06Ctr *r) + { ++ uint32_t size_array_0 = 0; + uint32_t cntr_array_0; + TALLOC_CTX *_mem_save_array_0; + if (ndr_flags & NDR_SCALARS) { +@@ -12567,10 +12880,11 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_0 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplica06(ndr, NDR_SCALARS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -12580,9 +12894,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_array_0 = ndr_get_array_size(ndr, &r->array); + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_0 = 0; cntr_array_0 < r->count; cntr_array_0++) { ++ for (cntr_array_0 = 0; cntr_array_0 < size_array_0; cntr_array_0++) { + NDR_CHECK(ndr_pull_drsuapi_DsReplica06(ndr, NDR_BUFFERS, &r->array[cntr_array_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0); +@@ -12784,20 +13099,35 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_neighbours_0; ++ uint32_t _ptr_neighbours; + TALLOC_CTX *_mem_save_cursors_0; ++ uint32_t _ptr_cursors; + TALLOC_CTX *_mem_save_objmetadata_0; ++ uint32_t _ptr_objmetadata; + TALLOC_CTX *_mem_save_connectfailures_0; ++ uint32_t _ptr_connectfailures; + TALLOC_CTX *_mem_save_linkfailures_0; ++ uint32_t _ptr_linkfailures; + TALLOC_CTX *_mem_save_pendingops_0; ++ uint32_t _ptr_pendingops; + TALLOC_CTX *_mem_save_attrvalmetadata_0; ++ uint32_t _ptr_attrvalmetadata; + TALLOC_CTX *_mem_save_cursors2_0; ++ uint32_t _ptr_cursors2; + TALLOC_CTX *_mem_save_cursors3_0; ++ uint32_t _ptr_cursors3; + TALLOC_CTX *_mem_save_objmetadata2_0; ++ uint32_t _ptr_objmetadata2; + TALLOC_CTX *_mem_save_attrvalmetadata2_0; ++ uint32_t _ptr_attrvalmetadata2; + TALLOC_CTX *_mem_save_repsto_0; ++ uint32_t _ptr_repsto; + TALLOC_CTX *_mem_save_clientctx_0; ++ uint32_t _ptr_clientctx; + TALLOC_CTX *_mem_save_udv1_0; ++ uint32_t _ptr_udv1; + TALLOC_CTX *_mem_save_srvoutgoingcalls_0; ++ uint32_t _ptr_srvoutgoingcalls; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -12808,7 +13138,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case DRSUAPI_DS_REPLICA_INFO_NEIGHBORS: { +- uint32_t _ptr_neighbours; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_neighbours)); + if (_ptr_neighbours) { + NDR_PULL_ALLOC(ndr, r->neighbours); +@@ -12818,7 +13147,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_CURSORS: { +- uint32_t _ptr_cursors; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors)); + if (_ptr_cursors) { + NDR_PULL_ALLOC(ndr, r->cursors); +@@ -12828,7 +13156,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_OBJ_METADATA: { +- uint32_t _ptr_objmetadata; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_objmetadata)); + if (_ptr_objmetadata) { + NDR_PULL_ALLOC(ndr, r->objmetadata); +@@ -12838,7 +13165,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_KCC_DSA_CONNECT_FAILURES: { +- uint32_t _ptr_connectfailures; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_connectfailures)); + if (_ptr_connectfailures) { + NDR_PULL_ALLOC(ndr, r->connectfailures); +@@ -12848,7 +13174,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_KCC_DSA_LINK_FAILURES: { +- uint32_t _ptr_linkfailures; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_linkfailures)); + if (_ptr_linkfailures) { + NDR_PULL_ALLOC(ndr, r->linkfailures); +@@ -12858,7 +13183,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_PENDING_OPS: { +- uint32_t _ptr_pendingops; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_pendingops)); + if (_ptr_pendingops) { + NDR_PULL_ALLOC(ndr, r->pendingops); +@@ -12868,7 +13192,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_ATTRIBUTE_VALUE_METADATA: { +- uint32_t _ptr_attrvalmetadata; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_attrvalmetadata)); + if (_ptr_attrvalmetadata) { + NDR_PULL_ALLOC(ndr, r->attrvalmetadata); +@@ -12878,7 +13201,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_CURSORS2: { +- uint32_t _ptr_cursors2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors2)); + if (_ptr_cursors2) { + NDR_PULL_ALLOC(ndr, r->cursors2); +@@ -12888,7 +13210,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_CURSORS3: { +- uint32_t _ptr_cursors3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_cursors3)); + if (_ptr_cursors3) { + NDR_PULL_ALLOC(ndr, r->cursors3); +@@ -12898,7 +13219,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_OBJ_METADATA2: { +- uint32_t _ptr_objmetadata2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_objmetadata2)); + if (_ptr_objmetadata2) { + NDR_PULL_ALLOC(ndr, r->objmetadata2); +@@ -12908,7 +13228,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_ATTRIBUTE_VALUE_METADATA2: { +- uint32_t _ptr_attrvalmetadata2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_attrvalmetadata2)); + if (_ptr_attrvalmetadata2) { + NDR_PULL_ALLOC(ndr, r->attrvalmetadata2); +@@ -12918,7 +13237,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_REPSTO: { +- uint32_t _ptr_repsto; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_repsto)); + if (_ptr_repsto) { + NDR_PULL_ALLOC(ndr, r->repsto); +@@ -12928,7 +13246,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_CLIENT_CONTEXTS: { +- uint32_t _ptr_clientctx; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_clientctx)); + if (_ptr_clientctx) { + NDR_PULL_ALLOC(ndr, r->clientctx); +@@ -12938,7 +13255,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_UPTODATE_VECTOR_V1: { +- uint32_t _ptr_udv1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_udv1)); + if (_ptr_udv1) { + NDR_PULL_ALLOC(ndr, r->udv1); +@@ -12948,7 +13264,6 @@ + break; } + + case DRSUAPI_DS_REPLICA_INFO_SERVER_OUTGOING_CALLS: { +- uint32_t _ptr_srvoutgoingcalls; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_srvoutgoingcalls)); + if (_ptr_srvoutgoingcalls) { + NDR_PULL_ALLOC(ndr, r->srvoutgoingcalls); +@@ -13358,6 +13673,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_DsGetMemberships2Request1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_DsGetMemberships2Request1 *r) + { + uint32_t _ptr_req_array; ++ uint32_t size_req_array_1 = 0; + uint32_t cntr_req_array_1; + TALLOC_CTX *_mem_save_req_array_0; + TALLOC_CTX *_mem_save_req_array_1; +@@ -13381,10 +13697,11 @@ + _mem_save_req_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->req_array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->req_array)); +- NDR_PULL_ALLOC_N(ndr, r->req_array, ndr_get_array_size(ndr, &r->req_array)); ++ size_req_array_1 = ndr_get_array_size(ndr, &r->req_array); ++ NDR_PULL_ALLOC_N(ndr, r->req_array, size_req_array_1); + _mem_save_req_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->req_array, 0); +- for (cntr_req_array_1 = 0; cntr_req_array_1 < r->num_req; cntr_req_array_1++) { ++ for (cntr_req_array_1 = 0; cntr_req_array_1 < size_req_array_1; cntr_req_array_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_req_array)); + if (_ptr_req_array) { + NDR_PULL_ALLOC(ndr, r->req_array[cntr_req_array_1]); +@@ -13392,7 +13709,7 @@ + r->req_array[cntr_req_array_1] = NULL; + } + } +- for (cntr_req_array_1 = 0; cntr_req_array_1 < r->num_req; cntr_req_array_1++) { ++ for (cntr_req_array_1 = 0; cntr_req_array_1 < size_req_array_1; cntr_req_array_1++) { + if (r->req_array[cntr_req_array_1]) { + _mem_save_req_array_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->req_array[cntr_req_array_1], 0); +@@ -13575,6 +13892,7 @@ + static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostCtr1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_QuerySitesByCostCtr1 *r) + { + uint32_t _ptr_info; ++ uint32_t size_info_1 = 0; + uint32_t cntr_info_1; + TALLOC_CTX *_mem_save_info_0; + TALLOC_CTX *_mem_save_info_1; +@@ -13598,10 +13916,11 @@ + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->info, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->info)); +- NDR_PULL_ALLOC_N(ndr, r->info, ndr_get_array_size(ndr, &r->info)); ++ size_info_1 = ndr_get_array_size(ndr, &r->info); ++ NDR_PULL_ALLOC_N(ndr, r->info, size_info_1); + _mem_save_info_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->info, 0); +- for (cntr_info_1 = 0; cntr_info_1 < r->num_info; cntr_info_1++) { ++ for (cntr_info_1 = 0; cntr_info_1 < size_info_1; cntr_info_1++) { + NDR_CHECK(ndr_pull_drsuapi_DsSiteCostInfo(ndr, NDR_SCALARS, &r->info[cntr_info_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_1, 0); +@@ -13754,9 +14073,14 @@ + static enum ndr_err_code ndr_pull_drsuapi_QuerySitesByCostRequest1(struct ndr_pull *ndr, int ndr_flags, struct drsuapi_QuerySitesByCostRequest1 *r) + { + uint32_t _ptr_site_from; ++ uint32_t size_site_from_1 = 0; ++ uint32_t length_site_from_1 = 0; + TALLOC_CTX *_mem_save_site_from_0; + uint32_t _ptr_site_to; ++ uint32_t size_site_to_1 = 0; + uint32_t cntr_site_to_1; ++ uint32_t size_site_to_3 = 0; ++ uint32_t length_site_to_3 = 0; + TALLOC_CTX *_mem_save_site_to_0; + TALLOC_CTX *_mem_save_site_to_1; + TALLOC_CTX *_mem_save_site_to_2; +@@ -13787,21 +14111,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->site_from, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->site_from)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->site_from)); +- if (ndr_get_array_length(ndr, &r->site_from) > ndr_get_array_size(ndr, &r->site_from)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_from), ndr_get_array_length(ndr, &r->site_from)); ++ size_site_from_1 = ndr_get_array_size(ndr, &r->site_from); ++ length_site_from_1 = ndr_get_array_length(ndr, &r->site_from); ++ if (length_site_from_1 > size_site_from_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_from_1, length_site_from_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_from), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_from, ndr_get_array_length(ndr, &r->site_from), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_from_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_from, length_site_from_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_from_0, 0); + } + if (r->site_to) { + _mem_save_site_to_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->site_to, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->site_to)); +- NDR_PULL_ALLOC_N(ndr, r->site_to, ndr_get_array_size(ndr, &r->site_to)); ++ size_site_to_1 = ndr_get_array_size(ndr, &r->site_to); ++ NDR_PULL_ALLOC_N(ndr, r->site_to, size_site_to_1); + _mem_save_site_to_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->site_to, 0); +- for (cntr_site_to_1 = 0; cntr_site_to_1 < r->num_req; cntr_site_to_1++) { ++ for (cntr_site_to_1 = 0; cntr_site_to_1 < size_site_to_1; cntr_site_to_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_site_to)); + if (_ptr_site_to) { + NDR_PULL_ALLOC(ndr, r->site_to[cntr_site_to_1]); +@@ -13809,17 +14136,19 @@ + r->site_to[cntr_site_to_1] = NULL; + } + } +- for (cntr_site_to_1 = 0; cntr_site_to_1 < r->num_req; cntr_site_to_1++) { ++ for (cntr_site_to_1 = 0; cntr_site_to_1 < size_site_to_1; cntr_site_to_1++) { + if (r->site_to[cntr_site_to_1]) { + _mem_save_site_to_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->site_to[cntr_site_to_1], 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->site_to[cntr_site_to_1])); + NDR_CHECK(ndr_pull_array_length(ndr, &r->site_to[cntr_site_to_1])); +- if (ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]) > ndr_get_array_size(ndr, &r->site_to[cntr_site_to_1])) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->site_to[cntr_site_to_1]), ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1])); ++ size_site_to_3 = ndr_get_array_size(ndr, &r->site_to[cntr_site_to_1]); ++ length_site_to_3 = ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]); ++ if (length_site_to_3 > size_site_to_3) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_to_3, length_site_to_3); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_to[cntr_site_to_1], ndr_get_array_length(ndr, &r->site_to[cntr_site_to_1]), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_to_3, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->site_to[cntr_site_to_1], length_site_to_3, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_to_2, 0); + } + } +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_dssetup.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_dssetup.c 2012-04-12 12:09:51.667287478 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_dssetup.c 2012-04-12 12:19:20.607301000 -0500 +@@ -96,10 +96,16 @@ + static enum ndr_err_code ndr_pull_dssetup_DsRolePrimaryDomInfoBasic(struct ndr_pull *ndr, int ndr_flags, struct dssetup_DsRolePrimaryDomInfoBasic *r) + { + uint32_t _ptr_domain; ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; + TALLOC_CTX *_mem_save_domain_0; + uint32_t _ptr_dns_domain; ++ uint32_t size_dns_domain_1 = 0; ++ uint32_t length_dns_domain_1 = 0; + TALLOC_CTX *_mem_save_dns_domain_0; + uint32_t _ptr_forest; ++ uint32_t size_forest_1 = 0; ++ uint32_t length_forest_1 = 0; + TALLOC_CTX *_mem_save_forest_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -132,11 +138,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + if (r->dns_domain) { +@@ -144,11 +152,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dns_domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_domain)); +- if (ndr_get_array_length(ndr, &r->dns_domain) > ndr_get_array_size(ndr, &r->dns_domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_domain), ndr_get_array_length(ndr, &r->dns_domain)); ++ size_dns_domain_1 = ndr_get_array_size(ndr, &r->dns_domain); ++ length_dns_domain_1 = ndr_get_array_length(ndr, &r->dns_domain); ++ if (length_dns_domain_1 > size_dns_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_domain_1, length_dns_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, ndr_get_array_length(ndr, &r->dns_domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain, length_dns_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_domain_0, 0); + } + if (r->forest) { +@@ -156,11 +166,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->forest, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->forest)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->forest)); +- if (ndr_get_array_length(ndr, &r->forest) > ndr_get_array_size(ndr, &r->forest)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->forest), ndr_get_array_length(ndr, &r->forest)); ++ size_forest_1 = ndr_get_array_size(ndr, &r->forest); ++ length_forest_1 = ndr_get_array_length(ndr, &r->forest); ++ if (length_forest_1 > size_forest_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_forest_1, length_forest_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, ndr_get_array_length(ndr, &r->forest), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_forest_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest, length_forest_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_0, 0); + } + } +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_echo.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_echo.c 2012-04-12 12:09:50.507287451 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_echo.c 2012-04-12 12:19:20.611301001 -0500 +@@ -628,16 +628,18 @@ + + static enum ndr_err_code ndr_pull_echo_Surrounding(struct ndr_pull *ndr, int ndr_flags, struct echo_Surrounding *r) + { ++ uint32_t size_surrounding_0 = 0; + uint32_t cntr_surrounding_0; + TALLOC_CTX *_mem_save_surrounding_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->surrounding)); + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->x)); +- NDR_PULL_ALLOC_N(ndr, r->surrounding, ndr_get_array_size(ndr, &r->surrounding)); ++ size_surrounding_0 = ndr_get_array_size(ndr, &r->surrounding); ++ NDR_PULL_ALLOC_N(ndr, r->surrounding, size_surrounding_0); + _mem_save_surrounding_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->surrounding, 0); +- for (cntr_surrounding_0 = 0; cntr_surrounding_0 < r->x; cntr_surrounding_0++) { ++ for (cntr_surrounding_0 = 0; cntr_surrounding_0 < size_surrounding_0; cntr_surrounding_0++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->surrounding[cntr_surrounding_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_surrounding_0, 0); +@@ -745,21 +747,25 @@ + + static enum ndr_err_code ndr_pull_echo_EchoData(struct ndr_pull *ndr, int flags, struct echo_EchoData *r) + { ++ uint32_t size_in_data_0 = 0; ++ uint32_t size_out_data_0 = 0; + if (flags & NDR_IN) { + ZERO_STRUCT(r->out); + + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.len)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.in_data)); +- NDR_PULL_ALLOC_N(ndr, r->in.in_data, ndr_get_array_size(ndr, &r->in.in_data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.in_data, ndr_get_array_size(ndr, &r->in.in_data))); ++ size_in_data_0 = ndr_get_array_size(ndr, &r->in.in_data); ++ NDR_PULL_ALLOC_N(ndr, r->in.in_data, size_in_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.in_data, size_in_data_0)); + if (r->in.in_data) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.in_data, r->in.len)); + } + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.out_data)); +- NDR_PULL_ALLOC_N(ndr, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data))); ++ size_out_data_0 = ndr_get_array_size(ndr, &r->out.out_data); ++ NDR_PULL_ALLOC_N(ndr, r->out.out_data, size_out_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, size_out_data_0)); + if (r->out.out_data) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.out_data, r->in.len)); + } +@@ -805,11 +811,13 @@ + + static enum ndr_err_code ndr_pull_echo_SinkData(struct ndr_pull *ndr, int flags, struct echo_SinkData *r) + { ++ uint32_t size_data_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.len)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); +- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); ++ size_data_0 = ndr_get_array_size(ndr, &r->in.data); ++ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_0)); + if (r->in.data) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.len)); + } +@@ -856,6 +864,7 @@ + + static enum ndr_err_code ndr_pull_echo_SourceData(struct ndr_pull *ndr, int flags, struct echo_SourceData *r) + { ++ uint32_t size_data_0 = 0; + if (flags & NDR_IN) { + ZERO_STRUCT(r->out); + +@@ -863,8 +872,9 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); +- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); ++ size_data_0 = ndr_get_array_size(ndr, &r->out.data); ++ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_0)); + if (r->out.data) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.data, r->in.len)); + } +@@ -923,7 +933,11 @@ + + static enum ndr_err_code ndr_pull_echo_TestCall(struct ndr_pull *ndr, int flags, struct echo_TestCall *r) + { ++ uint32_t size_s1_1 = 0; ++ uint32_t length_s1_1 = 0; + uint32_t _ptr_s2; ++ uint32_t size_s2_2 = 0; ++ uint32_t length_s2_2 = 0; + TALLOC_CTX *_mem_save_s2_0; + TALLOC_CTX *_mem_save_s2_1; + if (flags & NDR_IN) { +@@ -931,11 +945,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.s1)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.s1)); +- if (ndr_get_array_length(ndr, &r->in.s1) > ndr_get_array_size(ndr, &r->in.s1)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.s1), ndr_get_array_length(ndr, &r->in.s1)); ++ size_s1_1 = ndr_get_array_size(ndr, &r->in.s1); ++ length_s1_1 = ndr_get_array_length(ndr, &r->in.s1); ++ if (length_s1_1 > size_s1_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_s1_1, length_s1_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.s1), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.s1, ndr_get_array_length(ndr, &r->in.s1), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_s1_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.s1, length_s1_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_ALLOC(ndr, r->out.s2); + ZERO_STRUCTP(r->out.s2); + } +@@ -956,11 +972,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.s2, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.s2)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.s2)); +- if (ndr_get_array_length(ndr, r->out.s2) > ndr_get_array_size(ndr, r->out.s2)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.s2), ndr_get_array_length(ndr, r->out.s2)); ++ size_s2_2 = ndr_get_array_size(ndr, r->out.s2); ++ length_s2_2 = ndr_get_array_length(ndr, r->out.s2); ++ if (length_s2_2 > size_s2_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_s2_2, length_s2_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.s2), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.s2, ndr_get_array_length(ndr, r->out.s2), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_s2_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.s2, length_s2_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s2_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_s2_0, LIBNDR_FLAG_REF_ALLOC); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_efs.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_efs.c 2012-04-12 12:09:50.527287452 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_efs.c 2012-04-12 12:19:20.619301000 -0500 +@@ -24,6 +24,7 @@ + static enum ndr_err_code ndr_pull_EFS_HASH_BLOB(struct ndr_pull *ndr, int ndr_flags, struct EFS_HASH_BLOB *r) + { + uint32_t _ptr_pbData; ++ uint32_t size_pbData_1 = 0; + TALLOC_CTX *_mem_save_pbData_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -41,8 +42,9 @@ + _mem_save_pbData_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->pbData, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->pbData)); +- NDR_PULL_ALLOC_N(ndr, r->pbData, ndr_get_array_size(ndr, &r->pbData)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pbData, ndr_get_array_size(ndr, &r->pbData))); ++ size_pbData_1 = ndr_get_array_size(ndr, &r->pbData); ++ NDR_PULL_ALLOC_N(ndr, r->pbData, size_pbData_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pbData, size_pbData_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pbData_0, 0); + } + if (r->pbData) { +@@ -101,6 +103,8 @@ + uint32_t _ptr_pHash; + TALLOC_CTX *_mem_save_pHash_0; + uint32_t _ptr_lpDisplayInformation; ++ uint32_t size_lpDisplayInformation_1 = 0; ++ uint32_t length_lpDisplayInformation_1 = 0; + TALLOC_CTX *_mem_save_lpDisplayInformation_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -143,11 +147,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->lpDisplayInformation, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->lpDisplayInformation)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->lpDisplayInformation)); +- if (ndr_get_array_length(ndr, &r->lpDisplayInformation) > ndr_get_array_size(ndr, &r->lpDisplayInformation)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->lpDisplayInformation), ndr_get_array_length(ndr, &r->lpDisplayInformation)); ++ size_lpDisplayInformation_1 = ndr_get_array_size(ndr, &r->lpDisplayInformation); ++ length_lpDisplayInformation_1 = ndr_get_array_length(ndr, &r->lpDisplayInformation); ++ if (length_lpDisplayInformation_1 > size_lpDisplayInformation_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_lpDisplayInformation_1, length_lpDisplayInformation_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->lpDisplayInformation), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lpDisplayInformation, ndr_get_array_length(ndr, &r->lpDisplayInformation), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_lpDisplayInformation_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lpDisplayInformation, length_lpDisplayInformation_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_lpDisplayInformation_0, 0); + } + } +@@ -206,6 +212,7 @@ + static enum ndr_err_code ndr_pull_ENCRYPTION_CERTIFICATE_HASH_LIST(struct ndr_pull *ndr, int ndr_flags, struct ENCRYPTION_CERTIFICATE_HASH_LIST *r) + { + uint32_t _ptr_pUsers; ++ uint32_t size_pUsers_0 = 0; + uint32_t cntr_pUsers_0; + TALLOC_CTX *_mem_save_pUsers_0; + TALLOC_CTX *_mem_save_pUsers_1; +@@ -213,10 +220,11 @@ + NDR_CHECK(ndr_pull_array_size(ndr, &r->pUsers)); + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->nCert_Hash)); +- NDR_PULL_ALLOC_N(ndr, r->pUsers, ndr_get_array_size(ndr, &r->pUsers)); ++ size_pUsers_0 = ndr_get_array_size(ndr, &r->pUsers); ++ NDR_PULL_ALLOC_N(ndr, r->pUsers, size_pUsers_0); + _mem_save_pUsers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->pUsers, 0); +- for (cntr_pUsers_0 = 0; cntr_pUsers_0 < r->nCert_Hash; cntr_pUsers_0++) { ++ for (cntr_pUsers_0 = 0; cntr_pUsers_0 < size_pUsers_0; cntr_pUsers_0++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_pUsers)); + if (_ptr_pUsers) { + NDR_PULL_ALLOC(ndr, r->pUsers[cntr_pUsers_0]); +@@ -231,9 +239,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_pUsers_0 = ndr_get_array_size(ndr, &r->pUsers); + _mem_save_pUsers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->pUsers, 0); +- for (cntr_pUsers_0 = 0; cntr_pUsers_0 < r->nCert_Hash; cntr_pUsers_0++) { ++ for (cntr_pUsers_0 = 0; cntr_pUsers_0 < size_pUsers_0; cntr_pUsers_0++) { + if (r->pUsers[cntr_pUsers_0]) { + _mem_save_pUsers_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->pUsers[cntr_pUsers_0], 0); +@@ -288,6 +297,7 @@ + static enum ndr_err_code ndr_pull_EFS_CERTIFICATE_BLOB(struct ndr_pull *ndr, int ndr_flags, struct EFS_CERTIFICATE_BLOB *r) + { + uint32_t _ptr_pbData; ++ uint32_t size_pbData_1 = 0; + TALLOC_CTX *_mem_save_pbData_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -306,8 +316,9 @@ + _mem_save_pbData_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->pbData, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->pbData)); +- NDR_PULL_ALLOC_N(ndr, r->pbData, ndr_get_array_size(ndr, &r->pbData)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pbData, ndr_get_array_size(ndr, &r->pbData))); ++ size_pbData_1 = ndr_get_array_size(ndr, &r->pbData); ++ NDR_PULL_ALLOC_N(ndr, r->pbData, size_pbData_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pbData, size_pbData_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pbData_0, 0); + } + if (r->pbData) { +@@ -435,17 +446,21 @@ + + static enum ndr_err_code ndr_pull_EfsRpcOpenFileRaw(struct ndr_pull *ndr, int flags, struct EfsRpcOpenFileRaw *r) + { ++ uint32_t size_FileName_0 = 0; ++ uint32_t length_FileName_0 = 0; + TALLOC_CTX *_mem_save_pvContext_0; + if (flags & NDR_IN) { + ZERO_STRUCT(r->out); + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.FileName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.FileName)); +- if (ndr_get_array_length(ndr, &r->in.FileName) > ndr_get_array_size(ndr, &r->in.FileName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.FileName), ndr_get_array_length(ndr, &r->in.FileName)); ++ size_FileName_0 = ndr_get_array_size(ndr, &r->in.FileName); ++ length_FileName_0 = ndr_get_array_length(ndr, &r->in.FileName); ++ if (length_FileName_0 > size_FileName_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_FileName_0, length_FileName_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_FileName_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, length_FileName_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.Flags)); + NDR_PULL_ALLOC(ndr, r->out.pvContext); + ZERO_STRUCTP(r->out.pvContext); +@@ -697,14 +712,18 @@ + + static enum ndr_err_code ndr_pull_EfsRpcEncryptFileSrv(struct ndr_pull *ndr, int flags, struct EfsRpcEncryptFileSrv *r) + { ++ uint32_t size_Filename_0 = 0; ++ uint32_t length_Filename_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Filename)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Filename)); +- if (ndr_get_array_length(ndr, &r->in.Filename) > ndr_get_array_size(ndr, &r->in.Filename)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Filename), ndr_get_array_length(ndr, &r->in.Filename)); ++ size_Filename_0 = ndr_get_array_size(ndr, &r->in.Filename); ++ length_Filename_0 = ndr_get_array_length(ndr, &r->in.Filename); ++ if (length_Filename_0 > size_Filename_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Filename_0, length_Filename_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Filename), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Filename, ndr_get_array_length(ndr, &r->in.Filename), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Filename_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Filename, length_Filename_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -752,14 +771,18 @@ + + static enum ndr_err_code ndr_pull_EfsRpcDecryptFileSrv(struct ndr_pull *ndr, int flags, struct EfsRpcDecryptFileSrv *r) + { ++ uint32_t size_FileName_0 = 0; ++ uint32_t length_FileName_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.FileName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.FileName)); +- if (ndr_get_array_length(ndr, &r->in.FileName) > ndr_get_array_size(ndr, &r->in.FileName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.FileName), ndr_get_array_length(ndr, &r->in.FileName)); ++ size_FileName_0 = ndr_get_array_size(ndr, &r->in.FileName); ++ length_FileName_0 = ndr_get_array_length(ndr, &r->in.FileName); ++ if (length_FileName_0 > size_FileName_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_FileName_0, length_FileName_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_FileName_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, length_FileName_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.Reserved)); + } + if (flags & NDR_OUT) { +@@ -815,6 +838,8 @@ + + static enum ndr_err_code ndr_pull_EfsRpcQueryUsersOnFile(struct ndr_pull *ndr, int flags, struct EfsRpcQueryUsersOnFile *r) + { ++ uint32_t size_FileName_0 = 0; ++ uint32_t length_FileName_0 = 0; + uint32_t _ptr_pUsers; + TALLOC_CTX *_mem_save_pUsers_0; + TALLOC_CTX *_mem_save_pUsers_1; +@@ -823,11 +848,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.FileName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.FileName)); +- if (ndr_get_array_length(ndr, &r->in.FileName) > ndr_get_array_size(ndr, &r->in.FileName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.FileName), ndr_get_array_length(ndr, &r->in.FileName)); ++ size_FileName_0 = ndr_get_array_size(ndr, &r->in.FileName); ++ length_FileName_0 = ndr_get_array_length(ndr, &r->in.FileName); ++ if (length_FileName_0 > size_FileName_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_FileName_0, length_FileName_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_FileName_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, length_FileName_0, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_ALLOC(ndr, r->out.pUsers); + ZERO_STRUCTP(r->out.pUsers); + } +@@ -910,6 +937,8 @@ + + static enum ndr_err_code ndr_pull_EfsRpcQueryRecoveryAgents(struct ndr_pull *ndr, int flags, struct EfsRpcQueryRecoveryAgents *r) + { ++ uint32_t size_FileName_0 = 0; ++ uint32_t length_FileName_0 = 0; + uint32_t _ptr_pRecoveryAgents; + TALLOC_CTX *_mem_save_pRecoveryAgents_0; + TALLOC_CTX *_mem_save_pRecoveryAgents_1; +@@ -918,11 +947,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.FileName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.FileName)); +- if (ndr_get_array_length(ndr, &r->in.FileName) > ndr_get_array_size(ndr, &r->in.FileName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.FileName), ndr_get_array_length(ndr, &r->in.FileName)); ++ size_FileName_0 = ndr_get_array_size(ndr, &r->in.FileName); ++ length_FileName_0 = ndr_get_array_length(ndr, &r->in.FileName); ++ if (length_FileName_0 > size_FileName_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_FileName_0, length_FileName_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_FileName_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, length_FileName_0, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_ALLOC(ndr, r->out.pRecoveryAgents); + ZERO_STRUCTP(r->out.pRecoveryAgents); + } +@@ -998,14 +1029,18 @@ + + static enum ndr_err_code ndr_pull_EfsRpcRemoveUsersFromFile(struct ndr_pull *ndr, int flags, struct EfsRpcRemoveUsersFromFile *r) + { ++ uint32_t size_FileName_0 = 0; ++ uint32_t length_FileName_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.FileName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.FileName)); +- if (ndr_get_array_length(ndr, &r->in.FileName) > ndr_get_array_size(ndr, &r->in.FileName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.FileName), ndr_get_array_length(ndr, &r->in.FileName)); ++ size_FileName_0 = ndr_get_array_size(ndr, &r->in.FileName); ++ length_FileName_0 = ndr_get_array_length(ndr, &r->in.FileName); ++ if (length_FileName_0 > size_FileName_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_FileName_0, length_FileName_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_FileName_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, length_FileName_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -1052,14 +1087,18 @@ + + static enum ndr_err_code ndr_pull_EfsRpcAddUsersToFile(struct ndr_pull *ndr, int flags, struct EfsRpcAddUsersToFile *r) + { ++ uint32_t size_FileName_0 = 0; ++ uint32_t length_FileName_0 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.FileName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.FileName)); +- if (ndr_get_array_length(ndr, &r->in.FileName) > ndr_get_array_size(ndr, &r->in.FileName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.FileName), ndr_get_array_length(ndr, &r->in.FileName)); ++ size_FileName_0 = ndr_get_array_size(ndr, &r->in.FileName); ++ length_FileName_0 = ndr_get_array_length(ndr, &r->in.FileName); ++ if (length_FileName_0 > size_FileName_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_FileName_0, length_FileName_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, ndr_get_array_length(ndr, &r->in.FileName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_FileName_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.FileName, length_FileName_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_epmapper.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_epmapper.c 2012-04-12 12:09:50.571287452 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_epmapper.c 2012-04-12 12:19:20.627301001 -0500 +@@ -1618,6 +1618,7 @@ + + static enum ndr_err_code ndr_pull_epm_tower(struct ndr_pull *ndr, int ndr_flags, struct epm_tower *r) + { ++ uint32_t size_floors_0 = 0; + uint32_t cntr_floors_0; + TALLOC_CTX *_mem_save_floors_0; + { +@@ -1626,10 +1627,11 @@ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 2)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_floors)); +- NDR_PULL_ALLOC_N(ndr, r->floors, r->num_floors); ++ size_floors_0 = r->num_floors; ++ NDR_PULL_ALLOC_N(ndr, r->floors, size_floors_0); + _mem_save_floors_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->floors, 0); +- for (cntr_floors_0 = 0; cntr_floors_0 < r->num_floors; cntr_floors_0++) { ++ for (cntr_floors_0 = 0; cntr_floors_0 < size_floors_0; cntr_floors_0++) { + NDR_CHECK(ndr_pull_epm_floor(ndr, NDR_SCALARS, &r->floors[cntr_floors_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_floors_0, 0); +@@ -1738,6 +1740,7 @@ + { + uint32_t _ptr_tower; + TALLOC_CTX *_mem_save_tower_0; ++ uint32_t size_annotation_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->object)); +@@ -1749,7 +1752,8 @@ + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__annotation_offset)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__annotation_length)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->annotation, r->__annotation_length, sizeof(uint8_t), CH_DOS)); ++ size_annotation_0 = r->__annotation_length; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->annotation, size_annotation_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1951,18 +1955,20 @@ + + static enum ndr_err_code ndr_pull_epm_Insert(struct ndr_pull *ndr, int flags, struct epm_Insert *r) + { ++ uint32_t size_entries_0 = 0; + uint32_t cntr_entries_0; + TALLOC_CTX *_mem_save_entries_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.num_ents)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.entries)); +- NDR_PULL_ALLOC_N(ndr, r->in.entries, ndr_get_array_size(ndr, &r->in.entries)); ++ size_entries_0 = ndr_get_array_size(ndr, &r->in.entries); ++ NDR_PULL_ALLOC_N(ndr, r->in.entries, size_entries_0); + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.entries, 0); +- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { ++ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { + NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->in.entries[cntr_entries_0])); + } +- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { ++ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { + NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->in.entries[cntr_entries_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); +@@ -2029,18 +2035,20 @@ + + static enum ndr_err_code ndr_pull_epm_Delete(struct ndr_pull *ndr, int flags, struct epm_Delete *r) + { ++ uint32_t size_entries_0 = 0; + uint32_t cntr_entries_0; + TALLOC_CTX *_mem_save_entries_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.num_ents)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.entries)); +- NDR_PULL_ALLOC_N(ndr, r->in.entries, ndr_get_array_size(ndr, &r->in.entries)); ++ size_entries_0 = ndr_get_array_size(ndr, &r->in.entries); ++ NDR_PULL_ALLOC_N(ndr, r->in.entries, size_entries_0); + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.entries, 0); +- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { ++ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { + NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->in.entries[cntr_entries_0])); + } +- for (cntr_entries_0 = 0; cntr_entries_0 < r->in.num_ents; cntr_entries_0++) { ++ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { + NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->in.entries[cntr_entries_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); +@@ -2131,6 +2139,8 @@ + { + uint32_t _ptr_object; + uint32_t _ptr_interface_id; ++ uint32_t size_entries_0 = 0; ++ uint32_t length_entries_0 = 0; + uint32_t cntr_entries_0; + TALLOC_CTX *_mem_save_object_0; + TALLOC_CTX *_mem_save_interface_id_0; +@@ -2196,16 +2206,18 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_num_ents_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.entries)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.entries)); +- if (ndr_get_array_length(ndr, &r->out.entries) > ndr_get_array_size(ndr, &r->out.entries)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.entries), ndr_get_array_length(ndr, &r->out.entries)); ++ size_entries_0 = ndr_get_array_size(ndr, &r->out.entries); ++ length_entries_0 = ndr_get_array_length(ndr, &r->out.entries); ++ if (length_entries_0 > size_entries_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_entries_0, length_entries_0); + } +- NDR_PULL_ALLOC_N(ndr, r->out.entries, ndr_get_array_size(ndr, &r->out.entries)); ++ NDR_PULL_ALLOC_N(ndr, r->out.entries, size_entries_0); + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.entries, 0); +- for (cntr_entries_0 = 0; cntr_entries_0 < ndr_get_array_length(ndr, &r->out.entries); cntr_entries_0++) { ++ for (cntr_entries_0 = 0; cntr_entries_0 < length_entries_0; cntr_entries_0++) { + NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_SCALARS, &r->out.entries[cntr_entries_0])); + } +- for (cntr_entries_0 = 0; cntr_entries_0 < ndr_get_array_length(ndr, &r->out.entries); cntr_entries_0++) { ++ for (cntr_entries_0 = 0; cntr_entries_0 < length_entries_0; cntr_entries_0++) { + NDR_CHECK(ndr_pull_epm_entry_t(ndr, NDR_BUFFERS, &r->out.entries[cntr_entries_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); +@@ -2321,6 +2333,8 @@ + { + uint32_t _ptr_object; + uint32_t _ptr_map_tower; ++ uint32_t size_towers_0 = 0; ++ uint32_t length_towers_0 = 0; + uint32_t cntr_towers_0; + TALLOC_CTX *_mem_save_object_0; + TALLOC_CTX *_mem_save_map_tower_0; +@@ -2384,16 +2398,18 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_num_towers_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.towers)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.towers)); +- if (ndr_get_array_length(ndr, &r->out.towers) > ndr_get_array_size(ndr, &r->out.towers)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.towers), ndr_get_array_length(ndr, &r->out.towers)); ++ size_towers_0 = ndr_get_array_size(ndr, &r->out.towers); ++ length_towers_0 = ndr_get_array_length(ndr, &r->out.towers); ++ if (length_towers_0 > size_towers_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_towers_0, length_towers_0); + } +- NDR_PULL_ALLOC_N(ndr, r->out.towers, ndr_get_array_size(ndr, &r->out.towers)); ++ NDR_PULL_ALLOC_N(ndr, r->out.towers, size_towers_0); + _mem_save_towers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.towers, 0); +- for (cntr_towers_0 = 0; cntr_towers_0 < ndr_get_array_length(ndr, &r->out.towers); cntr_towers_0++) { ++ for (cntr_towers_0 = 0; cntr_towers_0 < length_towers_0; cntr_towers_0++) { + NDR_CHECK(ndr_pull_epm_twr_p_t(ndr, NDR_SCALARS, &r->out.towers[cntr_towers_0])); + } +- for (cntr_towers_0 = 0; cntr_towers_0 < ndr_get_array_length(ndr, &r->out.towers); cntr_towers_0++) { ++ for (cntr_towers_0 = 0; cntr_towers_0 < length_towers_0; cntr_towers_0++) { + NDR_CHECK(ndr_pull_epm_twr_p_t(ndr, NDR_BUFFERS, &r->out.towers[cntr_towers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_towers_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_eventlog6.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_eventlog6.c 2012-04-12 12:09:51.943287485 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_eventlog6.c 2012-04-12 12:19:20.635301001 -0500 +@@ -63,6 +63,7 @@ + static enum ndr_err_code ndr_pull_eventlog6_boolean8Array(struct ndr_pull *ndr, int ndr_flags, struct eventlog6_boolean8Array *r) + { + uint32_t _ptr_ptr; ++ uint32_t size_ptr_1 = 0; + TALLOC_CTX *_mem_save_ptr_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -83,8 +84,9 @@ + _mem_save_ptr_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ptr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->ptr)); +- NDR_PULL_ALLOC_N(ndr, r->ptr, ndr_get_array_size(ndr, &r->ptr)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ptr, ndr_get_array_size(ndr, &r->ptr))); ++ size_ptr_1 = ndr_get_array_size(ndr, &r->ptr); ++ NDR_PULL_ALLOC_N(ndr, r->ptr, size_ptr_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ptr, size_ptr_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ptr_0, 0); + } + if (r->ptr) { +@@ -132,6 +134,7 @@ + static enum ndr_err_code ndr_pull_eventlog6_UInt32Array(struct ndr_pull *ndr, int ndr_flags, struct eventlog6_UInt32Array *r) + { + uint32_t _ptr_ptr; ++ uint32_t size_ptr_1 = 0; + uint32_t cntr_ptr_1; + TALLOC_CTX *_mem_save_ptr_0; + TALLOC_CTX *_mem_save_ptr_1; +@@ -154,10 +157,11 @@ + _mem_save_ptr_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ptr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->ptr)); +- NDR_PULL_ALLOC_N(ndr, r->ptr, ndr_get_array_size(ndr, &r->ptr)); ++ size_ptr_1 = ndr_get_array_size(ndr, &r->ptr); ++ NDR_PULL_ALLOC_N(ndr, r->ptr, size_ptr_1); + _mem_save_ptr_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ptr, 0); +- for (cntr_ptr_1 = 0; cntr_ptr_1 < r->count; cntr_ptr_1++) { ++ for (cntr_ptr_1 = 0; cntr_ptr_1 < size_ptr_1; cntr_ptr_1++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ptr[cntr_ptr_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ptr_1, 0); +@@ -214,6 +218,7 @@ + static enum ndr_err_code ndr_pull_eventlog6_UInt64Array(struct ndr_pull *ndr, int ndr_flags, struct eventlog6_UInt64Array *r) + { + uint32_t _ptr_ptr; ++ uint32_t size_ptr_1 = 0; + uint32_t cntr_ptr_1; + TALLOC_CTX *_mem_save_ptr_0; + TALLOC_CTX *_mem_save_ptr_1; +@@ -236,10 +241,11 @@ + _mem_save_ptr_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ptr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->ptr)); +- NDR_PULL_ALLOC_N(ndr, r->ptr, ndr_get_array_size(ndr, &r->ptr)); ++ size_ptr_1 = ndr_get_array_size(ndr, &r->ptr); ++ NDR_PULL_ALLOC_N(ndr, r->ptr, size_ptr_1); + _mem_save_ptr_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ptr, 0); +- for (cntr_ptr_1 = 0; cntr_ptr_1 < r->count; cntr_ptr_1++) { ++ for (cntr_ptr_1 = 0; cntr_ptr_1 < size_ptr_1; cntr_ptr_1++) { + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->ptr[cntr_ptr_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ptr_1, 0); +@@ -295,6 +301,8 @@ + static enum ndr_err_code ndr_pull_eventlog6_StringArray(struct ndr_pull *ndr, int ndr_flags, struct eventlog6_StringArray *r) + { + uint32_t _ptr_ptr; ++ uint32_t size_ptr_1 = 0; ++ uint32_t length_ptr_1 = 0; + TALLOC_CTX *_mem_save_ptr_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -316,11 +324,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->ptr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->ptr)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->ptr)); +- if (ndr_get_array_length(ndr, &r->ptr) > ndr_get_array_size(ndr, &r->ptr)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->ptr), ndr_get_array_length(ndr, &r->ptr)); ++ size_ptr_1 = ndr_get_array_size(ndr, &r->ptr); ++ length_ptr_1 = ndr_get_array_length(ndr, &r->ptr); ++ if (length_ptr_1 > size_ptr_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ptr_1, length_ptr_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->ptr), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ptr, ndr_get_array_length(ndr, &r->ptr), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_ptr_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ptr, length_ptr_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ptr_0, 0); + } + } +@@ -365,6 +375,7 @@ + static enum ndr_err_code ndr_pull_eventlog6_GuidArray(struct ndr_pull *ndr, int ndr_flags, struct eventlog6_GuidArray *r) + { + uint32_t _ptr_ptr; ++ uint32_t size_ptr_1 = 0; + uint32_t cntr_ptr_1; + TALLOC_CTX *_mem_save_ptr_0; + TALLOC_CTX *_mem_save_ptr_1; +@@ -387,10 +398,11 @@ + _mem_save_ptr_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ptr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->ptr)); +- NDR_PULL_ALLOC_N(ndr, r->ptr, ndr_get_array_size(ndr, &r->ptr)); ++ size_ptr_1 = ndr_get_array_size(ndr, &r->ptr); ++ NDR_PULL_ALLOC_N(ndr, r->ptr, size_ptr_1); + _mem_save_ptr_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ptr, 0); +- for (cntr_ptr_1 = 0; cntr_ptr_1 < r->count; cntr_ptr_1++) { ++ for (cntr_ptr_1 = 0; cntr_ptr_1 < size_ptr_1; cntr_ptr_1++) { + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->ptr[cntr_ptr_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ptr_1, 0); +@@ -576,7 +588,11 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_stringVal_0; ++ uint32_t _ptr_stringVal; ++ uint32_t size_stringVal_1 = 0; ++ uint32_t length_stringVal_1 = 0; + TALLOC_CTX *_mem_save_guidVal_0; ++ uint32_t _ptr_guidVal; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 8)); +@@ -603,7 +619,6 @@ + break; } + + case EvtRpcVarTypeString: { +- uint32_t _ptr_stringVal; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_stringVal)); + if (_ptr_stringVal) { + NDR_PULL_ALLOC(ndr, r->stringVal); +@@ -613,7 +628,6 @@ + break; } + + case EvtRpcVarTypeGuid: { +- uint32_t _ptr_guidVal; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_guidVal)); + if (_ptr_guidVal) { + NDR_PULL_ALLOC(ndr, r->guidVal); +@@ -666,11 +680,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->stringVal, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->stringVal)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->stringVal)); +- if (ndr_get_array_length(ndr, &r->stringVal) > ndr_get_array_size(ndr, &r->stringVal)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->stringVal), ndr_get_array_length(ndr, &r->stringVal)); ++ size_stringVal_1 = ndr_get_array_size(ndr, &r->stringVal); ++ length_stringVal_1 = ndr_get_array_length(ndr, &r->stringVal); ++ if (length_stringVal_1 > size_stringVal_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_stringVal_1, length_stringVal_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->stringVal), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->stringVal, ndr_get_array_length(ndr, &r->stringVal), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_stringVal_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->stringVal, length_stringVal_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_stringVal_0, 0); + } + break; +@@ -862,6 +878,7 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcVariantList(struct ndr_pull *ndr, int ndr_flags, struct eventlog6_EvtRpcVariantList *r) + { + uint32_t _ptr_props; ++ uint32_t size_props_1 = 0; + uint32_t cntr_props_1; + TALLOC_CTX *_mem_save_props_0; + TALLOC_CTX *_mem_save_props_1; +@@ -884,13 +901,14 @@ + _mem_save_props_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->props, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->props)); +- NDR_PULL_ALLOC_N(ndr, r->props, ndr_get_array_size(ndr, &r->props)); ++ size_props_1 = ndr_get_array_size(ndr, &r->props); ++ NDR_PULL_ALLOC_N(ndr, r->props, size_props_1); + _mem_save_props_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->props, 0); +- for (cntr_props_1 = 0; cntr_props_1 < r->count; cntr_props_1++) { ++ for (cntr_props_1 = 0; cntr_props_1 < size_props_1; cntr_props_1++) { + NDR_CHECK(ndr_pull_eventlog6_EvtRpcVariant(ndr, NDR_SCALARS, &r->props[cntr_props_1])); + } +- for (cntr_props_1 = 0; cntr_props_1 < r->count; cntr_props_1++) { ++ for (cntr_props_1 = 0; cntr_props_1 < size_props_1; cntr_props_1++) { + NDR_CHECK(ndr_pull_eventlog6_EvtRpcVariant(ndr, NDR_BUFFERS, &r->props[cntr_props_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_props_1, 0); +@@ -946,6 +964,8 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcQueryChannelInfo(struct ndr_pull *ndr, int ndr_flags, struct eventlog6_EvtRpcQueryChannelInfo *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -964,11 +984,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + } +@@ -1055,8 +1077,15 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcRegisterRemoteSubscription(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcRegisterRemoteSubscription *r) + { + uint32_t _ptr_channelPath; ++ uint32_t size_channelPath_1 = 0; ++ uint32_t length_channelPath_1 = 0; ++ uint32_t size_query_1 = 0; ++ uint32_t length_query_1 = 0; + uint32_t _ptr_bookmarkXml; ++ uint32_t size_bookmarkXml_1 = 0; ++ uint32_t length_bookmarkXml_1 = 0; + uint32_t _ptr_queryChannelInfo; ++ uint32_t size_queryChannelInfo_2 = 0; + uint32_t cntr_queryChannelInfo_2; + TALLOC_CTX *_mem_save_channelPath_0; + TALLOC_CTX *_mem_save_bookmarkXml_0; +@@ -1081,26 +1110,36 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.channelPath, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.channelPath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.channelPath)); +- if (ndr_get_array_length(ndr, &r->in.channelPath) > ndr_get_array_size(ndr, &r->in.channelPath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.channelPath), ndr_get_array_length(ndr, &r->in.channelPath)); ++ size_channelPath_1 = ndr_get_array_size(ndr, &r->in.channelPath); ++ if (size_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.channelPath) > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ length_channelPath_1 = ndr_get_array_length(ndr, &r->in.channelPath); ++ if (length_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t), CH_UTF16)); ++ if (length_channelPath_1 > size_channelPath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_channelPath_1, length_channelPath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_channelPath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, length_channelPath_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_channelPath_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.query)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.query)); +- if (ndr_get_array_length(ndr, &r->in.query) > ndr_get_array_size(ndr, &r->in.query)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.query), ndr_get_array_length(ndr, &r->in.query)); ++ size_query_1 = ndr_get_array_size(ndr, &r->in.query); ++ if (size_query_1 < 1 || size_query_1 > MAX_RPC_QUERY_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.query) < 1 || ndr_get_array_length(ndr, &r->in.query) > MAX_RPC_QUERY_LENGTH) { ++ length_query_1 = ndr_get_array_length(ndr, &r->in.query); ++ if (length_query_1 < 1 || length_query_1 > MAX_RPC_QUERY_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.query), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.query, ndr_get_array_length(ndr, &r->in.query), sizeof(uint16_t), CH_UTF16)); ++ if (length_query_1 > size_query_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_query_1, length_query_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_query_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.query, length_query_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_bookmarkXml)); + if (_ptr_bookmarkXml) { + NDR_PULL_ALLOC(ndr, r->in.bookmarkXml); +@@ -1112,14 +1151,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.bookmarkXml, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.bookmarkXml)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.bookmarkXml)); +- if (ndr_get_array_length(ndr, &r->in.bookmarkXml) > ndr_get_array_size(ndr, &r->in.bookmarkXml)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.bookmarkXml), ndr_get_array_length(ndr, &r->in.bookmarkXml)); ++ size_bookmarkXml_1 = ndr_get_array_size(ndr, &r->in.bookmarkXml); ++ if (size_bookmarkXml_1 > MAX_RPC_BOOKMARK_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.bookmarkXml) > MAX_RPC_BOOKMARK_LENGTH) { ++ length_bookmarkXml_1 = ndr_get_array_length(ndr, &r->in.bookmarkXml); ++ if (length_bookmarkXml_1 > MAX_RPC_BOOKMARK_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.bookmarkXml), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.bookmarkXml, ndr_get_array_length(ndr, &r->in.bookmarkXml), sizeof(uint16_t), CH_UTF16)); ++ if (length_bookmarkXml_1 > size_bookmarkXml_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_bookmarkXml_1, length_bookmarkXml_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_bookmarkXml_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.bookmarkXml, length_bookmarkXml_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bookmarkXml_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); +@@ -1171,19 +1215,17 @@ + _mem_save_queryChannelInfo_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.queryChannelInfo, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.queryChannelInfo)); +- NDR_PULL_ALLOC_N(ndr, *r->out.queryChannelInfo, ndr_get_array_size(ndr, r->out.queryChannelInfo)); +- if (ndr_get_array_size(ndr, r->out.queryChannelInfo) > MAX_RPC_QUERY_CHANNEL_SIZE) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.queryChannelInfoSize > MAX_RPC_QUERY_CHANNEL_SIZE) { ++ size_queryChannelInfo_2 = ndr_get_array_size(ndr, r->out.queryChannelInfo); ++ if (size_queryChannelInfo_2 > MAX_RPC_QUERY_CHANNEL_SIZE) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.queryChannelInfo, size_queryChannelInfo_2); + _mem_save_queryChannelInfo_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.queryChannelInfo, 0); +- for (cntr_queryChannelInfo_2 = 0; cntr_queryChannelInfo_2 < *r->out.queryChannelInfoSize; cntr_queryChannelInfo_2++) { ++ for (cntr_queryChannelInfo_2 = 0; cntr_queryChannelInfo_2 < size_queryChannelInfo_2; cntr_queryChannelInfo_2++) { + NDR_CHECK(ndr_pull_eventlog6_EvtRpcQueryChannelInfo(ndr, NDR_SCALARS, &(*r->out.queryChannelInfo)[cntr_queryChannelInfo_2])); + } +- for (cntr_queryChannelInfo_2 = 0; cntr_queryChannelInfo_2 < *r->out.queryChannelInfoSize; cntr_queryChannelInfo_2++) { ++ for (cntr_queryChannelInfo_2 = 0; cntr_queryChannelInfo_2 < size_queryChannelInfo_2; cntr_queryChannelInfo_2++) { + NDR_CHECK(ndr_pull_eventlog6_EvtRpcQueryChannelInfo(ndr, NDR_BUFFERS, &(*r->out.queryChannelInfo)[cntr_queryChannelInfo_2])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_queryChannelInfo_2, 0); +@@ -1332,10 +1374,13 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcRemoteSubscriptionNextAsync(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcRemoteSubscriptionNextAsync *r) + { + uint32_t _ptr_eventDataIndices; ++ uint32_t size_eventDataIndices_2 = 0; + uint32_t cntr_eventDataIndices_2; + uint32_t _ptr_eventDataSizes; ++ uint32_t size_eventDataSizes_2 = 0; + uint32_t cntr_eventDataSizes_2; + uint32_t _ptr_resultBuffer; ++ uint32_t size_resultBuffer_2 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_numActualRecords_0; + TALLOC_CTX *_mem_save_eventDataIndices_0; +@@ -1393,16 +1438,14 @@ + _mem_save_eventDataIndices_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataIndices, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.eventDataIndices)); +- NDR_PULL_ALLOC_N(ndr, *r->out.eventDataIndices, ndr_get_array_size(ndr, r->out.eventDataIndices)); +- if (ndr_get_array_size(ndr, r->out.eventDataIndices) > MAX_RPC_RECORD_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numActualRecords > MAX_RPC_RECORD_COUNT) { ++ size_eventDataIndices_2 = ndr_get_array_size(ndr, r->out.eventDataIndices); ++ if (size_eventDataIndices_2 > MAX_RPC_RECORD_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.eventDataIndices, size_eventDataIndices_2); + _mem_save_eventDataIndices_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataIndices, 0); +- for (cntr_eventDataIndices_2 = 0; cntr_eventDataIndices_2 < *r->out.numActualRecords; cntr_eventDataIndices_2++) { ++ for (cntr_eventDataIndices_2 = 0; cntr_eventDataIndices_2 < size_eventDataIndices_2; cntr_eventDataIndices_2++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &(*r->out.eventDataIndices)[cntr_eventDataIndices_2])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventDataIndices_2, 0); +@@ -1424,16 +1467,14 @@ + _mem_save_eventDataSizes_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataSizes, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.eventDataSizes)); +- NDR_PULL_ALLOC_N(ndr, *r->out.eventDataSizes, ndr_get_array_size(ndr, r->out.eventDataSizes)); +- if (ndr_get_array_size(ndr, r->out.eventDataSizes) > MAX_RPC_RECORD_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numActualRecords > MAX_RPC_RECORD_COUNT) { ++ size_eventDataSizes_2 = ndr_get_array_size(ndr, r->out.eventDataSizes); ++ if (size_eventDataSizes_2 > MAX_RPC_RECORD_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.eventDataSizes, size_eventDataSizes_2); + _mem_save_eventDataSizes_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataSizes, 0); +- for (cntr_eventDataSizes_2 = 0; cntr_eventDataSizes_2 < *r->out.numActualRecords; cntr_eventDataSizes_2++) { ++ for (cntr_eventDataSizes_2 = 0; cntr_eventDataSizes_2 < size_eventDataSizes_2; cntr_eventDataSizes_2++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &(*r->out.eventDataSizes)[cntr_eventDataSizes_2])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventDataSizes_2, 0); +@@ -1462,11 +1503,12 @@ + _mem_save_resultBuffer_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.resultBuffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.resultBuffer)); +- NDR_PULL_ALLOC_N(ndr, *r->out.resultBuffer, ndr_get_array_size(ndr, r->out.resultBuffer)); +- if (ndr_get_array_size(ndr, r->out.resultBuffer) > MAX_RPC_BATCH_SIZE) { ++ size_resultBuffer_2 = ndr_get_array_size(ndr, r->out.resultBuffer); ++ if (size_resultBuffer_2 > MAX_RPC_BATCH_SIZE) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.resultBuffer, ndr_get_array_size(ndr, r->out.resultBuffer))); ++ NDR_PULL_ALLOC_N(ndr, *r->out.resultBuffer, size_resultBuffer_2); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.resultBuffer, size_resultBuffer_2)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resultBuffer_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resultBuffer_0, LIBNDR_FLAG_REF_ALLOC); +@@ -1617,10 +1659,13 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcRemoteSubscriptionNext(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcRemoteSubscriptionNext *r) + { + uint32_t _ptr_eventDataIndices; ++ uint32_t size_eventDataIndices_2 = 0; + uint32_t cntr_eventDataIndices_2; + uint32_t _ptr_eventDataSizes; ++ uint32_t size_eventDataSizes_2 = 0; + uint32_t cntr_eventDataSizes_2; + uint32_t _ptr_resultBuffer; ++ uint32_t size_resultBuffer_2 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_numActualRecords_0; + TALLOC_CTX *_mem_save_eventDataIndices_0; +@@ -1679,16 +1724,14 @@ + _mem_save_eventDataIndices_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataIndices, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.eventDataIndices)); +- NDR_PULL_ALLOC_N(ndr, *r->out.eventDataIndices, ndr_get_array_size(ndr, r->out.eventDataIndices)); +- if (ndr_get_array_size(ndr, r->out.eventDataIndices) > MAX_RPC_RECORD_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numActualRecords > MAX_RPC_RECORD_COUNT) { ++ size_eventDataIndices_2 = ndr_get_array_size(ndr, r->out.eventDataIndices); ++ if (size_eventDataIndices_2 > MAX_RPC_RECORD_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.eventDataIndices, size_eventDataIndices_2); + _mem_save_eventDataIndices_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataIndices, 0); +- for (cntr_eventDataIndices_2 = 0; cntr_eventDataIndices_2 < *r->out.numActualRecords; cntr_eventDataIndices_2++) { ++ for (cntr_eventDataIndices_2 = 0; cntr_eventDataIndices_2 < size_eventDataIndices_2; cntr_eventDataIndices_2++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &(*r->out.eventDataIndices)[cntr_eventDataIndices_2])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventDataIndices_2, 0); +@@ -1710,16 +1753,14 @@ + _mem_save_eventDataSizes_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataSizes, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.eventDataSizes)); +- NDR_PULL_ALLOC_N(ndr, *r->out.eventDataSizes, ndr_get_array_size(ndr, r->out.eventDataSizes)); +- if (ndr_get_array_size(ndr, r->out.eventDataSizes) > MAX_RPC_RECORD_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numActualRecords > MAX_RPC_RECORD_COUNT) { ++ size_eventDataSizes_2 = ndr_get_array_size(ndr, r->out.eventDataSizes); ++ if (size_eventDataSizes_2 > MAX_RPC_RECORD_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.eventDataSizes, size_eventDataSizes_2); + _mem_save_eventDataSizes_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataSizes, 0); +- for (cntr_eventDataSizes_2 = 0; cntr_eventDataSizes_2 < *r->out.numActualRecords; cntr_eventDataSizes_2++) { ++ for (cntr_eventDataSizes_2 = 0; cntr_eventDataSizes_2 < size_eventDataSizes_2; cntr_eventDataSizes_2++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &(*r->out.eventDataSizes)[cntr_eventDataSizes_2])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventDataSizes_2, 0); +@@ -1748,11 +1789,12 @@ + _mem_save_resultBuffer_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.resultBuffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.resultBuffer)); +- NDR_PULL_ALLOC_N(ndr, *r->out.resultBuffer, ndr_get_array_size(ndr, r->out.resultBuffer)); +- if (ndr_get_array_size(ndr, r->out.resultBuffer) > MAX_RPC_BATCH_SIZE) { ++ size_resultBuffer_2 = ndr_get_array_size(ndr, r->out.resultBuffer); ++ if (size_resultBuffer_2 > MAX_RPC_BATCH_SIZE) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.resultBuffer, ndr_get_array_size(ndr, r->out.resultBuffer))); ++ NDR_PULL_ALLOC_N(ndr, *r->out.resultBuffer, size_resultBuffer_2); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.resultBuffer, size_resultBuffer_2)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resultBuffer_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resultBuffer_0, LIBNDR_FLAG_REF_ALLOC); +@@ -2024,7 +2066,12 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcRegisterLogQuery(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcRegisterLogQuery *r) + { + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; ++ uint32_t size_query_1 = 0; ++ uint32_t length_query_1 = 0; + uint32_t _ptr_queryChannelInfo; ++ uint32_t size_queryChannelInfo_2 = 0; + uint32_t cntr_queryChannelInfo_2; + TALLOC_CTX *_mem_save_path_0; + TALLOC_CTX *_mem_save_handle_0; +@@ -2048,26 +2095,36 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); +- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->in.path); ++ if (size_path_1 > MAX_RPC_CHANNEL_PATH_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.path) > MAX_RPC_CHANNEL_PATH_LENGTH) { ++ length_path_1 = ndr_get_array_length(ndr, &r->in.path); ++ if (length_path_1 > MAX_RPC_CHANNEL_PATH_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.query)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.query)); +- if (ndr_get_array_length(ndr, &r->in.query) > ndr_get_array_size(ndr, &r->in.query)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.query), ndr_get_array_length(ndr, &r->in.query)); ++ size_query_1 = ndr_get_array_size(ndr, &r->in.query); ++ if (size_query_1 < 1 || size_query_1 > MAX_RPC_QUERY_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.query) < 1 || ndr_get_array_length(ndr, &r->in.query) > MAX_RPC_QUERY_LENGTH) { ++ length_query_1 = ndr_get_array_length(ndr, &r->in.query); ++ if (length_query_1 < 1 || length_query_1 > MAX_RPC_QUERY_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.query), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.query, ndr_get_array_length(ndr, &r->in.query), sizeof(uint16_t), CH_UTF16)); ++ if (length_query_1 > size_query_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_query_1, length_query_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_query_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.query, length_query_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_PULL_ALLOC(ndr, r->out.handle); + ZERO_STRUCTP(r->out.handle); +@@ -2117,19 +2174,17 @@ + _mem_save_queryChannelInfo_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.queryChannelInfo, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.queryChannelInfo)); +- NDR_PULL_ALLOC_N(ndr, *r->out.queryChannelInfo, ndr_get_array_size(ndr, r->out.queryChannelInfo)); +- if (ndr_get_array_size(ndr, r->out.queryChannelInfo) > MAX_RPC_QUERY_CHANNEL_SIZE) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.queryChannelInfoSize > MAX_RPC_QUERY_CHANNEL_SIZE) { ++ size_queryChannelInfo_2 = ndr_get_array_size(ndr, r->out.queryChannelInfo); ++ if (size_queryChannelInfo_2 > MAX_RPC_QUERY_CHANNEL_SIZE) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.queryChannelInfo, size_queryChannelInfo_2); + _mem_save_queryChannelInfo_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.queryChannelInfo, 0); +- for (cntr_queryChannelInfo_2 = 0; cntr_queryChannelInfo_2 < *r->out.queryChannelInfoSize; cntr_queryChannelInfo_2++) { ++ for (cntr_queryChannelInfo_2 = 0; cntr_queryChannelInfo_2 < size_queryChannelInfo_2; cntr_queryChannelInfo_2++) { + NDR_CHECK(ndr_pull_eventlog6_EvtRpcQueryChannelInfo(ndr, NDR_SCALARS, &(*r->out.queryChannelInfo)[cntr_queryChannelInfo_2])); + } +- for (cntr_queryChannelInfo_2 = 0; cntr_queryChannelInfo_2 < *r->out.queryChannelInfoSize; cntr_queryChannelInfo_2++) { ++ for (cntr_queryChannelInfo_2 = 0; cntr_queryChannelInfo_2 < size_queryChannelInfo_2; cntr_queryChannelInfo_2++) { + NDR_CHECK(ndr_pull_eventlog6_EvtRpcQueryChannelInfo(ndr, NDR_BUFFERS, &(*r->out.queryChannelInfo)[cntr_queryChannelInfo_2])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_queryChannelInfo_2, 0); +@@ -2250,7 +2305,11 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcClearLog(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcClearLog *r) + { ++ uint32_t size_channelPath_1 = 0; ++ uint32_t length_channelPath_1 = 0; + uint32_t _ptr_backupPath; ++ uint32_t size_backupPath_1 = 0; ++ uint32_t length_backupPath_1 = 0; + TALLOC_CTX *_mem_save_control_0; + TALLOC_CTX *_mem_save_backupPath_0; + TALLOC_CTX *_mem_save_error_0; +@@ -2266,14 +2325,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_control_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.channelPath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.channelPath)); +- if (ndr_get_array_length(ndr, &r->in.channelPath) > ndr_get_array_size(ndr, &r->in.channelPath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.channelPath), ndr_get_array_length(ndr, &r->in.channelPath)); ++ size_channelPath_1 = ndr_get_array_size(ndr, &r->in.channelPath); ++ if (size_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.channelPath) > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ length_channelPath_1 = ndr_get_array_length(ndr, &r->in.channelPath); ++ if (length_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t), CH_UTF16)); ++ if (length_channelPath_1 > size_channelPath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_channelPath_1, length_channelPath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_channelPath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, length_channelPath_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_backupPath)); + if (_ptr_backupPath) { + NDR_PULL_ALLOC(ndr, r->in.backupPath); +@@ -2285,14 +2349,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.backupPath, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.backupPath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.backupPath)); +- if (ndr_get_array_length(ndr, &r->in.backupPath) > ndr_get_array_size(ndr, &r->in.backupPath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.backupPath), ndr_get_array_length(ndr, &r->in.backupPath)); ++ size_backupPath_1 = ndr_get_array_size(ndr, &r->in.backupPath); ++ if (size_backupPath_1 > MAX_RPC_FILE_PATH_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.backupPath) > MAX_RPC_FILE_PATH_LENGTH) { ++ length_backupPath_1 = ndr_get_array_length(ndr, &r->in.backupPath); ++ if (length_backupPath_1 > MAX_RPC_FILE_PATH_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.backupPath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.backupPath, ndr_get_array_length(ndr, &r->in.backupPath), sizeof(uint16_t), CH_UTF16)); ++ if (length_backupPath_1 > size_backupPath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_backupPath_1, length_backupPath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_backupPath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.backupPath, length_backupPath_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_backupPath_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); +@@ -2396,6 +2465,12 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcExportLog(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcExportLog *r) + { + uint32_t _ptr_channelPath; ++ uint32_t size_channelPath_1 = 0; ++ uint32_t length_channelPath_1 = 0; ++ uint32_t size_query_1 = 0; ++ uint32_t length_query_1 = 0; ++ uint32_t size_backupPath_1 = 0; ++ uint32_t length_backupPath_1 = 0; + TALLOC_CTX *_mem_save_control_0; + TALLOC_CTX *_mem_save_channelPath_0; + TALLOC_CTX *_mem_save_error_0; +@@ -2420,36 +2495,51 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.channelPath, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.channelPath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.channelPath)); +- if (ndr_get_array_length(ndr, &r->in.channelPath) > ndr_get_array_size(ndr, &r->in.channelPath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.channelPath), ndr_get_array_length(ndr, &r->in.channelPath)); ++ size_channelPath_1 = ndr_get_array_size(ndr, &r->in.channelPath); ++ if (size_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.channelPath) > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ length_channelPath_1 = ndr_get_array_length(ndr, &r->in.channelPath); ++ if (length_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t), CH_UTF16)); ++ if (length_channelPath_1 > size_channelPath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_channelPath_1, length_channelPath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_channelPath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, length_channelPath_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_channelPath_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.query)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.query)); +- if (ndr_get_array_length(ndr, &r->in.query) > ndr_get_array_size(ndr, &r->in.query)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.query), ndr_get_array_length(ndr, &r->in.query)); ++ size_query_1 = ndr_get_array_size(ndr, &r->in.query); ++ if (size_query_1 < 1 || size_query_1 > MAX_RPC_QUERY_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.query) < 1 || ndr_get_array_length(ndr, &r->in.query) > MAX_RPC_QUERY_LENGTH) { ++ length_query_1 = ndr_get_array_length(ndr, &r->in.query); ++ if (length_query_1 < 1 || length_query_1 > MAX_RPC_QUERY_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.query), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.query, ndr_get_array_length(ndr, &r->in.query), sizeof(uint16_t), CH_UTF16)); ++ if (length_query_1 > size_query_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_query_1, length_query_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_query_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.query, length_query_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.backupPath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.backupPath)); +- if (ndr_get_array_length(ndr, &r->in.backupPath) > ndr_get_array_size(ndr, &r->in.backupPath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.backupPath), ndr_get_array_length(ndr, &r->in.backupPath)); ++ size_backupPath_1 = ndr_get_array_size(ndr, &r->in.backupPath); ++ if (size_backupPath_1 < 1 || size_backupPath_1 > MAX_RPC_FILE_PATH_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.backupPath) < 1 || ndr_get_array_length(ndr, &r->in.backupPath) > MAX_RPC_FILE_PATH_LENGTH) { ++ length_backupPath_1 = ndr_get_array_length(ndr, &r->in.backupPath); ++ if (length_backupPath_1 < 1 || length_backupPath_1 > MAX_RPC_FILE_PATH_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.backupPath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.backupPath, ndr_get_array_length(ndr, &r->in.backupPath), sizeof(uint16_t), CH_UTF16)); ++ if (length_backupPath_1 > size_backupPath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_backupPath_1, length_backupPath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_backupPath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.backupPath, length_backupPath_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_PULL_ALLOC(ndr, r->out.error); + ZERO_STRUCTP(r->out.error); +@@ -2541,6 +2631,8 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcLocalizeExportLog(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcLocalizeExportLog *r) + { ++ uint32_t size_logFilePath_1 = 0; ++ uint32_t length_logFilePath_1 = 0; + TALLOC_CTX *_mem_save_control_0; + TALLOC_CTX *_mem_save_error_0; + if (flags & NDR_IN) { +@@ -2555,14 +2647,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_control_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logFilePath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logFilePath)); +- if (ndr_get_array_length(ndr, &r->in.logFilePath) > ndr_get_array_size(ndr, &r->in.logFilePath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logFilePath), ndr_get_array_length(ndr, &r->in.logFilePath)); ++ size_logFilePath_1 = ndr_get_array_size(ndr, &r->in.logFilePath); ++ if (size_logFilePath_1 < 1 || size_logFilePath_1 > MAX_RPC_FILE_PATH_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.logFilePath) < 1 || ndr_get_array_length(ndr, &r->in.logFilePath) > MAX_RPC_FILE_PATH_LENGTH) { ++ length_logFilePath_1 = ndr_get_array_length(ndr, &r->in.logFilePath); ++ if (length_logFilePath_1 < 1 || length_logFilePath_1 > MAX_RPC_FILE_PATH_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logFilePath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logFilePath, ndr_get_array_length(ndr, &r->in.logFilePath), sizeof(uint16_t), CH_UTF16)); ++ if (length_logFilePath_1 > size_logFilePath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logFilePath_1, length_logFilePath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logFilePath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logFilePath, length_logFilePath_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.locale)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_PULL_ALLOC(ndr, r->out.error); +@@ -2666,7 +2763,9 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcMessageRender(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcMessageRender *r) + { ++ uint32_t size_eventId_1 = 0; + uint32_t _ptr_string; ++ uint32_t size_string_2 = 0; + TALLOC_CTX *_mem_save_pubCfgObj_0; + TALLOC_CTX *_mem_save_values_0; + TALLOC_CTX *_mem_save_actualSizeString_0; +@@ -2689,10 +2788,11 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.eventId)); ++ size_eventId_1 = ndr_get_array_size(ndr, &r->in.eventId); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.eventId, ndr_get_array_size(ndr, &r->in.eventId)); ++ NDR_PULL_ALLOC_N(ndr, r->in.eventId, size_eventId_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.eventId, ndr_get_array_size(ndr, &r->in.eventId))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.eventId, size_eventId_1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.messageId)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.values); +@@ -2745,11 +2845,12 @@ + _mem_save_string_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.string)); +- NDR_PULL_ALLOC_N(ndr, *r->out.string, ndr_get_array_size(ndr, r->out.string)); +- if (ndr_get_array_size(ndr, r->out.string) > MAX_RPC_RENDERED_STRING_SIZE) { ++ size_string_2 = ndr_get_array_size(ndr, r->out.string); ++ if (size_string_2 > MAX_RPC_RENDERED_STRING_SIZE) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.string, ndr_get_array_size(ndr, r->out.string))); ++ NDR_PULL_ALLOC_N(ndr, *r->out.string, size_string_2); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.string, size_string_2)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, LIBNDR_FLAG_REF_ALLOC); +@@ -2872,7 +2973,9 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcMessageRenderDefault(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcMessageRenderDefault *r) + { ++ uint32_t size_eventId_1 = 0; + uint32_t _ptr_string; ++ uint32_t size_string_2 = 0; + TALLOC_CTX *_mem_save_values_0; + TALLOC_CTX *_mem_save_actualSizeString_0; + TALLOC_CTX *_mem_save_neededSizeString_0; +@@ -2887,10 +2990,11 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.eventId)); ++ size_eventId_1 = ndr_get_array_size(ndr, &r->in.eventId); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.eventId, ndr_get_array_size(ndr, &r->in.eventId)); ++ NDR_PULL_ALLOC_N(ndr, r->in.eventId, size_eventId_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.eventId, ndr_get_array_size(ndr, &r->in.eventId))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.eventId, size_eventId_1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.messageId)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.values); +@@ -2943,11 +3047,12 @@ + _mem_save_string_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.string)); +- NDR_PULL_ALLOC_N(ndr, *r->out.string, ndr_get_array_size(ndr, r->out.string)); +- if (ndr_get_array_size(ndr, r->out.string) > MAX_RPC_RENDERED_STRING_SIZE) { ++ size_string_2 = ndr_get_array_size(ndr, r->out.string); ++ if (size_string_2 > MAX_RPC_RENDERED_STRING_SIZE) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.string, ndr_get_array_size(ndr, r->out.string))); ++ NDR_PULL_ALLOC_N(ndr, *r->out.string, size_string_2); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.string, size_string_2)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, LIBNDR_FLAG_REF_ALLOC); +@@ -3079,10 +3184,13 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcQueryNext(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcQueryNext *r) + { + uint32_t _ptr_eventDataIndices; ++ uint32_t size_eventDataIndices_2 = 0; + uint32_t cntr_eventDataIndices_2; + uint32_t _ptr_eventDataSizes; ++ uint32_t size_eventDataSizes_2 = 0; + uint32_t cntr_eventDataSizes_2; + uint32_t _ptr_resultBuffer; ++ uint32_t size_resultBuffer_2 = 0; + TALLOC_CTX *_mem_save_logQuery_0; + TALLOC_CTX *_mem_save_numActualRecords_0; + TALLOC_CTX *_mem_save_eventDataIndices_0; +@@ -3141,16 +3249,14 @@ + _mem_save_eventDataIndices_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataIndices, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.eventDataIndices)); +- NDR_PULL_ALLOC_N(ndr, *r->out.eventDataIndices, ndr_get_array_size(ndr, r->out.eventDataIndices)); +- if (ndr_get_array_size(ndr, r->out.eventDataIndices) > MAX_RPC_RECORD_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numActualRecords > MAX_RPC_RECORD_COUNT) { ++ size_eventDataIndices_2 = ndr_get_array_size(ndr, r->out.eventDataIndices); ++ if (size_eventDataIndices_2 > MAX_RPC_RECORD_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.eventDataIndices, size_eventDataIndices_2); + _mem_save_eventDataIndices_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataIndices, 0); +- for (cntr_eventDataIndices_2 = 0; cntr_eventDataIndices_2 < *r->out.numActualRecords; cntr_eventDataIndices_2++) { ++ for (cntr_eventDataIndices_2 = 0; cntr_eventDataIndices_2 < size_eventDataIndices_2; cntr_eventDataIndices_2++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &(*r->out.eventDataIndices)[cntr_eventDataIndices_2])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventDataIndices_2, 0); +@@ -3172,16 +3278,14 @@ + _mem_save_eventDataSizes_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataSizes, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.eventDataSizes)); +- NDR_PULL_ALLOC_N(ndr, *r->out.eventDataSizes, ndr_get_array_size(ndr, r->out.eventDataSizes)); +- if (ndr_get_array_size(ndr, r->out.eventDataSizes) > MAX_RPC_RECORD_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numActualRecords > MAX_RPC_RECORD_COUNT) { ++ size_eventDataSizes_2 = ndr_get_array_size(ndr, r->out.eventDataSizes); ++ if (size_eventDataSizes_2 > MAX_RPC_RECORD_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.eventDataSizes, size_eventDataSizes_2); + _mem_save_eventDataSizes_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventDataSizes, 0); +- for (cntr_eventDataSizes_2 = 0; cntr_eventDataSizes_2 < *r->out.numActualRecords; cntr_eventDataSizes_2++) { ++ for (cntr_eventDataSizes_2 = 0; cntr_eventDataSizes_2 < size_eventDataSizes_2; cntr_eventDataSizes_2++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &(*r->out.eventDataSizes)[cntr_eventDataSizes_2])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventDataSizes_2, 0); +@@ -3210,11 +3314,12 @@ + _mem_save_resultBuffer_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.resultBuffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.resultBuffer)); +- NDR_PULL_ALLOC_N(ndr, *r->out.resultBuffer, ndr_get_array_size(ndr, r->out.resultBuffer)); +- if (ndr_get_array_size(ndr, r->out.resultBuffer) > MAX_RPC_BATCH_SIZE) { ++ size_resultBuffer_2 = ndr_get_array_size(ndr, r->out.resultBuffer); ++ if (size_resultBuffer_2 > MAX_RPC_BATCH_SIZE) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.resultBuffer, ndr_get_array_size(ndr, r->out.resultBuffer))); ++ NDR_PULL_ALLOC_N(ndr, *r->out.resultBuffer, size_resultBuffer_2); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.resultBuffer, size_resultBuffer_2)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resultBuffer_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_resultBuffer_0, LIBNDR_FLAG_REF_ALLOC); +@@ -3339,6 +3444,8 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcQuerySeek(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcQuerySeek *r) + { + uint32_t _ptr_bookmarkXml; ++ uint32_t size_bookmarkXml_1 = 0; ++ uint32_t length_bookmarkXml_1 = 0; + TALLOC_CTX *_mem_save_logQuery_0; + TALLOC_CTX *_mem_save_bookmarkXml_0; + TALLOC_CTX *_mem_save_error_0; +@@ -3364,14 +3471,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.bookmarkXml, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.bookmarkXml)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.bookmarkXml)); +- if (ndr_get_array_length(ndr, &r->in.bookmarkXml) > ndr_get_array_size(ndr, &r->in.bookmarkXml)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.bookmarkXml), ndr_get_array_length(ndr, &r->in.bookmarkXml)); ++ size_bookmarkXml_1 = ndr_get_array_size(ndr, &r->in.bookmarkXml); ++ if (size_bookmarkXml_1 > MAX_RPC_BOOKMARK_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.bookmarkXml) > MAX_RPC_BOOKMARK_LENGTH) { ++ length_bookmarkXml_1 = ndr_get_array_length(ndr, &r->in.bookmarkXml); ++ if (length_bookmarkXml_1 > MAX_RPC_BOOKMARK_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.bookmarkXml), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.bookmarkXml, ndr_get_array_length(ndr, &r->in.bookmarkXml), sizeof(uint16_t), CH_UTF16)); ++ if (length_bookmarkXml_1 > size_bookmarkXml_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_bookmarkXml_1, length_bookmarkXml_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_bookmarkXml_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.bookmarkXml, length_bookmarkXml_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bookmarkXml_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.timeOut)); +@@ -3626,17 +3738,24 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcAssertConfig(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcAssertConfig *r) + { ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); +- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->in.path); ++ if (size_path_1 < 1 || size_path_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.path) < 1 || ndr_get_array_length(ndr, &r->in.path) > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ length_path_1 = ndr_get_array_length(ndr, &r->in.path); ++ if (length_path_1 < 1 || length_path_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + } + if (flags & NDR_OUT) { +@@ -3692,17 +3811,24 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcRetractConfig(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcRetractConfig *r) + { ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); +- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->in.path); ++ if (size_path_1 < 1 || size_path_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.path) < 1 || ndr_get_array_length(ndr, &r->in.path) > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ length_path_1 = ndr_get_array_length(ndr, &r->in.path); ++ if (length_path_1 < 1 || length_path_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + } + if (flags & NDR_OUT) { +@@ -3766,6 +3892,8 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcOpenLogHandle(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcOpenLogHandle *r) + { ++ uint32_t size_channel_1 = 0; ++ uint32_t length_channel_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_error_0; + if (flags & NDR_IN) { +@@ -3773,14 +3901,19 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.channel)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.channel)); +- if (ndr_get_array_length(ndr, &r->in.channel) > ndr_get_array_size(ndr, &r->in.channel)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.channel), ndr_get_array_length(ndr, &r->in.channel)); ++ size_channel_1 = ndr_get_array_size(ndr, &r->in.channel); ++ if (size_channel_1 < 1 || size_channel_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.channel) < 1 || ndr_get_array_length(ndr, &r->in.channel) > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ length_channel_1 = ndr_get_array_length(ndr, &r->in.channel); ++ if (length_channel_1 < 1 || length_channel_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.channel), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channel, ndr_get_array_length(ndr, &r->in.channel), sizeof(uint16_t), CH_UTF16)); ++ if (length_channel_1 > size_channel_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_channel_1, length_channel_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_channel_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channel, length_channel_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_PULL_ALLOC(ndr, r->out.handle); + ZERO_STRUCTP(r->out.handle); +@@ -3869,6 +4002,7 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcGetLogFileInfo(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcGetLogFileInfo *r) + { ++ uint32_t size_propertyValueBuffer_1 = 0; + TALLOC_CTX *_mem_save_logHandle_0; + TALLOC_CTX *_mem_save_propertyValueBufferLength_0; + if (flags & NDR_IN) { +@@ -3893,10 +4027,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.propertyValueBuffer)); ++ size_propertyValueBuffer_1 = ndr_get_array_size(ndr, &r->out.propertyValueBuffer); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.propertyValueBuffer, ndr_get_array_size(ndr, &r->out.propertyValueBuffer)); ++ NDR_PULL_ALLOC_N(ndr, r->out.propertyValueBuffer, size_propertyValueBuffer_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.propertyValueBuffer, ndr_get_array_size(ndr, &r->out.propertyValueBuffer))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.propertyValueBuffer, size_propertyValueBuffer_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.propertyValueBufferLength); + } +@@ -3985,7 +4120,10 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcGetChannelList(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcGetChannelList *r) + { + uint32_t _ptr_channelPaths; ++ uint32_t size_channelPaths_2 = 0; + uint32_t cntr_channelPaths_2; ++ uint32_t size_channelPaths_4 = 0; ++ uint32_t length_channelPaths_4 = 0; + TALLOC_CTX *_mem_save_numChannelPaths_0; + TALLOC_CTX *_mem_save_channelPaths_0; + TALLOC_CTX *_mem_save_channelPaths_1; +@@ -4023,16 +4161,14 @@ + _mem_save_channelPaths_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.channelPaths, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.channelPaths)); +- NDR_PULL_ALLOC_N(ndr, *r->out.channelPaths, ndr_get_array_size(ndr, r->out.channelPaths)); +- if (ndr_get_array_size(ndr, r->out.channelPaths) > MAX_RPC_CHANNEL_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numChannelPaths > MAX_RPC_CHANNEL_COUNT) { ++ size_channelPaths_2 = ndr_get_array_size(ndr, r->out.channelPaths); ++ if (size_channelPaths_2 > MAX_RPC_CHANNEL_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.channelPaths, size_channelPaths_2); + _mem_save_channelPaths_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.channelPaths, 0); +- for (cntr_channelPaths_2 = 0; cntr_channelPaths_2 < *r->out.numChannelPaths; cntr_channelPaths_2++) { ++ for (cntr_channelPaths_2 = 0; cntr_channelPaths_2 < size_channelPaths_2; cntr_channelPaths_2++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_channelPaths)); + if (_ptr_channelPaths) { + NDR_PULL_ALLOC(ndr, (*r->out.channelPaths)[cntr_channelPaths_2]); +@@ -4040,20 +4176,25 @@ + (*r->out.channelPaths)[cntr_channelPaths_2] = NULL; + } + } +- for (cntr_channelPaths_2 = 0; cntr_channelPaths_2 < *r->out.numChannelPaths; cntr_channelPaths_2++) { ++ for (cntr_channelPaths_2 = 0; cntr_channelPaths_2 < size_channelPaths_2; cntr_channelPaths_2++) { + if ((*r->out.channelPaths)[cntr_channelPaths_2]) { + _mem_save_channelPaths_3 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, (*r->out.channelPaths)[cntr_channelPaths_2], 0); + NDR_CHECK(ndr_pull_array_size(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2])); + NDR_CHECK(ndr_pull_array_length(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2])); +- if (ndr_get_array_length(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2]) > ndr_get_array_size(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2])) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2]), ndr_get_array_length(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2])); ++ size_channelPaths_4 = ndr_get_array_size(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2]); ++ if (size_channelPaths_4 > MAX_RPC_CHANNEL_COUNT) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2]) > MAX_RPC_CHANNEL_COUNT) { ++ length_channelPaths_4 = ndr_get_array_length(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2]); ++ if (length_channelPaths_4 > MAX_RPC_CHANNEL_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2]), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.channelPaths)[cntr_channelPaths_2], ndr_get_array_length(ndr, &(*r->out.channelPaths)[cntr_channelPaths_2]), sizeof(uint16_t), CH_UTF16)); ++ if (length_channelPaths_4 > size_channelPaths_4) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_channelPaths_4, length_channelPaths_4); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_channelPaths_4, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.channelPaths)[cntr_channelPaths_2], length_channelPaths_4, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_channelPaths_3, 0); + } + } +@@ -4140,20 +4281,27 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcGetChannelConfig(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcGetChannelConfig *r) + { ++ uint32_t size_channelPath_1 = 0; ++ uint32_t length_channelPath_1 = 0; + TALLOC_CTX *_mem_save_props_0; + if (flags & NDR_IN) { + ZERO_STRUCT(r->out); + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.channelPath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.channelPath)); +- if (ndr_get_array_length(ndr, &r->in.channelPath) > ndr_get_array_size(ndr, &r->in.channelPath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.channelPath), ndr_get_array_length(ndr, &r->in.channelPath)); ++ size_channelPath_1 = ndr_get_array_size(ndr, &r->in.channelPath); ++ if (size_channelPath_1 < 1 || size_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.channelPath) < 1 || ndr_get_array_length(ndr, &r->in.channelPath) > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ length_channelPath_1 = ndr_get_array_length(ndr, &r->in.channelPath); ++ if (length_channelPath_1 < 1 || length_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t), CH_UTF16)); ++ if (length_channelPath_1 > size_channelPath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_channelPath_1, length_channelPath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_channelPath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, length_channelPath_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_PULL_ALLOC(ndr, r->out.props); + ZERO_STRUCTP(r->out.props); +@@ -4230,6 +4378,8 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcPutChannelConfig(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcPutChannelConfig *r) + { ++ uint32_t size_channelPath_1 = 0; ++ uint32_t length_channelPath_1 = 0; + TALLOC_CTX *_mem_save_props_0; + TALLOC_CTX *_mem_save_error_0; + if (flags & NDR_IN) { +@@ -4237,14 +4387,19 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.channelPath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.channelPath)); +- if (ndr_get_array_length(ndr, &r->in.channelPath) > ndr_get_array_size(ndr, &r->in.channelPath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.channelPath), ndr_get_array_length(ndr, &r->in.channelPath)); ++ size_channelPath_1 = ndr_get_array_size(ndr, &r->in.channelPath); ++ if (size_channelPath_1 < 1 || size_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.channelPath) < 1 || ndr_get_array_length(ndr, &r->in.channelPath) > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ length_channelPath_1 = ndr_get_array_length(ndr, &r->in.channelPath); ++ if (length_channelPath_1 < 1 || length_channelPath_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, ndr_get_array_length(ndr, &r->in.channelPath), sizeof(uint16_t), CH_UTF16)); ++ if (length_channelPath_1 > size_channelPath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_channelPath_1, length_channelPath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_channelPath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.channelPath, length_channelPath_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.props); +@@ -4341,7 +4496,10 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcGetPublisherList(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcGetPublisherList *r) + { + uint32_t _ptr_publisherIds; ++ uint32_t size_publisherIds_2 = 0; + uint32_t cntr_publisherIds_2; ++ uint32_t size_publisherIds_4 = 0; ++ uint32_t length_publisherIds_4 = 0; + TALLOC_CTX *_mem_save_numPublisherIds_0; + TALLOC_CTX *_mem_save_publisherIds_0; + TALLOC_CTX *_mem_save_publisherIds_1; +@@ -4379,16 +4537,14 @@ + _mem_save_publisherIds_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.publisherIds, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.publisherIds)); +- NDR_PULL_ALLOC_N(ndr, *r->out.publisherIds, ndr_get_array_size(ndr, r->out.publisherIds)); +- if (ndr_get_array_size(ndr, r->out.publisherIds) > MAX_RPC_PUBLISHER_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numPublisherIds > MAX_RPC_PUBLISHER_COUNT) { ++ size_publisherIds_2 = ndr_get_array_size(ndr, r->out.publisherIds); ++ if (size_publisherIds_2 > MAX_RPC_PUBLISHER_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.publisherIds, size_publisherIds_2); + _mem_save_publisherIds_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.publisherIds, 0); +- for (cntr_publisherIds_2 = 0; cntr_publisherIds_2 < *r->out.numPublisherIds; cntr_publisherIds_2++) { ++ for (cntr_publisherIds_2 = 0; cntr_publisherIds_2 < size_publisherIds_2; cntr_publisherIds_2++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_publisherIds)); + if (_ptr_publisherIds) { + NDR_PULL_ALLOC(ndr, (*r->out.publisherIds)[cntr_publisherIds_2]); +@@ -4396,20 +4552,25 @@ + (*r->out.publisherIds)[cntr_publisherIds_2] = NULL; + } + } +- for (cntr_publisherIds_2 = 0; cntr_publisherIds_2 < *r->out.numPublisherIds; cntr_publisherIds_2++) { ++ for (cntr_publisherIds_2 = 0; cntr_publisherIds_2 < size_publisherIds_2; cntr_publisherIds_2++) { + if ((*r->out.publisherIds)[cntr_publisherIds_2]) { + _mem_save_publisherIds_3 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, (*r->out.publisherIds)[cntr_publisherIds_2], 0); + NDR_CHECK(ndr_pull_array_size(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2])); + NDR_CHECK(ndr_pull_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2])); +- if (ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]) > ndr_get_array_size(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2])) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]), ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2])); ++ size_publisherIds_4 = ndr_get_array_size(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]); ++ if (size_publisherIds_4 > MAX_RPC_PUBLISHER_COUNT) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]) > MAX_RPC_PUBLISHER_COUNT) { ++ length_publisherIds_4 = ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]); ++ if (length_publisherIds_4 > MAX_RPC_PUBLISHER_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.publisherIds)[cntr_publisherIds_2], ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]), sizeof(uint16_t), CH_UTF16)); ++ if (length_publisherIds_4 > size_publisherIds_4) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_publisherIds_4, length_publisherIds_4); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_publisherIds_4, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.publisherIds)[cntr_publisherIds_2], length_publisherIds_4, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_publisherIds_3, 0); + } + } +@@ -4513,7 +4674,10 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcGetPublisherListForChannel(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcGetPublisherListForChannel *r) + { + uint32_t _ptr_publisherIds; ++ uint32_t size_publisherIds_2 = 0; + uint32_t cntr_publisherIds_2; ++ uint32_t size_publisherIds_4 = 0; ++ uint32_t length_publisherIds_4 = 0; + TALLOC_CTX *_mem_save_channelName_0; + TALLOC_CTX *_mem_save_numPublisherIds_0; + TALLOC_CTX *_mem_save_publisherIds_0; +@@ -4559,16 +4723,14 @@ + _mem_save_publisherIds_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.publisherIds, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.publisherIds)); +- NDR_PULL_ALLOC_N(ndr, *r->out.publisherIds, ndr_get_array_size(ndr, r->out.publisherIds)); +- if (ndr_get_array_size(ndr, r->out.publisherIds) > MAX_RPC_PUBLISHER_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numPublisherIds > MAX_RPC_PUBLISHER_COUNT) { ++ size_publisherIds_2 = ndr_get_array_size(ndr, r->out.publisherIds); ++ if (size_publisherIds_2 > MAX_RPC_PUBLISHER_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.publisherIds, size_publisherIds_2); + _mem_save_publisherIds_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.publisherIds, 0); +- for (cntr_publisherIds_2 = 0; cntr_publisherIds_2 < *r->out.numPublisherIds; cntr_publisherIds_2++) { ++ for (cntr_publisherIds_2 = 0; cntr_publisherIds_2 < size_publisherIds_2; cntr_publisherIds_2++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_publisherIds)); + if (_ptr_publisherIds) { + NDR_PULL_ALLOC(ndr, (*r->out.publisherIds)[cntr_publisherIds_2]); +@@ -4576,20 +4738,25 @@ + (*r->out.publisherIds)[cntr_publisherIds_2] = NULL; + } + } +- for (cntr_publisherIds_2 = 0; cntr_publisherIds_2 < *r->out.numPublisherIds; cntr_publisherIds_2++) { ++ for (cntr_publisherIds_2 = 0; cntr_publisherIds_2 < size_publisherIds_2; cntr_publisherIds_2++) { + if ((*r->out.publisherIds)[cntr_publisherIds_2]) { + _mem_save_publisherIds_3 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, (*r->out.publisherIds)[cntr_publisherIds_2], 0); + NDR_CHECK(ndr_pull_array_size(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2])); + NDR_CHECK(ndr_pull_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2])); +- if (ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]) > ndr_get_array_size(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2])) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]), ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2])); ++ size_publisherIds_4 = ndr_get_array_size(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]); ++ if (size_publisherIds_4 > MAX_RPC_PUBLISHER_COUNT) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]) > MAX_RPC_PUBLISHER_COUNT) { ++ length_publisherIds_4 = ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]); ++ if (length_publisherIds_4 > MAX_RPC_PUBLISHER_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.publisherIds)[cntr_publisherIds_2], ndr_get_array_length(ndr, &(*r->out.publisherIds)[cntr_publisherIds_2]), sizeof(uint16_t), CH_UTF16)); ++ if (length_publisherIds_4 > size_publisherIds_4) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_publisherIds_4, length_publisherIds_4); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_publisherIds_4, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.publisherIds)[cntr_publisherIds_2], length_publisherIds_4, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_publisherIds_3, 0); + } + } +@@ -4693,7 +4860,11 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcGetPublisherMetadata(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcGetPublisherMetadata *r) + { + uint32_t _ptr_publisherId; ++ uint32_t size_publisherId_1 = 0; ++ uint32_t length_publisherId_1 = 0; + uint32_t _ptr_logFilePath; ++ uint32_t size_logFilePath_1 = 0; ++ uint32_t length_logFilePath_1 = 0; + TALLOC_CTX *_mem_save_publisherId_0; + TALLOC_CTX *_mem_save_logFilePath_0; + TALLOC_CTX *_mem_save_pubMetadataProps_0; +@@ -4712,14 +4883,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.publisherId, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.publisherId)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.publisherId)); +- if (ndr_get_array_length(ndr, &r->in.publisherId) > ndr_get_array_size(ndr, &r->in.publisherId)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.publisherId), ndr_get_array_length(ndr, &r->in.publisherId)); ++ size_publisherId_1 = ndr_get_array_size(ndr, &r->in.publisherId); ++ if (size_publisherId_1 > MAX_RPC_PUBLISHER_ID_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.publisherId) > MAX_RPC_PUBLISHER_ID_LENGTH) { ++ length_publisherId_1 = ndr_get_array_length(ndr, &r->in.publisherId); ++ if (length_publisherId_1 > MAX_RPC_PUBLISHER_ID_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.publisherId), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.publisherId, ndr_get_array_length(ndr, &r->in.publisherId), sizeof(uint16_t), CH_UTF16)); ++ if (length_publisherId_1 > size_publisherId_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_publisherId_1, length_publisherId_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_publisherId_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.publisherId, length_publisherId_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_publisherId_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_logFilePath)); +@@ -4733,14 +4909,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.logFilePath, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logFilePath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logFilePath)); +- if (ndr_get_array_length(ndr, &r->in.logFilePath) > ndr_get_array_size(ndr, &r->in.logFilePath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logFilePath), ndr_get_array_length(ndr, &r->in.logFilePath)); ++ size_logFilePath_1 = ndr_get_array_size(ndr, &r->in.logFilePath); ++ if (size_logFilePath_1 > MAX_RPC_FILE_PATH_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.logFilePath) > MAX_RPC_FILE_PATH_LENGTH) { ++ length_logFilePath_1 = ndr_get_array_length(ndr, &r->in.logFilePath); ++ if (length_logFilePath_1 > MAX_RPC_FILE_PATH_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logFilePath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logFilePath, ndr_get_array_length(ndr, &r->in.logFilePath), sizeof(uint16_t), CH_UTF16)); ++ if (length_logFilePath_1 > size_logFilePath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logFilePath_1, length_logFilePath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logFilePath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logFilePath, length_logFilePath_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logFilePath_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.locale)); +@@ -4927,6 +5108,8 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcGetEventMetadataEnum(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcGetEventMetadataEnum *r) + { + uint32_t _ptr_reservedForFilter; ++ uint32_t size_reservedForFilter_1 = 0; ++ uint32_t length_reservedForFilter_1 = 0; + TALLOC_CTX *_mem_save_pubMetadata_0; + TALLOC_CTX *_mem_save_reservedForFilter_0; + TALLOC_CTX *_mem_save_eventMetaDataEnum_0; +@@ -4952,14 +5135,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.reservedForFilter, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.reservedForFilter)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.reservedForFilter)); +- if (ndr_get_array_length(ndr, &r->in.reservedForFilter) > ndr_get_array_size(ndr, &r->in.reservedForFilter)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.reservedForFilter), ndr_get_array_length(ndr, &r->in.reservedForFilter)); ++ size_reservedForFilter_1 = ndr_get_array_size(ndr, &r->in.reservedForFilter); ++ if (size_reservedForFilter_1 > MAX_RPC_FILTER_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.reservedForFilter) > MAX_RPC_FILTER_LENGTH) { ++ length_reservedForFilter_1 = ndr_get_array_length(ndr, &r->in.reservedForFilter); ++ if (length_reservedForFilter_1 > MAX_RPC_FILTER_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.reservedForFilter), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.reservedForFilter, ndr_get_array_length(ndr, &r->in.reservedForFilter), sizeof(uint16_t), CH_UTF16)); ++ if (length_reservedForFilter_1 > size_reservedForFilter_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_reservedForFilter_1, length_reservedForFilter_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_reservedForFilter_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.reservedForFilter, length_reservedForFilter_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reservedForFilter_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.eventMetaDataEnum); +@@ -5052,6 +5240,7 @@ + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcGetNextEventMetadata(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcGetNextEventMetadata *r) + { + uint32_t _ptr_eventMetadataInstances; ++ uint32_t size_eventMetadataInstances_2 = 0; + uint32_t cntr_eventMetadataInstances_2; + TALLOC_CTX *_mem_save_eventMetaDataEnum_0; + TALLOC_CTX *_mem_save_numReturned_0; +@@ -5098,19 +5287,17 @@ + _mem_save_eventMetadataInstances_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventMetadataInstances, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.eventMetadataInstances)); +- NDR_PULL_ALLOC_N(ndr, *r->out.eventMetadataInstances, ndr_get_array_size(ndr, r->out.eventMetadataInstances)); +- if (ndr_get_array_size(ndr, r->out.eventMetadataInstances) > MAX_RPC_EVENT_METADATA_COUNT) { +- return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); +- } +- if (*r->out.numReturned > MAX_RPC_EVENT_METADATA_COUNT) { ++ size_eventMetadataInstances_2 = ndr_get_array_size(ndr, r->out.eventMetadataInstances); ++ if (size_eventMetadataInstances_2 > MAX_RPC_EVENT_METADATA_COUNT) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } ++ NDR_PULL_ALLOC_N(ndr, *r->out.eventMetadataInstances, size_eventMetadataInstances_2); + _mem_save_eventMetadataInstances_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.eventMetadataInstances, 0); +- for (cntr_eventMetadataInstances_2 = 0; cntr_eventMetadataInstances_2 < *r->out.numReturned; cntr_eventMetadataInstances_2++) { ++ for (cntr_eventMetadataInstances_2 = 0; cntr_eventMetadataInstances_2 < size_eventMetadataInstances_2; cntr_eventMetadataInstances_2++) { + NDR_CHECK(ndr_pull_eventlog6_EvtRpcVariantList(ndr, NDR_SCALARS, &(*r->out.eventMetadataInstances)[cntr_eventMetadataInstances_2])); + } +- for (cntr_eventMetadataInstances_2 = 0; cntr_eventMetadataInstances_2 < *r->out.numReturned; cntr_eventMetadataInstances_2++) { ++ for (cntr_eventMetadataInstances_2 = 0; cntr_eventMetadataInstances_2 < size_eventMetadataInstances_2; cntr_eventMetadataInstances_2++) { + NDR_CHECK(ndr_pull_eventlog6_EvtRpcVariantList(ndr, NDR_BUFFERS, &(*r->out.eventMetadataInstances)[cntr_eventMetadataInstances_2])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventMetadataInstances_2, 0); +@@ -5200,6 +5387,8 @@ + + static enum ndr_err_code ndr_pull_eventlog6_EvtRpcGetClassicLogDisplayName(struct ndr_pull *ndr, int flags, struct eventlog6_EvtRpcGetClassicLogDisplayName *r) + { ++ uint32_t size_logName_1 = 0; ++ uint32_t length_logName_1 = 0; + uint32_t _ptr_displayName; + TALLOC_CTX *_mem_save_displayName_0; + TALLOC_CTX *_mem_save_displayName_1; +@@ -5208,14 +5397,19 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logName)); +- if (ndr_get_array_length(ndr, &r->in.logName) > ndr_get_array_size(ndr, &r->in.logName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logName), ndr_get_array_length(ndr, &r->in.logName)); ++ size_logName_1 = ndr_get_array_size(ndr, &r->in.logName); ++ if (size_logName_1 < 1 || size_logName_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->in.logName) < 1 || ndr_get_array_length(ndr, &r->in.logName) > MAX_RPC_CHANNEL_NAME_LENGTH) { ++ length_logName_1 = ndr_get_array_length(ndr, &r->in.logName); ++ if (length_logName_1 < 1 || length_logName_1 > MAX_RPC_CHANNEL_NAME_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logName, ndr_get_array_length(ndr, &r->in.logName), sizeof(uint16_t), CH_UTF16)); ++ if (length_logName_1 > size_logName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logName_1, length_logName_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logName, length_logName_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.locale)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_PULL_ALLOC(ndr, r->out.displayName); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_eventlog.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_eventlog.c 2012-04-12 12:09:51.735287480 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_eventlog.c 2012-04-12 12:19:20.639301001 -0500 +@@ -157,6 +157,8 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_eventlog_Record_tdb(struct ndr_pull *ndr, int ndr_flags, struct eventlog_Record_tdb *r) + { ++ uint32_t size_reserved_0 = 0; ++ uint32_t size_strings_0 = 0; + uint32_t cntr_strings_0; + TALLOC_CTX *_mem_save_strings_0; + { +@@ -165,7 +167,8 @@ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->reserved, 4, sizeof(uint8_t), CH_DOS)); ++ size_reserved_0 = 4; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->reserved, size_reserved_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->record_number)); + NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->time_generated)); + NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->time_written)); +@@ -203,10 +206,11 @@ + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM|LIBNDR_FLAG_ALIGN2); +- NDR_PULL_ALLOC_N(ndr, r->strings, r->num_of_strings); ++ size_strings_0 = r->num_of_strings; ++ NDR_PULL_ALLOC_N(ndr, r->strings, size_strings_0); + _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->strings, 0); +- for (cntr_strings_0 = 0; cntr_strings_0 < r->num_of_strings; cntr_strings_0++) { ++ for (cntr_strings_0 = 0; cntr_strings_0 < size_strings_0; cntr_strings_0++) { + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->strings[cntr_strings_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_strings_0, 0); +@@ -320,10 +324,12 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGHEADER(struct ndr_pull *ndr, int ndr_flags, struct EVENTLOGHEADER *r) + { ++ uint32_t size_Signature_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->HeaderSize)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, 4, sizeof(uint8_t), CH_DOS)); ++ size_Signature_0 = 4; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, size_Signature_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->MajorVersion)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->MinorVersion)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->StartOffset)); +@@ -440,12 +446,16 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOGRECORD(struct ndr_pull *ndr, int ndr_flags, struct EVENTLOGRECORD *r) + { ++ uint32_t size_Reserved_0 = 0; ++ uint32_t size_Strings_0 = 0; + uint32_t cntr_Strings_0; + TALLOC_CTX *_mem_save_Strings_0; ++ uint32_t size_Data_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Length)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Reserved, 4, sizeof(uint8_t), CH_DOS)); ++ size_Reserved_0 = 4; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Reserved, size_Reserved_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->RecordNumber)); + NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->TimeGenerated)); + NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->TimeWritten)); +@@ -486,10 +496,11 @@ + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM|LIBNDR_FLAG_ALIGN2); +- NDR_PULL_ALLOC_N(ndr, r->Strings, r->NumStrings); ++ size_Strings_0 = r->NumStrings; ++ NDR_PULL_ALLOC_N(ndr, r->Strings, size_Strings_0); + _mem_save_Strings_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->Strings, 0); +- for (cntr_Strings_0 = 0; cntr_Strings_0 < r->NumStrings; cntr_Strings_0++) { ++ for (cntr_Strings_0 = 0; cntr_Strings_0 < size_Strings_0; cntr_Strings_0++) { + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->Strings[cntr_Strings_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Strings_0, 0); +@@ -498,8 +509,9 @@ + { + uint32_t _flags_save_uint8 = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); +- NDR_PULL_ALLOC_N(ndr, r->Data, r->DataLength); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Data, r->DataLength)); ++ size_Data_0 = r->DataLength; ++ NDR_PULL_ALLOC_N(ndr, r->Data, size_Data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Data, size_Data_0)); + ndr->flags = _flags_save_uint8; + } + { +@@ -645,15 +657,17 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_EVENTLOG_EVT_FILE(struct ndr_pull *ndr, int ndr_flags, struct EVENTLOG_EVT_FILE *r) + { ++ uint32_t size_records_0 = 0; + uint32_t cntr_records_0; + TALLOC_CTX *_mem_save_records_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_EVENTLOGHEADER(ndr, NDR_SCALARS, &r->hdr)); +- NDR_PULL_ALLOC_N(ndr, r->records, r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber); ++ size_records_0 = r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; ++ NDR_PULL_ALLOC_N(ndr, r->records, size_records_0); + _mem_save_records_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->records, 0); +- for (cntr_records_0 = 0; cntr_records_0 < r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; cntr_records_0++) { ++ for (cntr_records_0 = 0; cntr_records_0 < size_records_0; cntr_records_0++) { + NDR_CHECK(ndr_pull_EVENTLOGRECORD(ndr, NDR_SCALARS, &r->records[cntr_records_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_records_0, 0); +@@ -661,9 +675,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_records_0 = r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; + _mem_save_records_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->records, 0); +- for (cntr_records_0 = 0; cntr_records_0 < r->hdr.CurrentRecordNumber - r->hdr.OldestRecordNumber; cntr_records_0++) { ++ for (cntr_records_0 = 0; cntr_records_0 < size_records_0; cntr_records_0++) { + NDR_CHECK(ndr_pull_EVENTLOGRECORD(ndr, NDR_BUFFERS, &r->records[cntr_records_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_records_0, 0); +@@ -1617,6 +1632,7 @@ + + static enum ndr_err_code ndr_pull_eventlog_ReadEventLogW(struct ndr_pull *ndr, int flags, struct eventlog_ReadEventLogW *r) + { ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_sent_size_0; + TALLOC_CTX *_mem_save_real_size_0; +@@ -1645,10 +1661,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->out.data); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); ++ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.sent_size); + } +@@ -1779,8 +1796,10 @@ + { + uint32_t _ptr_user_sid; + uint32_t _ptr_strings; ++ uint32_t size_strings_1 = 0; + uint32_t cntr_strings_1; + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + uint32_t _ptr_record_number; + uint32_t _ptr_time_written; + TALLOC_CTX *_mem_save_handle_0; +@@ -1843,12 +1862,13 @@ + _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.strings)); +- NDR_PULL_ALLOC_N(ndr, r->in.strings, ndr_get_array_size(ndr, &r->in.strings)); ++ size_strings_1 = ndr_get_array_size(ndr, &r->in.strings); ++ NDR_PULL_ALLOC_N(ndr, r->in.strings, size_strings_1); + _mem_save_strings_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); +- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { ++ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { + } +- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { ++ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_strings)); + if (_ptr_strings) { + NDR_PULL_ALLOC(ndr, r->in.strings[cntr_strings_1]); +@@ -1875,8 +1895,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); +- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->in.data); ++ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.flags)); +@@ -2478,6 +2499,7 @@ + + static enum ndr_err_code ndr_pull_eventlog_GetLogInformation(struct ndr_pull *ndr, int flags, struct eventlog_GetLogInformation *r) + { ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_bytes_needed_0; + if (flags & NDR_IN) { +@@ -2502,10 +2524,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.bytes_needed); + } +@@ -2686,8 +2709,10 @@ + { + uint32_t _ptr_user_sid; + uint32_t _ptr_strings; ++ uint32_t size_strings_1 = 0; + uint32_t cntr_strings_1; + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + uint32_t _ptr_record_number; + uint32_t _ptr_time_written; + TALLOC_CTX *_mem_save_handle_0; +@@ -2758,12 +2783,13 @@ + _mem_save_strings_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.strings)); +- NDR_PULL_ALLOC_N(ndr, r->in.strings, ndr_get_array_size(ndr, &r->in.strings)); ++ size_strings_1 = ndr_get_array_size(ndr, &r->in.strings); ++ NDR_PULL_ALLOC_N(ndr, r->in.strings, size_strings_1); + _mem_save_strings_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.strings, 0); +- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { ++ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { + } +- for (cntr_strings_1 = 0; cntr_strings_1 < r->in.num_of_strings; cntr_strings_1++) { ++ for (cntr_strings_1 = 0; cntr_strings_1 < size_strings_1; cntr_strings_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_strings)); + if (_ptr_strings) { + NDR_PULL_ALLOC(ndr, r->in.strings[cntr_strings_1]); +@@ -2790,8 +2816,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); +- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->in.data); ++ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.flags)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_frsapi.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_frsapi.c 2012-04-12 12:09:51.707287480 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_frsapi.c 2012-04-12 12:19:20.643301001 -0500 +@@ -645,6 +645,8 @@ + static enum ndr_err_code ndr_pull_frsapi_IsPathReplicated(struct ndr_pull *ndr, int flags, struct frsapi_IsPathReplicated *r) + { + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + TALLOC_CTX *_mem_save_path_0; + TALLOC_CTX *_mem_save_replicated_0; + TALLOC_CTX *_mem_save_primary_0; +@@ -664,11 +666,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); +- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->in.path); ++ length_path_1 = ndr_get_array_length(ndr, &r->in.path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + NDR_CHECK(ndr_pull_frsapi_ReplicaSetType(ndr, NDR_SCALARS, &r->in.replica_set_type)); +@@ -842,7 +846,11 @@ + uint32_t _ptr_replica_set_guid; + uint32_t _ptr_connection_guid; + uint32_t _ptr_replica_set_name; ++ uint32_t size_replica_set_name_1 = 0; ++ uint32_t length_replica_set_name_1 = 0; + uint32_t _ptr_partner_dns_name; ++ uint32_t size_partner_dns_name_1 = 0; ++ uint32_t length_partner_dns_name_1 = 0; + TALLOC_CTX *_mem_save_replica_set_guid_0; + TALLOC_CTX *_mem_save_connection_guid_0; + TALLOC_CTX *_mem_save_replica_set_name_0; +@@ -883,11 +891,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.replica_set_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.replica_set_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.replica_set_name)); +- if (ndr_get_array_length(ndr, &r->in.replica_set_name) > ndr_get_array_size(ndr, &r->in.replica_set_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.replica_set_name), ndr_get_array_length(ndr, &r->in.replica_set_name)); ++ size_replica_set_name_1 = ndr_get_array_size(ndr, &r->in.replica_set_name); ++ length_replica_set_name_1 = ndr_get_array_length(ndr, &r->in.replica_set_name); ++ if (length_replica_set_name_1 > size_replica_set_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_replica_set_name_1, length_replica_set_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.replica_set_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_name, ndr_get_array_length(ndr, &r->in.replica_set_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_replica_set_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_name, length_replica_set_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_replica_set_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_partner_dns_name)); +@@ -901,11 +911,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.partner_dns_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.partner_dns_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.partner_dns_name)); +- if (ndr_get_array_length(ndr, &r->in.partner_dns_name) > ndr_get_array_size(ndr, &r->in.partner_dns_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.partner_dns_name), ndr_get_array_length(ndr, &r->in.partner_dns_name)); ++ size_partner_dns_name_1 = ndr_get_array_size(ndr, &r->in.partner_dns_name); ++ length_partner_dns_name_1 = ndr_get_array_length(ndr, &r->in.partner_dns_name); ++ if (length_partner_dns_name_1 > size_partner_dns_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_partner_dns_name_1, length_partner_dns_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.partner_dns_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.partner_dns_name, ndr_get_array_length(ndr, &r->in.partner_dns_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_partner_dns_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.partner_dns_name, length_partner_dns_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_partner_dns_name_0, 0); + } + } +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_frsrpc.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_frsrpc.c 2012-04-12 12:09:51.671287478 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_frsrpc.c 2012-04-12 12:19:20.651301001 -0500 +@@ -418,6 +418,7 @@ + + static enum ndr_err_code ndr_pull_frsrpc_CommPktChangeOrderCommand(struct ndr_pull *ndr, int ndr_flags, struct frsrpc_CommPktChangeOrderCommand *r) + { ++ uint32_t size_file_name_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sequence_number)); +@@ -456,7 +457,8 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->spare2bin)); + NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->event_time)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->file_name_length)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->file_name, 260 + 1, sizeof(uint16_t), CH_UTF16)); ++ size_file_name_0 = 260 + 1; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->file_name, size_file_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->padding1)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->padding2)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->padding3)); +@@ -579,6 +581,7 @@ + + static enum ndr_err_code ndr_pull_frsrpc_CommPktDataExtensionChecksum(struct ndr_pull *ndr, int ndr_flags, struct frsrpc_CommPktDataExtensionChecksum *r) + { ++ uint32_t size_data_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); +@@ -586,7 +589,8 @@ + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->prefix_size)); + NDR_CHECK(ndr_pull_frsrpc_CommPktDataExtensionType(ndr, NDR_SCALARS, &r->prefix_type)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 16)); ++ size_data_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1857,9 +1861,17 @@ + static enum ndr_err_code ndr_pull_frsrpc_FrsVerifyPromotionParent(struct ndr_pull *ndr, int flags, struct frsrpc_FrsVerifyPromotionParent *r) + { + uint32_t _ptr_parent_account; ++ uint32_t size_parent_account_1 = 0; ++ uint32_t length_parent_account_1 = 0; + uint32_t _ptr_parent_password; ++ uint32_t size_parent_password_1 = 0; ++ uint32_t length_parent_password_1 = 0; + uint32_t _ptr_replica_set_name; ++ uint32_t size_replica_set_name_1 = 0; ++ uint32_t length_replica_set_name_1 = 0; + uint32_t _ptr_replica_set_type; ++ uint32_t size_replica_set_type_1 = 0; ++ uint32_t length_replica_set_type_1 = 0; + TALLOC_CTX *_mem_save_parent_account_0; + TALLOC_CTX *_mem_save_parent_password_0; + TALLOC_CTX *_mem_save_replica_set_name_0; +@@ -1876,11 +1888,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.parent_account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.parent_account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.parent_account)); +- if (ndr_get_array_length(ndr, &r->in.parent_account) > ndr_get_array_size(ndr, &r->in.parent_account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.parent_account), ndr_get_array_length(ndr, &r->in.parent_account)); ++ size_parent_account_1 = ndr_get_array_size(ndr, &r->in.parent_account); ++ length_parent_account_1 = ndr_get_array_length(ndr, &r->in.parent_account); ++ if (length_parent_account_1 > size_parent_account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parent_account_1, length_parent_account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.parent_account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.parent_account, ndr_get_array_length(ndr, &r->in.parent_account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_parent_account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.parent_account, length_parent_account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parent_account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_parent_password)); +@@ -1894,11 +1908,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.parent_password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.parent_password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.parent_password)); +- if (ndr_get_array_length(ndr, &r->in.parent_password) > ndr_get_array_size(ndr, &r->in.parent_password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.parent_password), ndr_get_array_length(ndr, &r->in.parent_password)); ++ size_parent_password_1 = ndr_get_array_size(ndr, &r->in.parent_password); ++ length_parent_password_1 = ndr_get_array_length(ndr, &r->in.parent_password); ++ if (length_parent_password_1 > size_parent_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parent_password_1, length_parent_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.parent_password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.parent_password, ndr_get_array_length(ndr, &r->in.parent_password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_parent_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.parent_password, length_parent_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parent_password_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_replica_set_name)); +@@ -1912,11 +1928,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.replica_set_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.replica_set_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.replica_set_name)); +- if (ndr_get_array_length(ndr, &r->in.replica_set_name) > ndr_get_array_size(ndr, &r->in.replica_set_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.replica_set_name), ndr_get_array_length(ndr, &r->in.replica_set_name)); ++ size_replica_set_name_1 = ndr_get_array_size(ndr, &r->in.replica_set_name); ++ length_replica_set_name_1 = ndr_get_array_length(ndr, &r->in.replica_set_name); ++ if (length_replica_set_name_1 > size_replica_set_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_replica_set_name_1, length_replica_set_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.replica_set_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_name, ndr_get_array_length(ndr, &r->in.replica_set_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_replica_set_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_name, length_replica_set_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_replica_set_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_replica_set_type)); +@@ -1930,11 +1948,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.replica_set_type, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.replica_set_type)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.replica_set_type)); +- if (ndr_get_array_length(ndr, &r->in.replica_set_type) > ndr_get_array_size(ndr, &r->in.replica_set_type)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.replica_set_type), ndr_get_array_length(ndr, &r->in.replica_set_type)); ++ size_replica_set_type_1 = ndr_get_array_size(ndr, &r->in.replica_set_type); ++ length_replica_set_type_1 = ndr_get_array_length(ndr, &r->in.replica_set_type); ++ if (length_replica_set_type_1 > size_replica_set_type_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_replica_set_type_1, length_replica_set_type_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.replica_set_type), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_type, ndr_get_array_length(ndr, &r->in.replica_set_type), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_replica_set_type_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_type, length_replica_set_type_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_replica_set_type_0, 0); + } + NDR_CHECK(ndr_pull_frsrpc_PartnerAuthLevel(ndr, NDR_SCALARS, &r->in.partner_auth_level)); +@@ -2094,12 +2114,26 @@ + static enum ndr_err_code ndr_pull_frsrpc_FrsStartPromotionParent(struct ndr_pull *ndr, int flags, struct frsrpc_FrsStartPromotionParent *r) + { + uint32_t _ptr_parent_account; ++ uint32_t size_parent_account_1 = 0; ++ uint32_t length_parent_account_1 = 0; + uint32_t _ptr_parent_password; ++ uint32_t size_parent_password_1 = 0; ++ uint32_t length_parent_password_1 = 0; + uint32_t _ptr_replica_set_name; ++ uint32_t size_replica_set_name_1 = 0; ++ uint32_t length_replica_set_name_1 = 0; + uint32_t _ptr_replica_set_type; ++ uint32_t size_replica_set_type_1 = 0; ++ uint32_t length_replica_set_type_1 = 0; + uint32_t _ptr_connection_name; ++ uint32_t size_connection_name_1 = 0; ++ uint32_t length_connection_name_1 = 0; + uint32_t _ptr_partner_name; ++ uint32_t size_partner_name_1 = 0; ++ uint32_t length_partner_name_1 = 0; + uint32_t _ptr_partner_princ_name; ++ uint32_t size_partner_princ_name_1 = 0; ++ uint32_t length_partner_princ_name_1 = 0; + uint32_t _ptr_connection_guid; + uint32_t _ptr_partner_guid; + uint32_t _ptr_parent_guid; +@@ -2127,11 +2161,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.parent_account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.parent_account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.parent_account)); +- if (ndr_get_array_length(ndr, &r->in.parent_account) > ndr_get_array_size(ndr, &r->in.parent_account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.parent_account), ndr_get_array_length(ndr, &r->in.parent_account)); ++ size_parent_account_1 = ndr_get_array_size(ndr, &r->in.parent_account); ++ length_parent_account_1 = ndr_get_array_length(ndr, &r->in.parent_account); ++ if (length_parent_account_1 > size_parent_account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parent_account_1, length_parent_account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.parent_account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.parent_account, ndr_get_array_length(ndr, &r->in.parent_account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_parent_account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.parent_account, length_parent_account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parent_account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_parent_password)); +@@ -2145,11 +2181,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.parent_password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.parent_password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.parent_password)); +- if (ndr_get_array_length(ndr, &r->in.parent_password) > ndr_get_array_size(ndr, &r->in.parent_password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.parent_password), ndr_get_array_length(ndr, &r->in.parent_password)); ++ size_parent_password_1 = ndr_get_array_size(ndr, &r->in.parent_password); ++ length_parent_password_1 = ndr_get_array_length(ndr, &r->in.parent_password); ++ if (length_parent_password_1 > size_parent_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parent_password_1, length_parent_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.parent_password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.parent_password, ndr_get_array_length(ndr, &r->in.parent_password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_parent_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.parent_password, length_parent_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parent_password_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_replica_set_name)); +@@ -2163,11 +2201,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.replica_set_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.replica_set_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.replica_set_name)); +- if (ndr_get_array_length(ndr, &r->in.replica_set_name) > ndr_get_array_size(ndr, &r->in.replica_set_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.replica_set_name), ndr_get_array_length(ndr, &r->in.replica_set_name)); ++ size_replica_set_name_1 = ndr_get_array_size(ndr, &r->in.replica_set_name); ++ length_replica_set_name_1 = ndr_get_array_length(ndr, &r->in.replica_set_name); ++ if (length_replica_set_name_1 > size_replica_set_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_replica_set_name_1, length_replica_set_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.replica_set_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_name, ndr_get_array_length(ndr, &r->in.replica_set_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_replica_set_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_name, length_replica_set_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_replica_set_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_replica_set_type)); +@@ -2181,11 +2221,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.replica_set_type, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.replica_set_type)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.replica_set_type)); +- if (ndr_get_array_length(ndr, &r->in.replica_set_type) > ndr_get_array_size(ndr, &r->in.replica_set_type)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.replica_set_type), ndr_get_array_length(ndr, &r->in.replica_set_type)); ++ size_replica_set_type_1 = ndr_get_array_size(ndr, &r->in.replica_set_type); ++ length_replica_set_type_1 = ndr_get_array_length(ndr, &r->in.replica_set_type); ++ if (length_replica_set_type_1 > size_replica_set_type_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_replica_set_type_1, length_replica_set_type_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.replica_set_type), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_type, ndr_get_array_length(ndr, &r->in.replica_set_type), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_replica_set_type_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.replica_set_type, length_replica_set_type_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_replica_set_type_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_connection_name)); +@@ -2199,11 +2241,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.connection_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.connection_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.connection_name)); +- if (ndr_get_array_length(ndr, &r->in.connection_name) > ndr_get_array_size(ndr, &r->in.connection_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.connection_name), ndr_get_array_length(ndr, &r->in.connection_name)); ++ size_connection_name_1 = ndr_get_array_size(ndr, &r->in.connection_name); ++ length_connection_name_1 = ndr_get_array_length(ndr, &r->in.connection_name); ++ if (length_connection_name_1 > size_connection_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_connection_name_1, length_connection_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.connection_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.connection_name, ndr_get_array_length(ndr, &r->in.connection_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_connection_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.connection_name, length_connection_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_connection_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_partner_name)); +@@ -2217,11 +2261,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.partner_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.partner_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.partner_name)); +- if (ndr_get_array_length(ndr, &r->in.partner_name) > ndr_get_array_size(ndr, &r->in.partner_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.partner_name), ndr_get_array_length(ndr, &r->in.partner_name)); ++ size_partner_name_1 = ndr_get_array_size(ndr, &r->in.partner_name); ++ length_partner_name_1 = ndr_get_array_length(ndr, &r->in.partner_name); ++ if (length_partner_name_1 > size_partner_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_partner_name_1, length_partner_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.partner_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.partner_name, ndr_get_array_length(ndr, &r->in.partner_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_partner_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.partner_name, length_partner_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_partner_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_partner_princ_name)); +@@ -2235,11 +2281,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.partner_princ_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.partner_princ_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.partner_princ_name)); +- if (ndr_get_array_length(ndr, &r->in.partner_princ_name) > ndr_get_array_size(ndr, &r->in.partner_princ_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.partner_princ_name), ndr_get_array_length(ndr, &r->in.partner_princ_name)); ++ size_partner_princ_name_1 = ndr_get_array_size(ndr, &r->in.partner_princ_name); ++ length_partner_princ_name_1 = ndr_get_array_length(ndr, &r->in.partner_princ_name); ++ if (length_partner_princ_name_1 > size_partner_princ_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_partner_princ_name_1, length_partner_princ_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.partner_princ_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.partner_princ_name, ndr_get_array_length(ndr, &r->in.partner_princ_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_partner_princ_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.partner_princ_name, length_partner_princ_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_partner_princ_name_0, 0); + } + NDR_CHECK(ndr_pull_frsrpc_PartnerAuthLevel(ndr, NDR_SCALARS, &r->in.partner_auth_level)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_frstrans.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_frstrans.c 2012-04-12 12:09:50.971287462 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_frstrans.c 2012-04-12 12:19:20.659301003 -0500 +@@ -193,6 +193,10 @@ + + static enum ndr_err_code ndr_pull_frstrans_Update(struct ndr_pull *ndr, int ndr_flags, struct frstrans_Update *r) + { ++ uint32_t size_sha1_hash_0 = 0; ++ uint32_t size_rdc_similarity_0 = 0; ++ uint32_t size_name_0 = 0; ++ uint32_t length_name_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); +@@ -205,8 +209,10 @@ + NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->clock)); + NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->create_time)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->content_set_guid)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->sha1_hash, 20)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->rdc_similarity, 16)); ++ size_sha1_hash_0 = 20; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->sha1_hash, size_sha1_hash_0)); ++ size_rdc_similarity_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->rdc_similarity, size_rdc_similarity_0)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->uid_db_guid)); + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->uid_version)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->gsvn_db_guid)); +@@ -214,11 +220,13 @@ + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->parent_db_guid)); + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->parent_version)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > 261) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", 261, ndr_get_array_length(ndr, &r->name)); ++ size_name_0 = 261; ++ length_name_0 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_0 > size_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_0, length_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } +@@ -400,10 +408,12 @@ + static enum ndr_err_code ndr_pull_frstrans_AsyncVersionVectorResponse(struct ndr_pull *ndr, int ndr_flags, struct frstrans_AsyncVersionVectorResponse *r) + { + uint32_t _ptr_version_vector; ++ uint32_t size_version_vector_1 = 0; + uint32_t cntr_version_vector_1; + TALLOC_CTX *_mem_save_version_vector_0; + TALLOC_CTX *_mem_save_version_vector_1; + uint32_t _ptr_epoque_vector; ++ uint32_t size_epoque_vector_1 = 0; + uint32_t cntr_epoque_vector_1; + TALLOC_CTX *_mem_save_epoque_vector_0; + TALLOC_CTX *_mem_save_epoque_vector_1; +@@ -431,10 +441,11 @@ + _mem_save_version_vector_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->version_vector, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->version_vector)); +- NDR_PULL_ALLOC_N(ndr, r->version_vector, ndr_get_array_size(ndr, &r->version_vector)); ++ size_version_vector_1 = ndr_get_array_size(ndr, &r->version_vector); ++ NDR_PULL_ALLOC_N(ndr, r->version_vector, size_version_vector_1); + _mem_save_version_vector_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->version_vector, 0); +- for (cntr_version_vector_1 = 0; cntr_version_vector_1 < r->version_vector_count; cntr_version_vector_1++) { ++ for (cntr_version_vector_1 = 0; cntr_version_vector_1 < size_version_vector_1; cntr_version_vector_1++) { + NDR_CHECK(ndr_pull_frstrans_VersionVector(ndr, NDR_SCALARS, &r->version_vector[cntr_version_vector_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_version_vector_1, 0); +@@ -444,10 +455,11 @@ + _mem_save_epoque_vector_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->epoque_vector, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->epoque_vector)); +- NDR_PULL_ALLOC_N(ndr, r->epoque_vector, ndr_get_array_size(ndr, &r->epoque_vector)); ++ size_epoque_vector_1 = ndr_get_array_size(ndr, &r->epoque_vector); ++ NDR_PULL_ALLOC_N(ndr, r->epoque_vector, size_epoque_vector_1); + _mem_save_epoque_vector_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->epoque_vector, 0); +- for (cntr_epoque_vector_1 = 0; cntr_epoque_vector_1 < r->epoque_vector_count; cntr_epoque_vector_1++) { ++ for (cntr_epoque_vector_1 = 0; cntr_epoque_vector_1 < size_epoque_vector_1; cntr_epoque_vector_1++) { + NDR_CHECK(ndr_pull_frstrans_EpoqueVector(ndr, NDR_SCALARS, &r->epoque_vector[cntr_epoque_vector_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_epoque_vector_1, 0); +@@ -607,10 +619,12 @@ + + static enum ndr_err_code ndr_pull_frstrans_RdcParameterGeneric(struct ndr_pull *ndr, int ndr_flags, struct frstrans_RdcParameterGeneric *r) + { ++ uint32_t size_chunker_parameters_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 3)); + NDR_CHECK(ndr_pull_frstrans_RdcChunckerAlgorithm(ndr, NDR_SCALARS, &r->chunker_type)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->chunker_parameters, 64)); ++ size_chunker_parameters_0 = 64; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->chunker_parameters, size_chunker_parameters_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 3)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -955,6 +969,7 @@ + + static enum ndr_err_code ndr_pull_frstrans_RdcFileInfo(struct ndr_pull *ndr, int ndr_flags, struct frstrans_RdcFileInfo *r) + { ++ uint32_t size_rdc_filter_parameters_0 = 0; + uint32_t cntr_rdc_filter_parameters_0; + TALLOC_CTX *_mem_save_rdc_filter_parameters_0; + if (ndr_flags & NDR_SCALARS) { +@@ -969,10 +984,11 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_frstrans_RdcCompressionAlgorithm(ndr, NDR_SCALARS, &r->compression_algorithm)); +- NDR_PULL_ALLOC_N(ndr, r->rdc_filter_parameters, ndr_get_array_size(ndr, &r->rdc_filter_parameters)); ++ size_rdc_filter_parameters_0 = ndr_get_array_size(ndr, &r->rdc_filter_parameters); ++ NDR_PULL_ALLOC_N(ndr, r->rdc_filter_parameters, size_rdc_filter_parameters_0); + _mem_save_rdc_filter_parameters_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->rdc_filter_parameters, 0); +- for (cntr_rdc_filter_parameters_0 = 0; cntr_rdc_filter_parameters_0 < r->rdc_signature_levels; cntr_rdc_filter_parameters_0++) { ++ for (cntr_rdc_filter_parameters_0 = 0; cntr_rdc_filter_parameters_0 < size_rdc_filter_parameters_0; cntr_rdc_filter_parameters_0++) { + NDR_CHECK(ndr_pull_frstrans_RdcParameters(ndr, NDR_SCALARS, &r->rdc_filter_parameters[cntr_rdc_filter_parameters_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rdc_filter_parameters_0, 0); +@@ -1025,11 +1041,13 @@ + + static enum ndr_err_code ndr_pull_frstrans_BytePipe_chunk(struct ndr_pull *ndr, int ndr_flags, struct frstrans_BytePipe_chunk *r) + { ++ uint32_t size_array_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint3264(ndr, NDR_SCALARS, &r->count)); +- NDR_PULL_ALLOC_N(ndr, r->array, r->count); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->array, r->count)); ++ size_array_0 = r->count; ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->array, size_array_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1290,7 +1308,10 @@ + + static enum ndr_err_code ndr_pull_frstrans_RequestUpdates(struct ndr_pull *ndr, int flags, struct frstrans_RequestUpdates *r) + { ++ uint32_t size_version_vector_diff_1 = 0; + uint32_t cntr_version_vector_diff_1; ++ uint32_t size_frs_update_1 = 0; ++ uint32_t length_frs_update_1 = 0; + uint32_t cntr_frs_update_1; + TALLOC_CTX *_mem_save_version_vector_diff_1; + TALLOC_CTX *_mem_save_frs_update_1; +@@ -1317,12 +1338,13 @@ + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.version_vector_diff_count)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.version_vector_diff)); ++ size_version_vector_diff_1 = ndr_get_array_size(ndr, &r->in.version_vector_diff); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.version_vector_diff, ndr_get_array_size(ndr, &r->in.version_vector_diff)); ++ NDR_PULL_ALLOC_N(ndr, r->in.version_vector_diff, size_version_vector_diff_1); + } + _mem_save_version_vector_diff_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.version_vector_diff, 0); +- for (cntr_version_vector_diff_1 = 0; cntr_version_vector_diff_1 < r->in.version_vector_diff_count; cntr_version_vector_diff_1++) { ++ for (cntr_version_vector_diff_1 = 0; cntr_version_vector_diff_1 < size_version_vector_diff_1; cntr_version_vector_diff_1++) { + NDR_CHECK(ndr_pull_frstrans_VersionVector(ndr, NDR_SCALARS, &r->in.version_vector_diff[cntr_version_vector_diff_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_version_vector_diff_1, 0); +@@ -1343,15 +1365,17 @@ + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.frs_update)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.frs_update)); +- if (ndr_get_array_length(ndr, &r->out.frs_update) > ndr_get_array_size(ndr, &r->out.frs_update)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.frs_update), ndr_get_array_length(ndr, &r->out.frs_update)); ++ size_frs_update_1 = ndr_get_array_size(ndr, &r->out.frs_update); ++ length_frs_update_1 = ndr_get_array_length(ndr, &r->out.frs_update); ++ if (length_frs_update_1 > size_frs_update_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_frs_update_1, length_frs_update_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.frs_update, ndr_get_array_size(ndr, &r->out.frs_update)); ++ NDR_PULL_ALLOC_N(ndr, r->out.frs_update, size_frs_update_1); + } + _mem_save_frs_update_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.frs_update, 0); +- for (cntr_frs_update_1 = 0; cntr_frs_update_1 < ndr_get_array_length(ndr, &r->out.frs_update); cntr_frs_update_1++) { ++ for (cntr_frs_update_1 = 0; cntr_frs_update_1 < length_frs_update_1; cntr_frs_update_1++) { + NDR_CHECK(ndr_pull_frstrans_Update(ndr, NDR_SCALARS, &r->out.frs_update[cntr_frs_update_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_frs_update_1, 0); +@@ -1920,6 +1944,8 @@ + static enum ndr_err_code ndr_pull_frstrans_InitializeFileTransferAsync(struct ndr_pull *ndr, int flags, struct frstrans_InitializeFileTransferAsync *r) + { + uint32_t _ptr_rdc_file_info; ++ uint32_t size_data_buffer_1 = 0; ++ uint32_t length_data_buffer_1 = 0; + TALLOC_CTX *_mem_save_frs_update_0; + TALLOC_CTX *_mem_save_staging_policy_0; + TALLOC_CTX *_mem_save_server_context_0; +@@ -2010,13 +2036,15 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rdc_file_info_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data_buffer)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.data_buffer)); +- if (ndr_get_array_length(ndr, &r->out.data_buffer) > ndr_get_array_size(ndr, &r->out.data_buffer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.data_buffer), ndr_get_array_length(ndr, &r->out.data_buffer)); ++ size_data_buffer_1 = ndr_get_array_size(ndr, &r->out.data_buffer); ++ length_data_buffer_1 = ndr_get_array_length(ndr, &r->out.data_buffer); ++ if (length_data_buffer_1 > size_data_buffer_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_buffer_1, length_data_buffer_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.data_buffer, ndr_get_array_size(ndr, &r->out.data_buffer)); ++ NDR_PULL_ALLOC_N(ndr, r->out.data_buffer, size_data_buffer_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data_buffer, ndr_get_array_length(ndr, &r->out.data_buffer))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data_buffer, length_data_buffer_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.size_read); + } +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_krb5pac.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_krb5pac.c 2012-04-12 12:09:51.775287481 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_krb5pac.c 2012-04-12 12:19:20.671301001 -0500 +@@ -22,11 +22,13 @@ + + static enum ndr_err_code ndr_pull_PAC_LOGON_NAME(struct ndr_pull *ndr, int ndr_flags, struct PAC_LOGON_NAME *r) + { ++ uint32_t size_account_name_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->logon_time)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, r->size, sizeof(uint8_t), CH_UTF16)); ++ size_account_name_0 = r->size; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, size_account_name_0, sizeof(uint8_t), CH_UTF16)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -474,25 +476,28 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA *r) + { ++ uint32_t size_buffers_0 = 0; + uint32_t cntr_buffers_0; + TALLOC_CTX *_mem_save_buffers_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); +- NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers); ++ size_buffers_0 = r->num_buffers; ++ NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0); + _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); +- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { ++ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { + NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_buffers_0 = r->num_buffers; + _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); +- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { ++ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { + NDR_CHECK(ndr_pull_PAC_BUFFER(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); +@@ -642,25 +647,28 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_PAC_DATA_RAW(struct ndr_pull *ndr, int ndr_flags, struct PAC_DATA_RAW *r) + { ++ uint32_t size_buffers_0 = 0; + uint32_t cntr_buffers_0; + TALLOC_CTX *_mem_save_buffers_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_buffers)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); +- NDR_PULL_ALLOC_N(ndr, r->buffers, r->num_buffers); ++ size_buffers_0 = r->num_buffers; ++ NDR_PULL_ALLOC_N(ndr, r->buffers, size_buffers_0); + _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); +- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { ++ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { + NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_SCALARS, &r->buffers[cntr_buffers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_buffers_0 = r->num_buffers; + _mem_save_buffers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->buffers, 0); +- for (cntr_buffers_0 = 0; cntr_buffers_0 < r->num_buffers; cntr_buffers_0++) { ++ for (cntr_buffers_0 = 0; cntr_buffers_0 < size_buffers_0; cntr_buffers_0++) { + NDR_CHECK(ndr_pull_PAC_BUFFER_RAW(ndr, NDR_BUFFERS, &r->buffers[cntr_buffers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffers_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_libnetapi.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_libnetapi.c 2012-04-12 12:09:51.787287482 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_libnetapi.c 2012-04-12 12:19:20.679301003 -0500 +@@ -48,17 +48,21 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_domsid(struct ndr_pull *ndr, int ndr_flags, struct domsid *r) + { ++ uint32_t size_id_auth_0 = 0; ++ uint32_t size_sub_auths_0 = 0; + uint32_t cntr_sub_auths_0; + TALLOC_CTX *_mem_save_sub_auths_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_auths)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6)); +- NDR_PULL_ALLOC_N(ndr, r->sub_auths, MAXSUBAUTHS); ++ size_id_auth_0 = 6; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, size_id_auth_0)); ++ size_sub_auths_0 = MAXSUBAUTHS; ++ NDR_PULL_ALLOC_N(ndr, r->sub_auths, size_sub_auths_0); + _mem_save_sub_auths_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sub_auths, 0); +- for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < MAXSUBAUTHS; cntr_sub_auths_0++) { ++ for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < size_sub_auths_0; cntr_sub_auths_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sub_auths[cntr_sub_auths_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sub_auths_0, 0); +@@ -5035,10 +5039,12 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_USER_INFO_21(struct ndr_pull *ndr, int ndr_flags, struct USER_INFO_21 *r) + { ++ uint32_t size_usri21_password_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_PULL_ALLOC_N(ndr, r->usri21_password, ENCRYPTED_PWLEN); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri21_password, ENCRYPTED_PWLEN)); ++ size_usri21_password_0 = ENCRYPTED_PWLEN; ++ NDR_PULL_ALLOC_N(ndr, r->usri21_password, size_usri21_password_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri21_password, size_usri21_password_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -5095,13 +5101,15 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_USER_INFO_22(struct ndr_pull *ndr, int ndr_flags, struct USER_INFO_22 *r) + { ++ uint32_t size_usri22_password_0 = 0; + uint32_t _ptr_usri22_logon_hours; + TALLOC_CTX *_mem_save_usri22_logon_hours_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->usri22_name)); +- NDR_PULL_ALLOC_N(ndr, r->usri22_password, ENCRYPTED_PWLEN); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri22_password, ENCRYPTED_PWLEN)); ++ size_usri22_password_0 = ENCRYPTED_PWLEN; ++ NDR_PULL_ALLOC_N(ndr, r->usri22_password, size_usri22_password_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->usri22_password, size_usri22_password_0)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->usri22_password_age)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->usri22_priv)); + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->usri22_home_dir)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_lsa.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_lsa.c 2012-04-12 12:09:50.607287454 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_lsa.c 2012-04-12 12:19:20.707301002 -0500 +@@ -28,6 +28,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_String(struct ndr_pull *ndr, int ndr_flags, struct lsa_String *r) + { + uint32_t _ptr_string; ++ uint32_t size_string_1 = 0; ++ uint32_t length_string_1 = 0; + TALLOC_CTX *_mem_save_string_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -47,10 +49,12 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); +- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); ++ size_string_1 = ndr_get_array_size(ndr, &r->string); ++ length_string_1 = ndr_get_array_length(ndr, &r->string); ++ if (length_string_1 > size_string_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); + } + if (r->string) { +@@ -102,6 +106,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_StringLarge(struct ndr_pull *ndr, int ndr_flags, struct lsa_StringLarge *r) + { + uint32_t _ptr_string; ++ uint32_t size_string_1 = 0; ++ uint32_t length_string_1 = 0; + TALLOC_CTX *_mem_save_string_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -121,10 +127,12 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); +- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); ++ size_string_1 = ndr_get_array_size(ndr, &r->string); ++ length_string_1 = ndr_get_array_length(ndr, &r->string); ++ if (length_string_1 > size_string_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); + } + if (r->string) { +@@ -179,6 +187,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_Strings(struct ndr_pull *ndr, int ndr_flags, struct lsa_Strings *r) + { + uint32_t _ptr_names; ++ uint32_t size_names_1 = 0; + uint32_t cntr_names_1; + TALLOC_CTX *_mem_save_names_0; + TALLOC_CTX *_mem_save_names_1; +@@ -198,13 +207,14 @@ + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); +- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); ++ size_names_1 = ndr_get_array_size(ndr, &r->names); ++ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); + _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->names[cntr_names_1])); + } +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); +@@ -261,6 +271,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiString(struct ndr_pull *ndr, int ndr_flags, struct lsa_AsciiString *r) + { + uint32_t _ptr_string; ++ uint32_t size_string_1 = 0; ++ uint32_t length_string_1 = 0; + TALLOC_CTX *_mem_save_string_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -280,10 +292,12 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); +- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); ++ size_string_1 = ndr_get_array_size(ndr, &r->string); ++ length_string_1 = ndr_get_array_length(ndr, &r->string); ++ if (length_string_1 > size_string_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint8_t), CH_DOS)); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint8_t), CH_DOS)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); + } + if (r->string) { +@@ -335,6 +349,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_AsciiStringLarge(struct ndr_pull *ndr, int ndr_flags, struct lsa_AsciiStringLarge *r) + { + uint32_t _ptr_string; ++ uint32_t size_string_1 = 0; ++ uint32_t length_string_1 = 0; + TALLOC_CTX *_mem_save_string_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -354,10 +370,12 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); +- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); ++ size_string_1 = ndr_get_array_size(ndr, &r->string); ++ length_string_1 = ndr_get_array_length(ndr, &r->string); ++ if (length_string_1 > size_string_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint8_t), CH_DOS)); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint8_t), CH_DOS)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); + } + if (r->string) { +@@ -412,6 +430,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_BinaryString(struct ndr_pull *ndr, int ndr_flags, struct lsa_BinaryString *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; ++ uint32_t length_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -433,13 +453,15 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->array)); +- if (ndr_get_array_length(ndr, &r->array) > ndr_get_array_size(ndr, &r->array)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->array), ndr_get_array_length(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ length_array_1 = ndr_get_array_length(ndr, &r->array); ++ if (length_array_1 > size_array_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_array_1, length_array_1); + } +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < ndr_get_array_length(ndr, &r->array); cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < length_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -577,6 +599,7 @@ + static enum ndr_err_code ndr_pull_lsa_PrivArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_PrivArray *r) + { + uint32_t _ptr_privs; ++ uint32_t size_privs_1 = 0; + uint32_t cntr_privs_1; + TALLOC_CTX *_mem_save_privs_0; + TALLOC_CTX *_mem_save_privs_1; +@@ -596,13 +619,14 @@ + _mem_save_privs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->privs, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->privs)); +- NDR_PULL_ALLOC_N(ndr, r->privs, ndr_get_array_size(ndr, &r->privs)); ++ size_privs_1 = ndr_get_array_size(ndr, &r->privs); ++ NDR_PULL_ALLOC_N(ndr, r->privs, size_privs_1); + _mem_save_privs_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->privs, 0); +- for (cntr_privs_1 = 0; cntr_privs_1 < r->count; cntr_privs_1++) { ++ for (cntr_privs_1 = 0; cntr_privs_1 < size_privs_1; cntr_privs_1++) { + NDR_CHECK(ndr_pull_lsa_PrivEntry(ndr, NDR_SCALARS, &r->privs[cntr_privs_1])); + } +- for (cntr_privs_1 = 0; cntr_privs_1 < r->count; cntr_privs_1++) { ++ for (cntr_privs_1 = 0; cntr_privs_1 < size_privs_1; cntr_privs_1++) { + NDR_CHECK(ndr_pull_lsa_PrivEntry(ndr, NDR_BUFFERS, &r->privs[cntr_privs_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privs_1, 0); +@@ -715,6 +739,8 @@ + uint32_t _ptr_root_dir; + TALLOC_CTX *_mem_save_root_dir_0; + uint32_t _ptr_object_name; ++ uint32_t size_object_name_1 = 0; ++ uint32_t length_object_name_1 = 0; + TALLOC_CTX *_mem_save_object_name_0; + uint32_t _ptr_sec_desc; + TALLOC_CTX *_mem_save_sec_desc_0; +@@ -762,11 +788,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->object_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->object_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->object_name)); +- if (ndr_get_array_length(ndr, &r->object_name) > ndr_get_array_size(ndr, &r->object_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->object_name), ndr_get_array_length(ndr, &r->object_name)); ++ size_object_name_1 = ndr_get_array_size(ndr, &r->object_name); ++ length_object_name_1 = ndr_get_array_length(ndr, &r->object_name); ++ if (length_object_name_1 > size_object_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_object_name_1, length_object_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->object_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_name, ndr_get_array_length(ndr, &r->object_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_object_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->object_name, length_object_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_object_name_0, 0); + } + if (r->sec_desc) { +@@ -1029,6 +1057,7 @@ + static enum ndr_err_code ndr_pull_lsa_AuditEventsInfo(struct ndr_pull *ndr, int ndr_flags, struct lsa_AuditEventsInfo *r) + { + uint32_t _ptr_settings; ++ uint32_t size_settings_1 = 0; + uint32_t cntr_settings_1; + TALLOC_CTX *_mem_save_settings_0; + TALLOC_CTX *_mem_save_settings_1; +@@ -1049,10 +1078,11 @@ + _mem_save_settings_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->settings, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->settings)); +- NDR_PULL_ALLOC_N(ndr, r->settings, ndr_get_array_size(ndr, &r->settings)); ++ size_settings_1 = ndr_get_array_size(ndr, &r->settings); ++ NDR_PULL_ALLOC_N(ndr, r->settings, size_settings_1); + _mem_save_settings_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->settings, 0); +- for (cntr_settings_1 = 0; cntr_settings_1 < r->count; cntr_settings_1++) { ++ for (cntr_settings_1 = 0; cntr_settings_1 < size_settings_1; cntr_settings_1++) { + NDR_CHECK(ndr_pull_lsa_PolicyAuditPolicy(ndr, NDR_SCALARS, &r->settings[cntr_settings_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_settings_1, 0); +@@ -1948,6 +1978,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_SidArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_SidArray *r) + { + uint32_t _ptr_sids; ++ uint32_t size_sids_1 = 0; + uint32_t cntr_sids_1; + TALLOC_CTX *_mem_save_sids_0; + TALLOC_CTX *_mem_save_sids_1; +@@ -1970,13 +2001,14 @@ + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_1 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); + _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_lsa_SidPtr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); + } +- for (cntr_sids_1 = 0; cntr_sids_1 < r->num_sids; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_lsa_SidPtr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); +@@ -2036,6 +2068,7 @@ + static enum ndr_err_code ndr_pull_lsa_DomainList(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainList *r) + { + uint32_t _ptr_domains; ++ uint32_t size_domains_1 = 0; + uint32_t cntr_domains_1; + TALLOC_CTX *_mem_save_domains_0; + TALLOC_CTX *_mem_save_domains_1; +@@ -2055,13 +2088,14 @@ + _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); +- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); ++ size_domains_1 = ndr_get_array_size(ndr, &r->domains); ++ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); + _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); +- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { ++ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { + NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); + } +- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { ++ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { + NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); +@@ -2190,6 +2224,7 @@ + static enum ndr_err_code ndr_pull_lsa_TransSidArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray *r) + { + uint32_t _ptr_sids; ++ uint32_t size_sids_1 = 0; + uint32_t cntr_sids_1; + TALLOC_CTX *_mem_save_sids_0; + TALLOC_CTX *_mem_save_sids_1; +@@ -2212,10 +2247,11 @@ + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_1 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); + _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_lsa_TranslatedSid(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); +@@ -2276,6 +2312,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_RefDomainList(struct ndr_pull *ndr, int ndr_flags, struct lsa_RefDomainList *r) + { + uint32_t _ptr_domains; ++ uint32_t size_domains_1 = 0; + uint32_t cntr_domains_1; + TALLOC_CTX *_mem_save_domains_0; + TALLOC_CTX *_mem_save_domains_1; +@@ -2299,13 +2336,14 @@ + _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); +- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); ++ size_domains_1 = ndr_get_array_size(ndr, &r->domains); ++ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); + _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); +- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { ++ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { + NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); + } +- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { ++ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { + NDR_CHECK(ndr_pull_lsa_DomainInfo(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); +@@ -2437,6 +2475,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_TransNameArray(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransNameArray *r) + { + uint32_t _ptr_names; ++ uint32_t size_names_1 = 0; + uint32_t cntr_names_1; + TALLOC_CTX *_mem_save_names_0; + TALLOC_CTX *_mem_save_names_1; +@@ -2459,13 +2498,14 @@ + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); +- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); ++ size_names_1 = ndr_get_array_size(ndr, &r->names); ++ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); + _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_lsa_TranslatedName(ndr, NDR_SCALARS, &r->names[cntr_names_1])); + } +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_lsa_TranslatedName(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); +@@ -2555,6 +2595,7 @@ + + static enum ndr_err_code ndr_pull_lsa_PrivilegeSet(struct ndr_pull *ndr, int ndr_flags, struct lsa_PrivilegeSet *r) + { ++ uint32_t size_set_0 = 0; + uint32_t cntr_set_0; + TALLOC_CTX *_mem_save_set_0; + if (ndr_flags & NDR_SCALARS) { +@@ -2565,10 +2606,11 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown)); +- NDR_PULL_ALLOC_N(ndr, r->set, ndr_get_array_size(ndr, &r->set)); ++ size_set_0 = ndr_get_array_size(ndr, &r->set); ++ NDR_PULL_ALLOC_N(ndr, r->set, size_set_0); + _mem_save_set_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->set, 0); +- for (cntr_set_0 = 0; cntr_set_0 < r->count; cntr_set_0++) { ++ for (cntr_set_0 = 0; cntr_set_0 < size_set_0; cntr_set_0++) { + NDR_CHECK(ndr_pull_lsa_LUIDAttribute(ndr, NDR_SCALARS, &r->set[cntr_set_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_set_0, 0); +@@ -2627,6 +2669,8 @@ + static enum ndr_err_code ndr_pull_lsa_DATA_BUF(struct ndr_pull *ndr, int ndr_flags, struct lsa_DATA_BUF *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; ++ uint32_t length_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + { + uint32_t _flags_save_STRUCT = ndr->flags; +@@ -2649,11 +2693,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); +- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ length_data_1 = ndr_get_array_length(ndr, &r->data); ++ if (length_data_1 > size_data_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); + } +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -2714,6 +2760,7 @@ + static enum ndr_err_code ndr_pull_lsa_DATA_BUF2(struct ndr_pull *ndr, int ndr_flags, struct lsa_DATA_BUF2 *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + { + uint32_t _flags_save_STRUCT = ndr->flags; +@@ -2737,8 +2784,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -2945,6 +2993,7 @@ + static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoControllers(struct ndr_pull *ndr, int ndr_flags, struct lsa_TrustDomainInfoControllers *r) + { + uint32_t _ptr_netbios_names; ++ uint32_t size_netbios_names_1 = 0; + uint32_t cntr_netbios_names_1; + TALLOC_CTX *_mem_save_netbios_names_0; + TALLOC_CTX *_mem_save_netbios_names_1; +@@ -2964,13 +3013,14 @@ + _mem_save_netbios_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->netbios_names, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_names)); +- NDR_PULL_ALLOC_N(ndr, r->netbios_names, ndr_get_array_size(ndr, &r->netbios_names)); ++ size_netbios_names_1 = ndr_get_array_size(ndr, &r->netbios_names); ++ NDR_PULL_ALLOC_N(ndr, r->netbios_names, size_netbios_names_1); + _mem_save_netbios_names_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->netbios_names, 0); +- for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < r->entries; cntr_netbios_names_1++) { ++ for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < size_netbios_names_1; cntr_netbios_names_1++) { + NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_SCALARS, &r->netbios_names[cntr_netbios_names_1])); + } +- for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < r->entries; cntr_netbios_names_1++) { ++ for (cntr_netbios_names_1 = 0; cntr_netbios_names_1 < size_netbios_names_1; cntr_netbios_names_1++) { + NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_BUFFERS, &r->netbios_names[cntr_netbios_names_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_names_1, 0); +@@ -3590,6 +3640,7 @@ + static enum ndr_err_code ndr_pull_lsa_TrustDomainInfoInfoEx2Internal(struct ndr_pull *ndr, int ndr_flags, struct lsa_TrustDomainInfoInfoEx2Internal *r) + { + uint32_t _ptr_forest_trust_data; ++ uint32_t size_forest_trust_data_1 = 0; + TALLOC_CTX *_mem_save_forest_trust_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3609,8 +3660,9 @@ + _mem_save_forest_trust_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->forest_trust_data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->forest_trust_data)); +- NDR_PULL_ALLOC_N(ndr, r->forest_trust_data, ndr_get_array_size(ndr, &r->forest_trust_data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->forest_trust_data, ndr_get_array_size(ndr, &r->forest_trust_data))); ++ size_forest_trust_data_1 = ndr_get_array_size(ndr, &r->forest_trust_data); ++ NDR_PULL_ALLOC_N(ndr, r->forest_trust_data, size_forest_trust_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->forest_trust_data, size_forest_trust_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_trust_data_0, 0); + } + if (r->forest_trust_data) { +@@ -4107,6 +4159,7 @@ + static enum ndr_err_code ndr_pull_lsa_RightSet(struct ndr_pull *ndr, int ndr_flags, struct lsa_RightSet *r) + { + uint32_t _ptr_names; ++ uint32_t size_names_1 = 0; + uint32_t cntr_names_1; + TALLOC_CTX *_mem_save_names_0; + TALLOC_CTX *_mem_save_names_1; +@@ -4129,13 +4182,14 @@ + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); +- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); ++ size_names_1 = ndr_get_array_size(ndr, &r->names); ++ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); + _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_SCALARS, &r->names[cntr_names_1])); + } +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_lsa_StringLarge(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); +@@ -4195,6 +4249,7 @@ + static enum ndr_err_code ndr_pull_lsa_DomainListEx(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainListEx *r) + { + uint32_t _ptr_domains; ++ uint32_t size_domains_1 = 0; + uint32_t cntr_domains_1; + TALLOC_CTX *_mem_save_domains_0; + TALLOC_CTX *_mem_save_domains_1; +@@ -4214,13 +4269,14 @@ + _mem_save_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domains)); +- NDR_PULL_ALLOC_N(ndr, r->domains, ndr_get_array_size(ndr, &r->domains)); ++ size_domains_1 = ndr_get_array_size(ndr, &r->domains); ++ NDR_PULL_ALLOC_N(ndr, r->domains, size_domains_1); + _mem_save_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->domains, 0); +- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { ++ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { + NDR_CHECK(ndr_pull_lsa_TrustDomainInfoInfoEx(ndr, NDR_SCALARS, &r->domains[cntr_domains_1])); + } +- for (cntr_domains_1 = 0; cntr_domains_1 < r->count; cntr_domains_1++) { ++ for (cntr_domains_1 = 0; cntr_domains_1 < size_domains_1; cntr_domains_1++) { + NDR_CHECK(ndr_pull_lsa_TrustDomainInfoInfoEx(ndr, NDR_BUFFERS, &r->domains[cntr_domains_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domains_1, 0); +@@ -4344,6 +4400,7 @@ + static enum ndr_err_code ndr_pull_lsa_DomainInfoEfs(struct ndr_pull *ndr, int ndr_flags, struct lsa_DomainInfoEfs *r) + { + uint32_t _ptr_efs_blob; ++ uint32_t size_efs_blob_1 = 0; + TALLOC_CTX *_mem_save_efs_blob_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4361,8 +4418,9 @@ + _mem_save_efs_blob_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->efs_blob, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->efs_blob)); +- NDR_PULL_ALLOC_N(ndr, r->efs_blob, ndr_get_array_size(ndr, &r->efs_blob)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->efs_blob, ndr_get_array_size(ndr, &r->efs_blob))); ++ size_efs_blob_1 = ndr_get_array_size(ndr, &r->efs_blob); ++ NDR_PULL_ALLOC_N(ndr, r->efs_blob, size_efs_blob_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->efs_blob, size_efs_blob_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_efs_blob_0, 0); + } + if (r->efs_blob) { +@@ -4554,6 +4612,7 @@ + static enum ndr_err_code ndr_pull_lsa_TransNameArray2(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransNameArray2 *r) + { + uint32_t _ptr_names; ++ uint32_t size_names_1 = 0; + uint32_t cntr_names_1; + TALLOC_CTX *_mem_save_names_0; + TALLOC_CTX *_mem_save_names_1; +@@ -4576,13 +4635,14 @@ + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); +- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); ++ size_names_1 = ndr_get_array_size(ndr, &r->names); ++ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); + _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_lsa_TranslatedName2(ndr, NDR_SCALARS, &r->names[cntr_names_1])); + } +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_lsa_TranslatedName2(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); +@@ -4731,6 +4791,7 @@ + static enum ndr_err_code ndr_pull_lsa_TransSidArray2(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray2 *r) + { + uint32_t _ptr_sids; ++ uint32_t size_sids_1 = 0; + uint32_t cntr_sids_1; + TALLOC_CTX *_mem_save_sids_0; + TALLOC_CTX *_mem_save_sids_1; +@@ -4753,10 +4814,11 @@ + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_1 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); + _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_lsa_TranslatedSid2(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); +@@ -4879,6 +4941,7 @@ + static enum ndr_err_code ndr_pull_lsa_TransSidArray3(struct ndr_pull *ndr, int ndr_flags, struct lsa_TransSidArray3 *r) + { + uint32_t _ptr_sids; ++ uint32_t size_sids_1 = 0; + uint32_t cntr_sids_1; + TALLOC_CTX *_mem_save_sids_0; + TALLOC_CTX *_mem_save_sids_1; +@@ -4901,13 +4964,14 @@ + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_1 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); + _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_lsa_TranslatedSid3(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); + } +- for (cntr_sids_1 = 0; cntr_sids_1 < r->count; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_lsa_TranslatedSid3(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); +@@ -4961,6 +5025,7 @@ + static enum ndr_err_code ndr_pull_lsa_ForestTrustBinaryData(struct ndr_pull *ndr, int ndr_flags, struct lsa_ForestTrustBinaryData *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4981,8 +5046,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -5302,6 +5368,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_ForestTrustInformation(struct ndr_pull *ndr, int ndr_flags, struct lsa_ForestTrustInformation *r) + { + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -5325,10 +5392,11 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_entries)); + if (_ptr_entries) { + NDR_PULL_ALLOC(ndr, r->entries[cntr_entries_1]); +@@ -5336,7 +5404,7 @@ + r->entries[cntr_entries_1] = NULL; + } + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + if (r->entries[cntr_entries_1]) { + _mem_save_entries_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries[cntr_entries_1], 0); +@@ -5625,6 +5693,7 @@ + static enum ndr_err_code ndr_pull_lsa_ForestTrustCollisionInfo(struct ndr_pull *ndr, int ndr_flags, struct lsa_ForestTrustCollisionInfo *r) + { + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -5645,10 +5714,11 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_entries)); + if (_ptr_entries) { + NDR_PULL_ALLOC(ndr, r->entries[cntr_entries_1]); +@@ -5656,7 +5726,7 @@ + r->entries[cntr_entries_1] = NULL; + } + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + if (r->entries[cntr_entries_1]) { + _mem_save_entries_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries[cntr_entries_1], 0); +@@ -6976,6 +7046,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames(struct ndr_pull *ndr, int flags, struct lsa_LookupNames *r) + { ++ uint32_t size_names_0 = 0; + uint32_t cntr_names_0; + uint32_t _ptr_domains; + TALLOC_CTX *_mem_save_handle_0; +@@ -6999,13 +7070,14 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); +- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); ++ size_names_0 = ndr_get_array_size(ndr, &r->in.names); ++ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); +- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); + } +- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); +@@ -10065,6 +10137,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_OpenPolicy2(struct ndr_pull *ndr, int flags, struct lsa_OpenPolicy2 *r) + { + uint32_t _ptr_system_name; ++ uint32_t size_system_name_1 = 0; ++ uint32_t length_system_name_1 = 0; + TALLOC_CTX *_mem_save_system_name_0; + TALLOC_CTX *_mem_save_attr_0; + TALLOC_CTX *_mem_save_handle_0; +@@ -10082,11 +10156,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); +- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); ++ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); ++ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); ++ if (length_system_name_1 > size_system_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -10198,6 +10274,8 @@ + static enum ndr_err_code ndr_pull_lsa_GetUserName(struct ndr_pull *ndr, int flags, struct lsa_GetUserName *r) + { + uint32_t _ptr_system_name; ++ uint32_t size_system_name_1 = 0; ++ uint32_t length_system_name_1 = 0; + uint32_t _ptr_account_name; + uint32_t _ptr_authority_name; + TALLOC_CTX *_mem_save_system_name_0; +@@ -10219,11 +10297,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); +- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); ++ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); ++ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); ++ if (length_system_name_1 > size_system_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -11651,6 +11731,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames2(struct ndr_pull *ndr, int flags, struct lsa_LookupNames2 *r) + { ++ uint32_t size_names_0 = 0; + uint32_t cntr_names_0; + uint32_t _ptr_domains; + TALLOC_CTX *_mem_save_handle_0; +@@ -11674,13 +11755,14 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); +- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); ++ size_names_0 = ndr_get_array_size(ndr, &r->in.names); ++ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); +- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); + } +- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); +@@ -12311,6 +12393,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_lsa_LookupNames3(struct ndr_pull *ndr, int flags, struct lsa_LookupNames3 *r) + { ++ uint32_t size_names_0 = 0; + uint32_t cntr_names_0; + uint32_t _ptr_domains; + TALLOC_CTX *_mem_save_handle_0; +@@ -12334,13 +12417,14 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); +- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); ++ size_names_0 = ndr_get_array_size(ndr, &r->in.names); ++ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); +- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); + } +- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); +@@ -13157,6 +13241,7 @@ + + static enum ndr_err_code ndr_pull_lsa_LookupNames4(struct ndr_pull *ndr, int flags, struct lsa_LookupNames4 *r) + { ++ uint32_t size_names_0 = 0; + uint32_t cntr_names_0; + uint32_t _ptr_domains; + TALLOC_CTX *_mem_save_names_0; +@@ -13172,13 +13257,14 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); +- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); ++ size_names_0 = ndr_get_array_size(ndr, &r->in.names); ++ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); +- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); + } +- for (cntr_names_0 = 0; cntr_names_0 < r->in.num_names; cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_messaging.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_messaging.c 2012-04-12 12:09:50.491287450 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_messaging.c 2012-04-12 12:19:20.719301003 -0500 +@@ -148,15 +148,17 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_messaging_array(struct ndr_pull *ndr, int ndr_flags, struct messaging_array *r) + { ++ uint32_t size_messages_0 = 0; + uint32_t cntr_messages_0; + TALLOC_CTX *_mem_save_messages_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_messages)); +- NDR_PULL_ALLOC_N(ndr, r->messages, r->num_messages); ++ size_messages_0 = r->num_messages; ++ NDR_PULL_ALLOC_N(ndr, r->messages, size_messages_0); + _mem_save_messages_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->messages, 0); +- for (cntr_messages_0 = 0; cntr_messages_0 < r->num_messages; cntr_messages_0++) { ++ for (cntr_messages_0 = 0; cntr_messages_0 < size_messages_0; cntr_messages_0++) { + NDR_CHECK(ndr_pull_messaging_rec(ndr, NDR_SCALARS, &r->messages[cntr_messages_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_messages_0, 0); +@@ -210,27 +212,35 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dbwrap_tdb2_changes(struct ndr_pull *ndr, int ndr_flags, struct dbwrap_tdb2_changes *r) + { ++ uint32_t size_magic_string_0 = 0; ++ uint32_t size_name_0 = 0; ++ uint32_t length_name_0 = 0; ++ uint32_t size_keys_0 = 0; + uint32_t cntr_keys_0; + TALLOC_CTX *_mem_save_keys_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic_string, 4, sizeof(uint8_t), CH_DOS)); ++ size_magic_string_0 = 4; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic_string, size_magic_string_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic_version)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_0 = ndr_get_array_size(ndr, &r->name); ++ length_name_0 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_0 > size_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_0, length_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_0, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_0, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->old_seqnum)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->new_seqnum)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_changes)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_keys)); +- NDR_PULL_ALLOC_N(ndr, r->keys, r->num_keys); ++ size_keys_0 = r->num_keys; ++ NDR_PULL_ALLOC_N(ndr, r->keys, size_keys_0); + _mem_save_keys_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->keys, 0); +- for (cntr_keys_0 = 0; cntr_keys_0 < r->num_keys; cntr_keys_0++) { ++ for (cntr_keys_0 = 0; cntr_keys_0 < size_keys_0; cntr_keys_0++) { + NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->keys[cntr_keys_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keys_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_mgmt.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_mgmt.c 2012-04-12 12:09:51.571287476 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_mgmt.c 2012-04-12 12:19:20.719301003 -0500 +@@ -80,16 +80,18 @@ + + static enum ndr_err_code ndr_pull_rpc_if_id_vector_t(struct ndr_pull *ndr, int ndr_flags, struct rpc_if_id_vector_t *r) + { ++ uint32_t size_if_id_0 = 0; + uint32_t cntr_if_id_0; + TALLOC_CTX *_mem_save_if_id_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->if_id)); + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); +- NDR_PULL_ALLOC_N(ndr, r->if_id, ndr_get_array_size(ndr, &r->if_id)); ++ size_if_id_0 = ndr_get_array_size(ndr, &r->if_id); ++ NDR_PULL_ALLOC_N(ndr, r->if_id, size_if_id_0); + _mem_save_if_id_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->if_id, 0); +- for (cntr_if_id_0 = 0; cntr_if_id_0 < r->count; cntr_if_id_0++) { ++ for (cntr_if_id_0 = 0; cntr_if_id_0 < size_if_id_0; cntr_if_id_0++) { + NDR_CHECK(ndr_pull_ndr_syntax_id_p(ndr, NDR_SCALARS, &r->if_id[cntr_if_id_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_if_id_0, 0); +@@ -99,9 +101,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_if_id_0 = ndr_get_array_size(ndr, &r->if_id); + _mem_save_if_id_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->if_id, 0); +- for (cntr_if_id_0 = 0; cntr_if_id_0 < r->count; cntr_if_id_0++) { ++ for (cntr_if_id_0 = 0; cntr_if_id_0 < size_if_id_0; cntr_if_id_0++) { + NDR_CHECK(ndr_pull_ndr_syntax_id_p(ndr, NDR_BUFFERS, &r->if_id[cntr_if_id_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_if_id_0, 0); +@@ -144,16 +147,18 @@ + + static enum ndr_err_code ndr_pull_mgmt_statistics(struct ndr_pull *ndr, int ndr_flags, struct mgmt_statistics *r) + { ++ uint32_t size_statistics_0 = 0; + uint32_t cntr_statistics_0; + TALLOC_CTX *_mem_save_statistics_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->statistics)); + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); +- NDR_PULL_ALLOC_N(ndr, r->statistics, ndr_get_array_size(ndr, &r->statistics)); ++ size_statistics_0 = ndr_get_array_size(ndr, &r->statistics); ++ NDR_PULL_ALLOC_N(ndr, r->statistics, size_statistics_0); + _mem_save_statistics_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->statistics, 0); +- for (cntr_statistics_0 = 0; cntr_statistics_0 < r->count; cntr_statistics_0++) { ++ for (cntr_statistics_0 = 0; cntr_statistics_0 < size_statistics_0; cntr_statistics_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->statistics[cntr_statistics_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_statistics_0, 0); +@@ -456,6 +461,8 @@ + + static enum ndr_err_code ndr_pull_mgmt_inq_princ_name(struct ndr_pull *ndr, int flags, struct mgmt_inq_princ_name *r) + { ++ uint32_t size_princ_name_0 = 0; ++ uint32_t length_princ_name_0 = 0; + if (flags & NDR_IN) { + ZERO_STRUCT(r->out); + +@@ -465,11 +472,13 @@ + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.princ_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.princ_name)); +- if (ndr_get_array_length(ndr, &r->out.princ_name) > ndr_get_array_size(ndr, &r->out.princ_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.princ_name), ndr_get_array_length(ndr, &r->out.princ_name)); ++ size_princ_name_0 = ndr_get_array_size(ndr, &r->out.princ_name); ++ length_princ_name_0 = ndr_get_array_length(ndr, &r->out.princ_name); ++ if (length_princ_name_0 > size_princ_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_princ_name_0, length_princ_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->out.princ_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.princ_name, ndr_get_array_length(ndr, &r->out.princ_name), sizeof(uint8_t), CH_DOS)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_princ_name_0, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.princ_name, length_princ_name_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); + } + return NDR_ERR_SUCCESS; +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_misc.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_misc.c 2012-04-12 12:09:50.523287452 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_misc.c 2012-04-12 12:19:20.723301003 -0500 +@@ -21,13 +21,17 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_GUID(struct ndr_pull *ndr, int ndr_flags, struct GUID *r) + { ++ uint32_t size_clock_seq_0 = 0; ++ uint32_t size_node_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->time_low)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_mid)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_hi_and_version)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->clock_seq, 2)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->node, 6)); ++ size_clock_seq_0 = 2; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->clock_seq, size_clock_seq_0)); ++ size_node_0 = 6; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->node, size_node_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_named_pipe_auth.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_named_pipe_auth.c 2012-04-12 12:09:51.595287477 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_named_pipe_auth.c 2012-04-12 12:19:20.731301003 -0500 +@@ -54,12 +54,20 @@ + static enum ndr_err_code ndr_pull_named_pipe_auth_req_info4(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req_info4 *r) + { + uint32_t _ptr_client_name; ++ uint32_t size_client_name_1 = 0; ++ uint32_t length_client_name_1 = 0; + TALLOC_CTX *_mem_save_client_name_0; + uint32_t _ptr_client_addr; ++ uint32_t size_client_addr_1 = 0; ++ uint32_t length_client_addr_1 = 0; + TALLOC_CTX *_mem_save_client_addr_0; + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + uint32_t _ptr_server_addr; ++ uint32_t size_server_addr_1 = 0; ++ uint32_t length_server_addr_1 = 0; + TALLOC_CTX *_mem_save_server_addr_0; + uint32_t _ptr_session_info; + TALLOC_CTX *_mem_save_session_info_0; +@@ -105,11 +113,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client_name)); +- if (ndr_get_array_length(ndr, &r->client_name) > ndr_get_array_size(ndr, &r->client_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_name), ndr_get_array_length(ndr, &r->client_name)); ++ size_client_name_1 = ndr_get_array_size(ndr, &r->client_name); ++ length_client_name_1 = ndr_get_array_length(ndr, &r->client_name); ++ if (length_client_name_1 > size_client_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_name_1, length_client_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_name, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_name, length_client_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_name_0, 0); + } + if (r->client_addr) { +@@ -117,11 +127,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client_addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client_addr)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client_addr)); +- if (ndr_get_array_length(ndr, &r->client_addr) > ndr_get_array_size(ndr, &r->client_addr)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_addr), ndr_get_array_length(ndr, &r->client_addr)); ++ size_client_addr_1 = ndr_get_array_size(ndr, &r->client_addr); ++ length_client_addr_1 = ndr_get_array_length(ndr, &r->client_addr); ++ if (length_client_addr_1 > size_client_addr_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_addr_1, length_client_addr_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_addr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t), CH_DOS)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_addr_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_addr, length_client_addr_1, sizeof(uint8_t), CH_DOS)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_addr_0, 0); + } + if (r->server_name) { +@@ -129,11 +141,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (r->server_addr) { +@@ -141,11 +155,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_addr)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_addr)); +- if (ndr_get_array_length(ndr, &r->server_addr) > ndr_get_array_size(ndr, &r->server_addr)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_addr), ndr_get_array_length(ndr, &r->server_addr)); ++ size_server_addr_1 = ndr_get_array_size(ndr, &r->server_addr); ++ length_server_addr_1 = ndr_get_array_length(ndr, &r->server_addr); ++ if (length_server_addr_1 > size_server_addr_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_addr_1, length_server_addr_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_addr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t), CH_DOS)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_addr_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_addr, length_server_addr_1, sizeof(uint8_t), CH_DOS)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_addr_0, 0); + } + if (r->session_info) { +@@ -301,6 +317,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req *r) + { ++ uint32_t size_magic_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + { +@@ -309,7 +326,8 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); + ndr->flags = _flags_save_uint32; + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS)); ++ size_magic_0 = 4; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, size_magic_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level)); + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level)); + NDR_CHECK(ndr_pull_named_pipe_auth_req_info(ndr, NDR_SCALARS, &r->info)); +@@ -479,6 +497,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep *r) + { ++ uint32_t size_magic_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + { +@@ -487,7 +506,8 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); + ndr->flags = _flags_save_uint32; + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, 4, sizeof(uint8_t), CH_DOS)); ++ size_magic_0 = 4; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->magic, size_magic_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->level)); + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->info, r->level)); + NDR_CHECK(ndr_pull_named_pipe_auth_rep_info(ndr, NDR_SCALARS, &r->info)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_nbt.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_nbt.c 2012-04-12 12:09:50.875287459 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_nbt.c 2012-04-12 12:19:20.735301003 -0500 +@@ -250,15 +250,17 @@ + + static enum ndr_err_code ndr_pull_nbt_rdata_netbios(struct ndr_pull *ndr, int ndr_flags, struct nbt_rdata_netbios *r) + { ++ uint32_t size_addresses_0 = 0; + uint32_t cntr_addresses_0; + TALLOC_CTX *_mem_save_addresses_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); +- NDR_PULL_ALLOC_N(ndr, r->addresses, r->length / 6); ++ size_addresses_0 = r->length / 6; ++ NDR_PULL_ALLOC_N(ndr, r->addresses, size_addresses_0); + _mem_save_addresses_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->addresses, 0); +- for (cntr_addresses_0 = 0; cntr_addresses_0 < r->length / 6; cntr_addresses_0++) { ++ for (cntr_addresses_0 = 0; cntr_addresses_0 < size_addresses_0; cntr_addresses_0++) { + NDR_CHECK(ndr_pull_nbt_rdata_address(ndr, NDR_SCALARS, &r->addresses[cntr_addresses_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_0, 0); +@@ -318,9 +320,11 @@ + + static enum ndr_err_code ndr_pull_nbt_statistics(struct ndr_pull *ndr, int ndr_flags, struct nbt_statistics *r) + { ++ uint32_t size_unit_id_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unit_id, 6)); ++ size_unit_id_0 = 6; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unit_id, size_unit_id_0)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->jumpers)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->test_result)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->version_number)); +@@ -391,9 +395,11 @@ + + static enum ndr_err_code ndr_pull_nbt_status_name(struct ndr_pull *ndr, int ndr_flags, struct nbt_status_name *r) + { ++ uint32_t size_name_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 2)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, 15, sizeof(uint8_t), CH_DOS)); ++ size_name_0 = 15; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, size_name_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_nbt_name_type(ndr, NDR_SCALARS, &r->type)); + NDR_CHECK(ndr_pull_nb_flags(ndr, NDR_SCALARS, &r->nb_flags)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); +@@ -434,16 +440,18 @@ + + static enum ndr_err_code ndr_pull_nbt_rdata_status(struct ndr_pull *ndr, int ndr_flags, struct nbt_rdata_status *r) + { ++ uint32_t size_names_0 = 0; + uint32_t cntr_names_0; + TALLOC_CTX *_mem_save_names_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_names)); +- NDR_PULL_ALLOC_N(ndr, r->names, r->num_names); ++ size_names_0 = r->num_names; ++ NDR_PULL_ALLOC_N(ndr, r->names, size_names_0); + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); +- for (cntr_names_0 = 0; cntr_names_0 < r->num_names; cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < size_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_nbt_status_name(ndr, NDR_SCALARS, &r->names[cntr_names_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); +@@ -488,11 +496,13 @@ + + static enum ndr_err_code ndr_pull_nbt_rdata_data(struct ndr_pull *ndr, int ndr_flags, struct nbt_rdata_data *r) + { ++ uint32_t size_data_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 2)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length)); +- NDR_PULL_ALLOC_N(ndr, r->data, r->length); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, r->length)); ++ size_data_0 = r->length; ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -692,12 +702,16 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_nbt_name_packet(struct ndr_pull *ndr, int ndr_flags, struct nbt_name_packet *r) + { ++ uint32_t size_questions_0 = 0; + uint32_t cntr_questions_0; + TALLOC_CTX *_mem_save_questions_0; ++ uint32_t size_answers_0 = 0; + uint32_t cntr_answers_0; + TALLOC_CTX *_mem_save_answers_0; ++ uint32_t size_nsrecs_0 = 0; + uint32_t cntr_nsrecs_0; + TALLOC_CTX *_mem_save_nsrecs_0; ++ uint32_t size_additional_0 = 0; + uint32_t cntr_additional_0; + TALLOC_CTX *_mem_save_additional_0; + { +@@ -711,31 +725,35 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->ancount)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->nscount)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->arcount)); +- NDR_PULL_ALLOC_N(ndr, r->questions, r->qdcount); ++ size_questions_0 = r->qdcount; ++ NDR_PULL_ALLOC_N(ndr, r->questions, size_questions_0); + _mem_save_questions_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->questions, 0); +- for (cntr_questions_0 = 0; cntr_questions_0 < r->qdcount; cntr_questions_0++) { ++ for (cntr_questions_0 = 0; cntr_questions_0 < size_questions_0; cntr_questions_0++) { + NDR_CHECK(ndr_pull_nbt_name_question(ndr, NDR_SCALARS, &r->questions[cntr_questions_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_questions_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->answers, r->ancount); ++ size_answers_0 = r->ancount; ++ NDR_PULL_ALLOC_N(ndr, r->answers, size_answers_0); + _mem_save_answers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->answers, 0); +- for (cntr_answers_0 = 0; cntr_answers_0 < r->ancount; cntr_answers_0++) { ++ for (cntr_answers_0 = 0; cntr_answers_0 < size_answers_0; cntr_answers_0++) { + NDR_CHECK(ndr_pull_nbt_res_rec(ndr, NDR_SCALARS, &r->answers[cntr_answers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_answers_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->nsrecs, r->nscount); ++ size_nsrecs_0 = r->nscount; ++ NDR_PULL_ALLOC_N(ndr, r->nsrecs, size_nsrecs_0); + _mem_save_nsrecs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->nsrecs, 0); +- for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < r->nscount; cntr_nsrecs_0++) { ++ for (cntr_nsrecs_0 = 0; cntr_nsrecs_0 < size_nsrecs_0; cntr_nsrecs_0++) { + NDR_CHECK(ndr_pull_nbt_res_rec(ndr, NDR_SCALARS, &r->nsrecs[cntr_nsrecs_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_nsrecs_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->additional, r->arcount); ++ size_additional_0 = r->arcount; ++ NDR_PULL_ALLOC_N(ndr, r->additional, size_additional_0); + _mem_save_additional_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->additional, 0); +- for (cntr_additional_0 = 0; cntr_additional_0 < r->arcount; cntr_additional_0++) { ++ for (cntr_additional_0 = 0; cntr_additional_0 < size_additional_0; cntr_additional_0++) { + NDR_CHECK(ndr_pull_nbt_res_rec(ndr, NDR_SCALARS, &r->additional[cntr_additional_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_additional_0, 0); +@@ -1104,6 +1122,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_dgram_smb_packet(struct ndr_pull *ndr, int ndr_flags, struct dgram_smb_packet *r) + { ++ uint32_t size_signature_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN|LIBNDR_FLAG_LITTLE_ENDIAN|LIBNDR_PRINT_ARRAY_HEX); +@@ -1116,7 +1135,8 @@ + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->flags)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->flags2)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->pid_high)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->signature, 8)); ++ size_signature_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->signature, size_signature_0)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->reserved)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->tid)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->pid)); +@@ -2485,6 +2505,7 @@ + + static enum ndr_err_code ndr_pull_NETLOGON_DB_CHANGE(struct ndr_pull *ndr, int ndr_flags, struct NETLOGON_DB_CHANGE *r) + { ++ uint32_t size_dbchange_0 = 0; + uint32_t cntr_dbchange_0; + TALLOC_CTX *_mem_save_dbchange_0; + if (ndr_flags & NDR_SCALARS) { +@@ -2524,10 +2545,11 @@ + ndr->flags = _flags_save_string; + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->db_count)); +- NDR_PULL_ALLOC_N(ndr, r->dbchange, r->db_count); ++ size_dbchange_0 = r->db_count; ++ NDR_PULL_ALLOC_N(ndr, r->dbchange, size_dbchange_0); + _mem_save_dbchange_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->dbchange, 0); +- for (cntr_dbchange_0 = 0; cntr_dbchange_0 < r->db_count; cntr_dbchange_0++) { ++ for (cntr_dbchange_0 = 0; cntr_dbchange_0 < size_dbchange_0; cntr_dbchange_0++) { + NDR_CHECK(ndr_pull_nbt_db_change_info(ndr, NDR_SCALARS, &r->dbchange[cntr_dbchange_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dbchange_0, 0); +@@ -2820,11 +2842,13 @@ + + static enum ndr_err_code ndr_pull_nbt_browse_host_announcement(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_host_announcement *r) + { ++ uint32_t size_ServerName_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->UpdateCount)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Periodicity)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, 16, sizeof(uint8_t), CH_DOS)); ++ size_ServerName_0 = 16; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, size_ServerName_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMajor)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMinor)); + NDR_CHECK(ndr_pull_svcctl_ServerType(ndr, NDR_SCALARS, &r->ServerType)); +@@ -3018,16 +3042,18 @@ + + static enum ndr_err_code ndr_pull_nbt_browse_backup_list_response(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_backup_list_response *r) + { ++ uint32_t size_BackupServerList_0 = 0; + uint32_t cntr_BackupServerList_0; + TALLOC_CTX *_mem_save_BackupServerList_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->BackupCount)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Token)); +- NDR_PULL_ALLOC_N(ndr, r->BackupServerList, r->BackupCount); ++ size_BackupServerList_0 = r->BackupCount; ++ NDR_PULL_ALLOC_N(ndr, r->BackupServerList, size_BackupServerList_0); + _mem_save_BackupServerList_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->BackupServerList, 0); +- for (cntr_BackupServerList_0 = 0; cntr_BackupServerList_0 < r->BackupCount; cntr_BackupServerList_0++) { ++ for (cntr_BackupServerList_0 = 0; cntr_BackupServerList_0 < size_BackupServerList_0; cntr_BackupServerList_0++) { + NDR_CHECK(ndr_pull_nbt_name(ndr, NDR_SCALARS, &r->BackupServerList[cntr_BackupServerList_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_BackupServerList_0, 0); +@@ -3124,11 +3150,13 @@ + + static enum ndr_err_code ndr_pull_nbt_browse_domain_announcement(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_domain_announcement *r) + { ++ uint32_t size_ServerName_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->UpdateCount)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Periodicity)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, 16, sizeof(uint8_t), CH_DOS)); ++ size_ServerName_0 = 16; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, size_ServerName_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMajor)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMinor)); + NDR_CHECK(ndr_pull_svcctl_ServerType(ndr, NDR_SCALARS, &r->ServerType)); +@@ -3266,11 +3294,13 @@ + + static enum ndr_err_code ndr_pull_nbt_browse_local_master_announcement(struct ndr_pull *ndr, int ndr_flags, struct nbt_browse_local_master_announcement *r) + { ++ uint32_t size_ServerName_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->UpdateCount)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Periodicity)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, 16, sizeof(uint8_t), CH_DOS)); ++ size_ServerName_0 = 16; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ServerName, size_ServerName_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMajor)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->OSMinor)); + NDR_CHECK(ndr_pull_svcctl_ServerType(ndr, NDR_SCALARS, &r->ServerType)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_netlogon.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_netlogon.c 2012-04-12 12:09:51.567287476 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_netlogon.c 2012-04-12 12:19:20.747301003 -0500 +@@ -61,12 +61,20 @@ + static enum ndr_err_code ndr_pull_netr_UasInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_UasInfo *r) + { + uint32_t _ptr_account_name; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; + TALLOC_CTX *_mem_save_account_name_0; + uint32_t _ptr_computer; ++ uint32_t size_computer_1 = 0; ++ uint32_t length_computer_1 = 0; + TALLOC_CTX *_mem_save_computer_0; + uint32_t _ptr_domain; ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; + TALLOC_CTX *_mem_save_domain_0; + uint32_t _ptr_script_path; ++ uint32_t size_script_path_1 = 0; ++ uint32_t length_script_path_1 = 0; + TALLOC_CTX *_mem_save_script_path_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -114,11 +122,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->account_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); +- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_name_0, 0); + } + if (r->computer) { +@@ -126,11 +136,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->computer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->computer)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->computer)); +- if (ndr_get_array_length(ndr, &r->computer) > ndr_get_array_size(ndr, &r->computer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer), ndr_get_array_length(ndr, &r->computer)); ++ size_computer_1 = ndr_get_array_size(ndr, &r->computer); ++ length_computer_1 = ndr_get_array_length(ndr, &r->computer); ++ if (length_computer_1 > size_computer_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_1, length_computer_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer, ndr_get_array_length(ndr, &r->computer), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer, length_computer_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_0, 0); + } + if (r->domain) { +@@ -138,11 +150,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + if (r->script_path) { +@@ -150,11 +164,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->script_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->script_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->script_path)); +- if (ndr_get_array_length(ndr, &r->script_path) > ndr_get_array_size(ndr, &r->script_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->script_path), ndr_get_array_length(ndr, &r->script_path)); ++ size_script_path_1 = ndr_get_array_size(ndr, &r->script_path); ++ length_script_path_1 = ndr_get_array_length(ndr, &r->script_path); ++ if (length_script_path_1 > size_script_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_script_path_1, length_script_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->script_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->script_path, ndr_get_array_length(ndr, &r->script_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_script_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->script_path, length_script_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_script_path_0, 0); + } + } +@@ -446,6 +462,8 @@ + static enum ndr_err_code ndr_pull_netr_ChallengeResponse(struct ndr_pull *ndr, int ndr_flags, struct netr_ChallengeResponse *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; ++ uint32_t length_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + { + uint32_t _flags_save_STRUCT = ndr->flags; +@@ -468,11 +486,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); +- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ length_data_1 = ndr_get_array_length(ndr, &r->data); ++ if (length_data_1 > size_data_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); + } +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -533,13 +553,15 @@ + + static enum ndr_err_code ndr_pull_netr_NetworkInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_NetworkInfo *r) + { ++ uint32_t size_challenge_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_netr_IdentityInfo(ndr, NDR_SCALARS, &r->identity_info)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->challenge, 8)); ++ size_challenge_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->challenge, size_challenge_0)); + NDR_CHECK(ndr_pull_netr_ChallengeResponse(ndr, NDR_SCALARS, &r->nt)); + NDR_CHECK(ndr_pull_netr_ChallengeResponse(ndr, NDR_SCALARS, &r->lm)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); +@@ -600,6 +622,7 @@ + static enum ndr_err_code ndr_pull_netr_GenericInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_GenericInfo *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + { + uint32_t _flags_save_STRUCT = ndr->flags; +@@ -624,8 +647,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -789,8 +813,11 @@ + uint32_t level; + uint16_t _level; + TALLOC_CTX *_mem_save_password_0; ++ uint32_t _ptr_password; + TALLOC_CTX *_mem_save_network_0; ++ uint32_t _ptr_network; + TALLOC_CTX *_mem_save_generic_0; ++ uint32_t _ptr_generic; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -802,7 +829,6 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + switch (level) { + case NetlogonInteractiveInformation: { +- uint32_t _ptr_password; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); + if (_ptr_password) { + NDR_PULL_ALLOC(ndr, r->password); +@@ -812,7 +838,6 @@ + break; } + + case NetlogonNetworkInformation: { +- uint32_t _ptr_network; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_network)); + if (_ptr_network) { + NDR_PULL_ALLOC(ndr, r->network); +@@ -822,7 +847,6 @@ + break; } + + case NetlogonServiceInformation: { +- uint32_t _ptr_password; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); + if (_ptr_password) { + NDR_PULL_ALLOC(ndr, r->password); +@@ -832,7 +856,6 @@ + break; } + + case NetlogonGenericInformation: { +- uint32_t _ptr_generic; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_generic)); + if (_ptr_generic) { + NDR_PULL_ALLOC(ndr, r->generic); +@@ -842,7 +865,6 @@ + break; } + + case NetlogonInteractiveTransitiveInformation: { +- uint32_t _ptr_password; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); + if (_ptr_password) { + NDR_PULL_ALLOC(ndr, r->password); +@@ -852,7 +874,6 @@ + break; } + + case NetlogonNetworkTransitiveInformation: { +- uint32_t _ptr_network; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_network)); + if (_ptr_network) { + NDR_PULL_ALLOC(ndr, r->network); +@@ -862,7 +883,6 @@ + break; } + + case NetlogonServiceTransitiveInformation: { +- uint32_t _ptr_password; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); + if (_ptr_password) { + NDR_PULL_ALLOC(ndr, r->password); +@@ -1043,12 +1063,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_netr_UserSessionKey(struct ndr_pull *ndr, int ndr_flags, struct netr_UserSessionKey *r) + { ++ uint32_t size_key_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, 16)); ++ size_key_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, size_key_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1091,12 +1113,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_netr_LMSessionKey(struct ndr_pull *ndr, int ndr_flags, struct netr_LMSessionKey *r) + { ++ uint32_t size_key_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, 8)); ++ size_key_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->key, size_key_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1207,6 +1231,7 @@ + { + uint32_t _ptr_domain_sid; + TALLOC_CTX *_mem_save_domain_sid_0; ++ uint32_t size_unknown_0 = 0; + uint32_t cntr_unknown_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1239,7 +1264,8 @@ + } + NDR_CHECK(ndr_pull_netr_LMSessionKey(ndr, NDR_SCALARS, &r->LMSessKey)); + NDR_CHECK(ndr_pull_samr_AcctFlags(ndr, NDR_SCALARS, &r->acct_flags)); +- for (cntr_unknown_0 = 0; cntr_unknown_0 < 7; cntr_unknown_0++) { ++ size_unknown_0 = 7; ++ for (cntr_unknown_0 = 0; cntr_unknown_0 < size_unknown_0; cntr_unknown_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown[cntr_unknown_0])); + } + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); +@@ -1428,6 +1454,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_netr_SamInfo3(struct ndr_pull *ndr, int ndr_flags, struct netr_SamInfo3 *r) + { + uint32_t _ptr_sids; ++ uint32_t size_sids_1 = 0; + uint32_t cntr_sids_1; + TALLOC_CTX *_mem_save_sids_0; + TALLOC_CTX *_mem_save_sids_1; +@@ -1449,13 +1476,14 @@ + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_1 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); + _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); + } +- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); +@@ -1526,9 +1554,11 @@ + static enum ndr_err_code ndr_pull_netr_SamInfo6(struct ndr_pull *ndr, int ndr_flags, struct netr_SamInfo6 *r) + { + uint32_t _ptr_sids; ++ uint32_t size_sids_1 = 0; + uint32_t cntr_sids_1; + TALLOC_CTX *_mem_save_sids_0; + TALLOC_CTX *_mem_save_sids_1; ++ uint32_t size_unknown4_0 = 0; + uint32_t cntr_unknown4_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1542,7 +1572,8 @@ + } + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->dns_domainname)); + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->principle)); +- for (cntr_unknown4_0 = 0; cntr_unknown4_0 < 20; cntr_unknown4_0++) { ++ size_unknown4_0 = 20; ++ for (cntr_unknown4_0 = 0; cntr_unknown4_0 < size_unknown4_0; cntr_unknown4_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown4[cntr_unknown4_0])); + } + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); +@@ -1553,13 +1584,14 @@ + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_1 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_1); + _mem_save_sids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_SCALARS, &r->sids[cntr_sids_1])); + } +- for (cntr_sids_1 = 0; cntr_sids_1 < r->sidcount; cntr_sids_1++) { ++ for (cntr_sids_1 = 0; cntr_sids_1 < size_sids_1; cntr_sids_1++) { + NDR_CHECK(ndr_pull_netr_SidAttr(ndr, NDR_BUFFERS, &r->sids[cntr_sids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_1, 0); +@@ -1650,9 +1682,12 @@ + static enum ndr_err_code ndr_pull_netr_PacInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_PacInfo *r) + { + uint32_t _ptr_pac; ++ uint32_t size_pac_1 = 0; + TALLOC_CTX *_mem_save_pac_0; + uint32_t _ptr_auth; ++ uint32_t size_auth_1 = 0; + TALLOC_CTX *_mem_save_auth_0; ++ uint32_t size_expansionroom_0 = 0; + uint32_t cntr_expansionroom_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1674,7 +1709,8 @@ + r->auth = NULL; + } + NDR_CHECK(ndr_pull_netr_UserSessionKey(ndr, NDR_SCALARS, &r->user_session_key)); +- for (cntr_expansionroom_0 = 0; cntr_expansionroom_0 < 10; cntr_expansionroom_0++) { ++ size_expansionroom_0 = 10; ++ for (cntr_expansionroom_0 = 0; cntr_expansionroom_0 < size_expansionroom_0; cntr_expansionroom_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->expansionroom[cntr_expansionroom_0])); + } + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->unknown1)); +@@ -1688,8 +1724,9 @@ + _mem_save_pac_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->pac, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->pac)); +- NDR_PULL_ALLOC_N(ndr, r->pac, ndr_get_array_size(ndr, &r->pac)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pac, ndr_get_array_size(ndr, &r->pac))); ++ size_pac_1 = ndr_get_array_size(ndr, &r->pac); ++ NDR_PULL_ALLOC_N(ndr, r->pac, size_pac_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pac, size_pac_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pac_0, 0); + } + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->logon_domain)); +@@ -1699,8 +1736,9 @@ + _mem_save_auth_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->auth, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->auth)); +- NDR_PULL_ALLOC_N(ndr, r->auth, ndr_get_array_size(ndr, &r->auth)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->auth, ndr_get_array_size(ndr, &r->auth))); ++ size_auth_1 = ndr_get_array_size(ndr, &r->auth); ++ NDR_PULL_ALLOC_N(ndr, r->auth, size_auth_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->auth, size_auth_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_auth_0, 0); + } + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->unknown1)); +@@ -1779,6 +1817,7 @@ + static enum ndr_err_code ndr_pull_netr_GenericInfo2(struct ndr_pull *ndr, int ndr_flags, struct netr_GenericInfo2 *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + { + uint32_t _flags_save_STRUCT = ndr->flags; +@@ -1799,8 +1838,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -1912,10 +1952,15 @@ + uint32_t level; + uint16_t _level; + TALLOC_CTX *_mem_save_sam2_0; ++ uint32_t _ptr_sam2; + TALLOC_CTX *_mem_save_sam3_0; ++ uint32_t _ptr_sam3; + TALLOC_CTX *_mem_save_pac_0; ++ uint32_t _ptr_pac; + TALLOC_CTX *_mem_save_generic_0; ++ uint32_t _ptr_generic; + TALLOC_CTX *_mem_save_sam6_0; ++ uint32_t _ptr_sam6; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -1927,7 +1972,6 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + switch (level) { + case NetlogonValidationSamInfo: { +- uint32_t _ptr_sam2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam2)); + if (_ptr_sam2) { + NDR_PULL_ALLOC(ndr, r->sam2); +@@ -1937,7 +1981,6 @@ + break; } + + case NetlogonValidationSamInfo2: { +- uint32_t _ptr_sam3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam3)); + if (_ptr_sam3) { + NDR_PULL_ALLOC(ndr, r->sam3); +@@ -1947,7 +1990,6 @@ + break; } + + case 4: { +- uint32_t _ptr_pac; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_pac)); + if (_ptr_pac) { + NDR_PULL_ALLOC(ndr, r->pac); +@@ -1957,7 +1999,6 @@ + break; } + + case NetlogonValidationGenericInfo2: { +- uint32_t _ptr_generic; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_generic)); + if (_ptr_generic) { + NDR_PULL_ALLOC(ndr, r->generic); +@@ -1967,7 +2008,6 @@ + break; } + + case NetlogonValidationSamInfo4: { +- uint32_t _ptr_sam6; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam6)); + if (_ptr_sam6) { + NDR_PULL_ALLOC(ndr, r->sam6); +@@ -2112,12 +2152,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_netr_Credential(struct ndr_pull *ndr, int ndr_flags, struct netr_Credential *r) + { ++ uint32_t size_data_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 8)); ++ size_data_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -2210,6 +2252,8 @@ + static enum ndr_err_code ndr_pull_netr_DELTA_DELETE_USER(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_DELETE_USER *r) + { + uint32_t _ptr_account_name; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; + TALLOC_CTX *_mem_save_account_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -2235,11 +2279,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->account_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); +- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_name_0, 0); + } + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->unknown1)); +@@ -2335,6 +2381,8 @@ + + static enum ndr_err_code ndr_pull_netr_PasswordHistory(struct ndr_pull *ndr, int ndr_flags, struct netr_PasswordHistory *r) + { ++ uint32_t size_nt_history_0 = 0; ++ uint32_t size_lm_history_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->nt_length)); +@@ -2343,10 +2391,12 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm_length)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm_size)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->lm_flags)); +- NDR_PULL_ALLOC_N(ndr, r->nt_history, r->nt_length); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nt_history, r->nt_length)); +- NDR_PULL_ALLOC_N(ndr, r->lm_history, r->lm_length); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->lm_history, r->lm_length)); ++ size_nt_history_0 = r->nt_length; ++ NDR_PULL_ALLOC_N(ndr, r->nt_history, size_nt_history_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nt_history, size_nt_history_0)); ++ size_lm_history_0 = r->lm_length; ++ NDR_PULL_ALLOC_N(ndr, r->lm_history, size_lm_history_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->lm_history, size_lm_history_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -2509,6 +2559,7 @@ + static enum ndr_err_code ndr_pull_netr_USER_PRIVATE_INFO(struct ndr_pull *ndr, int ndr_flags, struct netr_USER_PRIVATE_INFO *r) + { + uint32_t _ptr_SensitiveData; ++ uint32_t size_SensitiveData_1 = 0; + TALLOC_CTX *_mem_save_SensitiveData_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -2535,8 +2586,9 @@ + _mem_save_SensitiveData_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->SensitiveData, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->SensitiveData)); +- NDR_PULL_ALLOC_N(ndr, r->SensitiveData, ndr_get_array_size(ndr, &r->SensitiveData)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SensitiveData, ndr_get_array_size(ndr, &r->SensitiveData))); ++ size_SensitiveData_1 = ndr_get_array_size(ndr, &r->SensitiveData); ++ NDR_PULL_ALLOC_N(ndr, r->SensitiveData, size_SensitiveData_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SensitiveData, size_SensitiveData_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_SensitiveData_0, 0); + } + ndr->flags = _flags_save_uint8; +@@ -3031,10 +3083,12 @@ + static enum ndr_err_code ndr_pull_netr_DELTA_GROUP_MEMBER(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_GROUP_MEMBER *r) + { + uint32_t _ptr_rids; ++ uint32_t size_rids_1 = 0; + uint32_t cntr_rids_1; + TALLOC_CTX *_mem_save_rids_0; + TALLOC_CTX *_mem_save_rids_1; + uint32_t _ptr_attribs; ++ uint32_t size_attribs_1 = 0; + uint32_t cntr_attribs_1; + TALLOC_CTX *_mem_save_attribs_0; + TALLOC_CTX *_mem_save_attribs_1; +@@ -3064,10 +3118,11 @@ + _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); +- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); ++ size_rids_1 = ndr_get_array_size(ndr, &r->rids); ++ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); + _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); +- for (cntr_rids_1 = 0; cntr_rids_1 < r->num_rids; cntr_rids_1++) { ++ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); +@@ -3077,10 +3132,11 @@ + _mem_save_attribs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->attribs, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->attribs)); +- NDR_PULL_ALLOC_N(ndr, r->attribs, ndr_get_array_size(ndr, &r->attribs)); ++ size_attribs_1 = ndr_get_array_size(ndr, &r->attribs); ++ NDR_PULL_ALLOC_N(ndr, r->attribs, size_attribs_1); + _mem_save_attribs_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->attribs, 0); +- for (cntr_attribs_1 = 0; cntr_attribs_1 < r->num_rids; cntr_attribs_1++) { ++ for (cntr_attribs_1 = 0; cntr_attribs_1 < size_attribs_1; cntr_attribs_1++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->attribs[cntr_attribs_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attribs_1, 0); +@@ -3356,6 +3412,7 @@ + static enum ndr_err_code ndr_pull_netr_DELTA_POLICY(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_POLICY *r) + { + uint32_t _ptr_eventauditoptions; ++ uint32_t size_eventauditoptions_1 = 0; + uint32_t cntr_eventauditoptions_1; + TALLOC_CTX *_mem_save_eventauditoptions_0; + TALLOC_CTX *_mem_save_eventauditoptions_1; +@@ -3400,10 +3457,11 @@ + _mem_save_eventauditoptions_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->eventauditoptions, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->eventauditoptions)); +- NDR_PULL_ALLOC_N(ndr, r->eventauditoptions, ndr_get_array_size(ndr, &r->eventauditoptions)); ++ size_eventauditoptions_1 = ndr_get_array_size(ndr, &r->eventauditoptions); ++ NDR_PULL_ALLOC_N(ndr, r->eventauditoptions, size_eventauditoptions_1); + _mem_save_eventauditoptions_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->eventauditoptions, 0); +- for (cntr_eventauditoptions_1 = 0; cntr_eventauditoptions_1 < r->maxauditeventcount + 1; cntr_eventauditoptions_1++) { ++ for (cntr_eventauditoptions_1 = 0; cntr_eventauditoptions_1 < size_eventauditoptions_1; cntr_eventauditoptions_1++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->eventauditoptions[cntr_eventauditoptions_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eventauditoptions_1, 0); +@@ -3515,6 +3573,7 @@ + static enum ndr_err_code ndr_pull_netr_DELTA_TRUSTED_DOMAIN(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_TRUSTED_DOMAIN *r) + { + uint32_t _ptr_controller_names; ++ uint32_t size_controller_names_1 = 0; + uint32_t cntr_controller_names_1; + TALLOC_CTX *_mem_save_controller_names_0; + TALLOC_CTX *_mem_save_controller_names_1; +@@ -3546,13 +3605,14 @@ + _mem_save_controller_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->controller_names, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->controller_names)); +- NDR_PULL_ALLOC_N(ndr, r->controller_names, ndr_get_array_size(ndr, &r->controller_names)); ++ size_controller_names_1 = ndr_get_array_size(ndr, &r->controller_names); ++ NDR_PULL_ALLOC_N(ndr, r->controller_names, size_controller_names_1); + _mem_save_controller_names_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->controller_names, 0); +- for (cntr_controller_names_1 = 0; cntr_controller_names_1 < r->num_controllers; cntr_controller_names_1++) { ++ for (cntr_controller_names_1 = 0; cntr_controller_names_1 < size_controller_names_1; cntr_controller_names_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->controller_names[cntr_controller_names_1])); + } +- for (cntr_controller_names_1 = 0; cntr_controller_names_1 < r->num_controllers; cntr_controller_names_1++) { ++ for (cntr_controller_names_1 = 0; cntr_controller_names_1 < size_controller_names_1; cntr_controller_names_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->controller_names[cntr_controller_names_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_controller_names_1, 0); +@@ -3654,10 +3714,12 @@ + static enum ndr_err_code ndr_pull_netr_DELTA_ACCOUNT(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_ACCOUNT *r) + { + uint32_t _ptr_privilege_attrib; ++ uint32_t size_privilege_attrib_1 = 0; + uint32_t cntr_privilege_attrib_1; + TALLOC_CTX *_mem_save_privilege_attrib_0; + TALLOC_CTX *_mem_save_privilege_attrib_1; + uint32_t _ptr_privilege_name; ++ uint32_t size_privilege_name_1 = 0; + uint32_t cntr_privilege_name_1; + TALLOC_CTX *_mem_save_privilege_name_0; + TALLOC_CTX *_mem_save_privilege_name_1; +@@ -3696,10 +3758,11 @@ + _mem_save_privilege_attrib_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->privilege_attrib, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->privilege_attrib)); +- NDR_PULL_ALLOC_N(ndr, r->privilege_attrib, ndr_get_array_size(ndr, &r->privilege_attrib)); ++ size_privilege_attrib_1 = ndr_get_array_size(ndr, &r->privilege_attrib); ++ NDR_PULL_ALLOC_N(ndr, r->privilege_attrib, size_privilege_attrib_1); + _mem_save_privilege_attrib_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->privilege_attrib, 0); +- for (cntr_privilege_attrib_1 = 0; cntr_privilege_attrib_1 < r->privilege_entries; cntr_privilege_attrib_1++) { ++ for (cntr_privilege_attrib_1 = 0; cntr_privilege_attrib_1 < size_privilege_attrib_1; cntr_privilege_attrib_1++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->privilege_attrib[cntr_privilege_attrib_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privilege_attrib_1, 0); +@@ -3709,13 +3772,14 @@ + _mem_save_privilege_name_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->privilege_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->privilege_name)); +- NDR_PULL_ALLOC_N(ndr, r->privilege_name, ndr_get_array_size(ndr, &r->privilege_name)); ++ size_privilege_name_1 = ndr_get_array_size(ndr, &r->privilege_name); ++ NDR_PULL_ALLOC_N(ndr, r->privilege_name, size_privilege_name_1); + _mem_save_privilege_name_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->privilege_name, 0); +- for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < r->privilege_entries; cntr_privilege_name_1++) { ++ for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < size_privilege_name_1; cntr_privilege_name_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->privilege_name[cntr_privilege_name_1])); + } +- for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < r->privilege_entries; cntr_privilege_name_1++) { ++ for (cntr_privilege_name_1 = 0; cntr_privilege_name_1 < size_privilege_name_1; cntr_privilege_name_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->privilege_name[cntr_privilege_name_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_privilege_name_1, 0); +@@ -3805,6 +3869,8 @@ + static enum ndr_err_code ndr_pull_netr_CIPHER_VALUE(struct ndr_pull *ndr, int ndr_flags, struct netr_CIPHER_VALUE *r) + { + uint32_t _ptr_cipher_data; ++ uint32_t size_cipher_data_1 = 0; ++ uint32_t length_cipher_data_1 = 0; + TALLOC_CTX *_mem_save_cipher_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3824,11 +3890,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->cipher_data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->cipher_data)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->cipher_data)); +- if (ndr_get_array_length(ndr, &r->cipher_data) > ndr_get_array_size(ndr, &r->cipher_data)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->cipher_data), ndr_get_array_length(ndr, &r->cipher_data)); ++ size_cipher_data_1 = ndr_get_array_size(ndr, &r->cipher_data); ++ length_cipher_data_1 = ndr_get_array_length(ndr, &r->cipher_data); ++ if (length_cipher_data_1 > size_cipher_data_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_cipher_data_1, length_cipher_data_1); + } +- NDR_PULL_ALLOC_N(ndr, r->cipher_data, ndr_get_array_size(ndr, &r->cipher_data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->cipher_data, ndr_get_array_length(ndr, &r->cipher_data))); ++ NDR_PULL_ALLOC_N(ndr, r->cipher_data, size_cipher_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->cipher_data, length_cipher_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_cipher_data_0, 0); + } + if (r->cipher_data) { +@@ -4214,21 +4282,37 @@ + uint32_t level; + uint16_t _level; + TALLOC_CTX *_mem_save_domain_0; ++ uint32_t _ptr_domain; + TALLOC_CTX *_mem_save_group_0; ++ uint32_t _ptr_group; + TALLOC_CTX *_mem_save_rename_group_0; ++ uint32_t _ptr_rename_group; + TALLOC_CTX *_mem_save_user_0; ++ uint32_t _ptr_user; + TALLOC_CTX *_mem_save_rename_user_0; ++ uint32_t _ptr_rename_user; + TALLOC_CTX *_mem_save_group_member_0; ++ uint32_t _ptr_group_member; + TALLOC_CTX *_mem_save_alias_0; ++ uint32_t _ptr_alias; + TALLOC_CTX *_mem_save_rename_alias_0; ++ uint32_t _ptr_rename_alias; + TALLOC_CTX *_mem_save_alias_member_0; ++ uint32_t _ptr_alias_member; + TALLOC_CTX *_mem_save_policy_0; ++ uint32_t _ptr_policy; + TALLOC_CTX *_mem_save_trusted_domain_0; ++ uint32_t _ptr_trusted_domain; + TALLOC_CTX *_mem_save_account_0; ++ uint32_t _ptr_account; + TALLOC_CTX *_mem_save_secret_0; ++ uint32_t _ptr_secret; + TALLOC_CTX *_mem_save_delete_group_0; ++ uint32_t _ptr_delete_group; + TALLOC_CTX *_mem_save_delete_user_0; ++ uint32_t _ptr_delete_user; + TALLOC_CTX *_mem_save_modified_count_0; ++ uint32_t _ptr_modified_count; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -4240,7 +4324,6 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + switch (level) { + case NETR_DELTA_DOMAIN: { +- uint32_t _ptr_domain; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); + if (_ptr_domain) { + NDR_PULL_ALLOC(ndr, r->domain); +@@ -4250,7 +4333,6 @@ + break; } + + case NETR_DELTA_GROUP: { +- uint32_t _ptr_group; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group)); + if (_ptr_group) { + NDR_PULL_ALLOC(ndr, r->group); +@@ -4263,7 +4345,6 @@ + break; } + + case NETR_DELTA_RENAME_GROUP: { +- uint32_t _ptr_rename_group; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_group)); + if (_ptr_rename_group) { + NDR_PULL_ALLOC(ndr, r->rename_group); +@@ -4273,7 +4354,6 @@ + break; } + + case NETR_DELTA_USER: { +- uint32_t _ptr_user; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); + if (_ptr_user) { + NDR_PULL_ALLOC(ndr, r->user); +@@ -4286,7 +4366,6 @@ + break; } + + case NETR_DELTA_RENAME_USER: { +- uint32_t _ptr_rename_user; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_user)); + if (_ptr_rename_user) { + NDR_PULL_ALLOC(ndr, r->rename_user); +@@ -4296,7 +4375,6 @@ + break; } + + case NETR_DELTA_GROUP_MEMBER: { +- uint32_t _ptr_group_member; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_member)); + if (_ptr_group_member) { + NDR_PULL_ALLOC(ndr, r->group_member); +@@ -4306,7 +4384,6 @@ + break; } + + case NETR_DELTA_ALIAS: { +- uint32_t _ptr_alias; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_alias)); + if (_ptr_alias) { + NDR_PULL_ALLOC(ndr, r->alias); +@@ -4319,7 +4396,6 @@ + break; } + + case NETR_DELTA_RENAME_ALIAS: { +- uint32_t _ptr_rename_alias; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_rename_alias)); + if (_ptr_rename_alias) { + NDR_PULL_ALLOC(ndr, r->rename_alias); +@@ -4329,7 +4405,6 @@ + break; } + + case NETR_DELTA_ALIAS_MEMBER: { +- uint32_t _ptr_alias_member; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_alias_member)); + if (_ptr_alias_member) { + NDR_PULL_ALLOC(ndr, r->alias_member); +@@ -4339,7 +4414,6 @@ + break; } + + case NETR_DELTA_POLICY: { +- uint32_t _ptr_policy; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_policy)); + if (_ptr_policy) { + NDR_PULL_ALLOC(ndr, r->policy); +@@ -4349,7 +4423,6 @@ + break; } + + case NETR_DELTA_TRUSTED_DOMAIN: { +- uint32_t _ptr_trusted_domain; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_trusted_domain)); + if (_ptr_trusted_domain) { + NDR_PULL_ALLOC(ndr, r->trusted_domain); +@@ -4362,7 +4435,6 @@ + break; } + + case NETR_DELTA_ACCOUNT: { +- uint32_t _ptr_account; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account)); + if (_ptr_account) { + NDR_PULL_ALLOC(ndr, r->account); +@@ -4375,7 +4447,6 @@ + break; } + + case NETR_DELTA_SECRET: { +- uint32_t _ptr_secret; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_secret)); + if (_ptr_secret) { + NDR_PULL_ALLOC(ndr, r->secret); +@@ -4388,7 +4459,6 @@ + break; } + + case NETR_DELTA_DELETE_GROUP2: { +- uint32_t _ptr_delete_group; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_delete_group)); + if (_ptr_delete_group) { + NDR_PULL_ALLOC(ndr, r->delete_group); +@@ -4398,7 +4468,6 @@ + break; } + + case NETR_DELTA_DELETE_USER2: { +- uint32_t _ptr_delete_user; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_delete_user)); + if (_ptr_delete_user) { + NDR_PULL_ALLOC(ndr, r->delete_user); +@@ -4408,7 +4477,6 @@ + break; } + + case NETR_DELTA_MODIFY_COUNT: { +- uint32_t _ptr_modified_count; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_modified_count)); + if (_ptr_modified_count) { + NDR_PULL_ALLOC(ndr, r->modified_count); +@@ -4978,7 +5046,11 @@ + uint32_t level; + uint16_t _level; + TALLOC_CTX *_mem_save_sid_0; ++ uint32_t _ptr_sid; + TALLOC_CTX *_mem_save_name_0; ++ uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -5038,7 +5110,6 @@ + break; } + + case NETR_DELTA_POLICY: { +- uint32_t _ptr_sid; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); + if (_ptr_sid) { + NDR_PULL_ALLOC(ndr, r->sid); +@@ -5048,7 +5119,6 @@ + break; } + + case NETR_DELTA_TRUSTED_DOMAIN: { +- uint32_t _ptr_sid; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); + if (_ptr_sid) { + NDR_PULL_ALLOC(ndr, r->sid); +@@ -5058,7 +5128,6 @@ + break; } + + case NETR_DELTA_DELETE_TRUST: { +- uint32_t _ptr_sid; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); + if (_ptr_sid) { + NDR_PULL_ALLOC(ndr, r->sid); +@@ -5068,7 +5137,6 @@ + break; } + + case NETR_DELTA_ACCOUNT: { +- uint32_t _ptr_sid; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); + if (_ptr_sid) { + NDR_PULL_ALLOC(ndr, r->sid); +@@ -5078,7 +5146,6 @@ + break; } + + case NETR_DELTA_DELETE_ACCOUNT: { +- uint32_t _ptr_sid; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); + if (_ptr_sid) { + NDR_PULL_ALLOC(ndr, r->sid); +@@ -5088,7 +5155,6 @@ + break; } + + case NETR_DELTA_SECRET: { +- uint32_t _ptr_name; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_name)); + if (_ptr_name) { + NDR_PULL_ALLOC(ndr, r->name); +@@ -5098,7 +5164,6 @@ + break; } + + case NETR_DELTA_DELETE_SECRET: { +- uint32_t _ptr_name; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_name)); + if (_ptr_name) { + NDR_PULL_ALLOC(ndr, r->name); +@@ -5212,11 +5277,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + break; +@@ -5227,11 +5294,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + break; +@@ -5462,6 +5531,7 @@ + static enum ndr_err_code ndr_pull_netr_DELTA_ENUM_ARRAY(struct ndr_pull *ndr, int ndr_flags, struct netr_DELTA_ENUM_ARRAY *r) + { + uint32_t _ptr_delta_enum; ++ uint32_t size_delta_enum_1 = 0; + uint32_t cntr_delta_enum_1; + TALLOC_CTX *_mem_save_delta_enum_0; + TALLOC_CTX *_mem_save_delta_enum_1; +@@ -5481,13 +5551,14 @@ + _mem_save_delta_enum_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->delta_enum, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->delta_enum)); +- NDR_PULL_ALLOC_N(ndr, r->delta_enum, ndr_get_array_size(ndr, &r->delta_enum)); ++ size_delta_enum_1 = ndr_get_array_size(ndr, &r->delta_enum); ++ NDR_PULL_ALLOC_N(ndr, r->delta_enum, size_delta_enum_1); + _mem_save_delta_enum_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->delta_enum, 0); +- for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < r->num_deltas; cntr_delta_enum_1++) { ++ for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < size_delta_enum_1; cntr_delta_enum_1++) { + NDR_CHECK(ndr_pull_netr_DELTA_ENUM(ndr, NDR_SCALARS, &r->delta_enum[cntr_delta_enum_1])); + } +- for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < r->num_deltas; cntr_delta_enum_1++) { ++ for (cntr_delta_enum_1 = 0; cntr_delta_enum_1 < size_delta_enum_1; cntr_delta_enum_1++) { + NDR_CHECK(ndr_pull_netr_DELTA_ENUM(ndr, NDR_BUFFERS, &r->delta_enum[cntr_delta_enum_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_delta_enum_1, 0); +@@ -5542,12 +5613,14 @@ + + static enum ndr_err_code ndr_pull_netr_UAS_INFO_0(struct ndr_pull *ndr, int ndr_flags, struct netr_UAS_INFO_0 *r) + { ++ uint32_t size_computer_name_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->computer_name, 16)); ++ size_computer_name_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->computer_name, size_computer_name_0)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->timecreated)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->serial_number)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); +@@ -5707,6 +5780,8 @@ + static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_2(struct ndr_pull *ndr, int ndr_flags, struct netr_NETLOGON_INFO_2 *r) + { + uint32_t _ptr_trusted_dc_name; ++ uint32_t size_trusted_dc_name_1 = 0; ++ uint32_t length_trusted_dc_name_1 = 0; + TALLOC_CTX *_mem_save_trusted_dc_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -5727,11 +5802,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->trusted_dc_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_dc_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_dc_name)); +- if (ndr_get_array_length(ndr, &r->trusted_dc_name) > ndr_get_array_size(ndr, &r->trusted_dc_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_dc_name), ndr_get_array_length(ndr, &r->trusted_dc_name)); ++ size_trusted_dc_name_1 = ndr_get_array_size(ndr, &r->trusted_dc_name); ++ length_trusted_dc_name_1 = ndr_get_array_length(ndr, &r->trusted_dc_name); ++ if (length_trusted_dc_name_1 > size_trusted_dc_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_dc_name_1, length_trusted_dc_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_dc_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, length_trusted_dc_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_dc_name_0, 0); + } + } +@@ -5834,8 +5911,12 @@ + static enum ndr_err_code ndr_pull_netr_NETLOGON_INFO_4(struct ndr_pull *ndr, int ndr_flags, struct netr_NETLOGON_INFO_4 *r) + { + uint32_t _ptr_trusted_dc_name; ++ uint32_t size_trusted_dc_name_1 = 0; ++ uint32_t length_trusted_dc_name_1 = 0; + TALLOC_CTX *_mem_save_trusted_dc_name_0; + uint32_t _ptr_trusted_domain_name; ++ uint32_t size_trusted_domain_name_1 = 0; ++ uint32_t length_trusted_domain_name_1 = 0; + TALLOC_CTX *_mem_save_trusted_domain_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -5859,11 +5940,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->trusted_dc_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_dc_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_dc_name)); +- if (ndr_get_array_length(ndr, &r->trusted_dc_name) > ndr_get_array_size(ndr, &r->trusted_dc_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_dc_name), ndr_get_array_length(ndr, &r->trusted_dc_name)); ++ size_trusted_dc_name_1 = ndr_get_array_size(ndr, &r->trusted_dc_name); ++ length_trusted_dc_name_1 = ndr_get_array_length(ndr, &r->trusted_dc_name); ++ if (length_trusted_dc_name_1 > size_trusted_dc_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_dc_name_1, length_trusted_dc_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, ndr_get_array_length(ndr, &r->trusted_dc_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_dc_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_dc_name, length_trusted_dc_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_dc_name_0, 0); + } + if (r->trusted_domain_name) { +@@ -5871,11 +5954,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->trusted_domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->trusted_domain_name)); +- if (ndr_get_array_length(ndr, &r->trusted_domain_name) > ndr_get_array_size(ndr, &r->trusted_domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->trusted_domain_name), ndr_get_array_length(ndr, &r->trusted_domain_name)); ++ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->trusted_domain_name); ++ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->trusted_domain_name); ++ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->trusted_domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_domain_name, ndr_get_array_length(ndr, &r->trusted_domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_domain_name_0, 0); + } + } +@@ -5972,9 +6057,13 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + TALLOC_CTX *_mem_save_info3_0; ++ uint32_t _ptr_info3; + TALLOC_CTX *_mem_save_info4_0; ++ uint32_t _ptr_info4; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -5986,7 +6075,6 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -5996,7 +6084,6 @@ + break; } + + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -6006,7 +6093,6 @@ + break; } + + case 3: { +- uint32_t _ptr_info3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); + if (_ptr_info3) { + NDR_PULL_ALLOC(ndr, r->info3); +@@ -6016,7 +6102,6 @@ + break; } + + case 4: { +- uint32_t _ptr_info4; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); + if (_ptr_info4) { + NDR_PULL_ALLOC(ndr, r->info4); +@@ -6278,7 +6363,13 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_domain_0; ++ uint32_t _ptr_domain; ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; + TALLOC_CTX *_mem_save_user_0; ++ uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -6290,7 +6381,6 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + switch (level) { + case NETLOGON_CONTROL_REDISCOVER: { +- uint32_t _ptr_domain; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); + if (_ptr_domain) { + NDR_PULL_ALLOC(ndr, r->domain); +@@ -6300,7 +6390,6 @@ + break; } + + case NETLOGON_CONTROL_TC_QUERY: { +- uint32_t _ptr_domain; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); + if (_ptr_domain) { + NDR_PULL_ALLOC(ndr, r->domain); +@@ -6310,7 +6399,6 @@ + break; } + + case NETLOGON_CONTROL_TRANSPORT_NOTIFY: { +- uint32_t _ptr_domain; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); + if (_ptr_domain) { + NDR_PULL_ALLOC(ndr, r->domain); +@@ -6320,7 +6408,6 @@ + break; } + + case NETLOGON_CONTROL_CHANGE_PASSWORD: { +- uint32_t _ptr_domain; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); + if (_ptr_domain) { + NDR_PULL_ALLOC(ndr, r->domain); +@@ -6330,7 +6417,6 @@ + break; } + + case NETLOGON_CONTROL_TC_VERIFY: { +- uint32_t _ptr_domain; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); + if (_ptr_domain) { + NDR_PULL_ALLOC(ndr, r->domain); +@@ -6340,7 +6426,6 @@ + break; } + + case NETLOGON_CONTROL_FIND_USER: { +- uint32_t _ptr_user; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); + if (_ptr_user) { + NDR_PULL_ALLOC(ndr, r->user); +@@ -6366,11 +6451,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + break; +@@ -6381,11 +6468,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + break; +@@ -6396,11 +6485,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + break; +@@ -6411,11 +6502,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + break; +@@ -6426,11 +6519,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + break; +@@ -6441,11 +6536,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + break; +@@ -6821,6 +6918,7 @@ + static enum ndr_err_code ndr_pull_netr_Blob(struct ndr_pull *ndr, int ndr_flags, struct netr_Blob *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -6838,8 +6936,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -7025,16 +7124,28 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_netr_DsRGetDCNameInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRGetDCNameInfo *r) + { + uint32_t _ptr_dc_unc; ++ uint32_t size_dc_unc_1 = 0; ++ uint32_t length_dc_unc_1 = 0; + TALLOC_CTX *_mem_save_dc_unc_0; + uint32_t _ptr_dc_address; ++ uint32_t size_dc_address_1 = 0; ++ uint32_t length_dc_address_1 = 0; + TALLOC_CTX *_mem_save_dc_address_0; + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + TALLOC_CTX *_mem_save_domain_name_0; + uint32_t _ptr_forest_name; ++ uint32_t size_forest_name_1 = 0; ++ uint32_t length_forest_name_1 = 0; + TALLOC_CTX *_mem_save_forest_name_0; + uint32_t _ptr_dc_site_name; ++ uint32_t size_dc_site_name_1 = 0; ++ uint32_t length_dc_site_name_1 = 0; + TALLOC_CTX *_mem_save_dc_site_name_0; + uint32_t _ptr_client_site_name; ++ uint32_t size_client_site_name_1 = 0; ++ uint32_t length_client_site_name_1 = 0; + TALLOC_CTX *_mem_save_client_site_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7085,11 +7196,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dc_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_unc)); +- if (ndr_get_array_length(ndr, &r->dc_unc) > ndr_get_array_size(ndr, &r->dc_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_unc), ndr_get_array_length(ndr, &r->dc_unc)); ++ size_dc_unc_1 = ndr_get_array_size(ndr, &r->dc_unc); ++ length_dc_unc_1 = ndr_get_array_length(ndr, &r->dc_unc); ++ if (length_dc_unc_1 > size_dc_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_unc_1, length_dc_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_unc, ndr_get_array_length(ndr, &r->dc_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_unc, length_dc_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_unc_0, 0); + } + if (r->dc_address) { +@@ -7097,11 +7210,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dc_address, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_address)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_address)); +- if (ndr_get_array_length(ndr, &r->dc_address) > ndr_get_array_size(ndr, &r->dc_address)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_address), ndr_get_array_length(ndr, &r->dc_address)); ++ size_dc_address_1 = ndr_get_array_size(ndr, &r->dc_address); ++ length_dc_address_1 = ndr_get_array_length(ndr, &r->dc_address); ++ if (length_dc_address_1 > size_dc_address_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_address_1, length_dc_address_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_address), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_address, ndr_get_array_length(ndr, &r->dc_address), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_address_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_address, length_dc_address_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_address_0, 0); + } + if (r->domain_name) { +@@ -7109,11 +7224,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); +- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + if (r->forest_name) { +@@ -7121,11 +7238,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->forest_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->forest_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->forest_name)); +- if (ndr_get_array_length(ndr, &r->forest_name) > ndr_get_array_size(ndr, &r->forest_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->forest_name), ndr_get_array_length(ndr, &r->forest_name)); ++ size_forest_name_1 = ndr_get_array_size(ndr, &r->forest_name); ++ length_forest_name_1 = ndr_get_array_length(ndr, &r->forest_name); ++ if (length_forest_name_1 > size_forest_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_forest_name_1, length_forest_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->forest_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest_name, ndr_get_array_length(ndr, &r->forest_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_forest_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->forest_name, length_forest_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_forest_name_0, 0); + } + if (r->dc_site_name) { +@@ -7133,11 +7252,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dc_site_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dc_site_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dc_site_name)); +- if (ndr_get_array_length(ndr, &r->dc_site_name) > ndr_get_array_size(ndr, &r->dc_site_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dc_site_name), ndr_get_array_length(ndr, &r->dc_site_name)); ++ size_dc_site_name_1 = ndr_get_array_size(ndr, &r->dc_site_name); ++ length_dc_site_name_1 = ndr_get_array_length(ndr, &r->dc_site_name); ++ if (length_dc_site_name_1 > size_dc_site_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dc_site_name_1, length_dc_site_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dc_site_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_site_name, ndr_get_array_length(ndr, &r->dc_site_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dc_site_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dc_site_name, length_dc_site_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dc_site_name_0, 0); + } + if (r->client_site_name) { +@@ -7145,11 +7266,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client_site_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client_site_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client_site_name)); +- if (ndr_get_array_length(ndr, &r->client_site_name) > ndr_get_array_size(ndr, &r->client_site_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_site_name), ndr_get_array_length(ndr, &r->client_site_name)); ++ size_client_site_name_1 = ndr_get_array_size(ndr, &r->client_site_name); ++ length_client_site_name_1 = ndr_get_array_length(ndr, &r->client_site_name); ++ if (length_client_site_name_1 > size_client_site_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_site_name_1, length_client_site_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_site_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_site_name, ndr_get_array_length(ndr, &r->client_site_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_site_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_site_name, length_client_site_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_site_name_0, 0); + } + } +@@ -7412,6 +7535,7 @@ + static enum ndr_err_code ndr_pull_netr_LsaPolicyInformation(struct ndr_pull *ndr, int ndr_flags, struct netr_LsaPolicyInformation *r) + { + uint32_t _ptr_policy; ++ uint32_t size_policy_1 = 0; + TALLOC_CTX *_mem_save_policy_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7429,8 +7553,9 @@ + _mem_save_policy_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->policy, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->policy)); +- NDR_PULL_ALLOC_N(ndr, r->policy, ndr_get_array_size(ndr, &r->policy)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->policy, ndr_get_array_size(ndr, &r->policy))); ++ size_policy_1 = ndr_get_array_size(ndr, &r->policy); ++ NDR_PULL_ALLOC_N(ndr, r->policy, size_policy_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->policy, size_policy_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_policy_0, 0); + } + if (r->policy) { +@@ -7710,16 +7835,28 @@ + static enum ndr_err_code ndr_pull_netr_WorkstationInformation(struct ndr_pull *ndr, int ndr_flags, struct netr_WorkstationInformation *r) + { + uint32_t _ptr_dns_hostname; ++ uint32_t size_dns_hostname_1 = 0; ++ uint32_t length_dns_hostname_1 = 0; + TALLOC_CTX *_mem_save_dns_hostname_0; + uint32_t _ptr_sitename; ++ uint32_t size_sitename_1 = 0; ++ uint32_t length_sitename_1 = 0; + TALLOC_CTX *_mem_save_sitename_0; + uint32_t _ptr_dummy1; ++ uint32_t size_dummy1_1 = 0; ++ uint32_t length_dummy1_1 = 0; + TALLOC_CTX *_mem_save_dummy1_0; + uint32_t _ptr_dummy2; ++ uint32_t size_dummy2_1 = 0; ++ uint32_t length_dummy2_1 = 0; + TALLOC_CTX *_mem_save_dummy2_0; + uint32_t _ptr_dummy3; ++ uint32_t size_dummy3_1 = 0; ++ uint32_t length_dummy3_1 = 0; + TALLOC_CTX *_mem_save_dummy3_0; + uint32_t _ptr_dummy4; ++ uint32_t size_dummy4_1 = 0; ++ uint32_t length_dummy4_1 = 0; + TALLOC_CTX *_mem_save_dummy4_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7777,11 +7914,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dns_hostname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_hostname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_hostname)); +- if (ndr_get_array_length(ndr, &r->dns_hostname) > ndr_get_array_size(ndr, &r->dns_hostname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_hostname), ndr_get_array_length(ndr, &r->dns_hostname)); ++ size_dns_hostname_1 = ndr_get_array_size(ndr, &r->dns_hostname); ++ length_dns_hostname_1 = ndr_get_array_length(ndr, &r->dns_hostname); ++ if (length_dns_hostname_1 > size_dns_hostname_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_hostname_1, length_dns_hostname_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_hostname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_hostname, ndr_get_array_length(ndr, &r->dns_hostname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_hostname_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_hostname, length_dns_hostname_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_hostname_0, 0); + } + if (r->sitename) { +@@ -7789,11 +7928,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->sitename)); +- if (ndr_get_array_length(ndr, &r->sitename) > ndr_get_array_size(ndr, &r->sitename)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->sitename), ndr_get_array_length(ndr, &r->sitename)); ++ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); ++ length_sitename_1 = ndr_get_array_length(ndr, &r->sitename); ++ if (length_sitename_1 > size_sitename_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sitename_1, length_sitename_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->sitename), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sitename, ndr_get_array_length(ndr, &r->sitename), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_sitename_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sitename, length_sitename_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_0, 0); + } + if (r->dummy1) { +@@ -7801,11 +7942,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dummy1, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dummy1)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dummy1)); +- if (ndr_get_array_length(ndr, &r->dummy1) > ndr_get_array_size(ndr, &r->dummy1)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dummy1), ndr_get_array_length(ndr, &r->dummy1)); ++ size_dummy1_1 = ndr_get_array_size(ndr, &r->dummy1); ++ length_dummy1_1 = ndr_get_array_length(ndr, &r->dummy1); ++ if (length_dummy1_1 > size_dummy1_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dummy1_1, length_dummy1_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dummy1), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy1, ndr_get_array_length(ndr, &r->dummy1), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dummy1_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy1, length_dummy1_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dummy1_0, 0); + } + if (r->dummy2) { +@@ -7813,11 +7956,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dummy2, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dummy2)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dummy2)); +- if (ndr_get_array_length(ndr, &r->dummy2) > ndr_get_array_size(ndr, &r->dummy2)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dummy2), ndr_get_array_length(ndr, &r->dummy2)); ++ size_dummy2_1 = ndr_get_array_size(ndr, &r->dummy2); ++ length_dummy2_1 = ndr_get_array_length(ndr, &r->dummy2); ++ if (length_dummy2_1 > size_dummy2_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dummy2_1, length_dummy2_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dummy2), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy2, ndr_get_array_length(ndr, &r->dummy2), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dummy2_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy2, length_dummy2_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dummy2_0, 0); + } + if (r->dummy3) { +@@ -7825,11 +7970,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dummy3, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dummy3)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dummy3)); +- if (ndr_get_array_length(ndr, &r->dummy3) > ndr_get_array_size(ndr, &r->dummy3)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dummy3), ndr_get_array_length(ndr, &r->dummy3)); ++ size_dummy3_1 = ndr_get_array_size(ndr, &r->dummy3); ++ length_dummy3_1 = ndr_get_array_length(ndr, &r->dummy3); ++ if (length_dummy3_1 > size_dummy3_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dummy3_1, length_dummy3_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dummy3), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy3, ndr_get_array_length(ndr, &r->dummy3), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dummy3_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy3, length_dummy3_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dummy3_0, 0); + } + if (r->dummy4) { +@@ -7837,11 +7984,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dummy4, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dummy4)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dummy4)); +- if (ndr_get_array_length(ndr, &r->dummy4) > ndr_get_array_size(ndr, &r->dummy4)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dummy4), ndr_get_array_length(ndr, &r->dummy4)); ++ size_dummy4_1 = ndr_get_array_size(ndr, &r->dummy4); ++ length_dummy4_1 = ndr_get_array_length(ndr, &r->dummy4); ++ if (length_dummy4_1 > size_dummy4_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dummy4_1, length_dummy4_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dummy4), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy4, ndr_get_array_length(ndr, &r->dummy4), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dummy4_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dummy4, length_dummy4_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dummy4_0, 0); + } + NDR_CHECK(ndr_pull_netr_OsVersionContainer(ndr, NDR_BUFFERS, &r->os_version)); +@@ -7953,7 +8102,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_workstation_info_0; ++ uint32_t _ptr_workstation_info; + TALLOC_CTX *_mem_save_lsa_policy_info_0; ++ uint32_t _ptr_lsa_policy_info; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -7965,7 +8116,6 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_workstation_info; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_workstation_info)); + if (_ptr_workstation_info) { + NDR_PULL_ALLOC(ndr, r->workstation_info); +@@ -7975,7 +8125,6 @@ + break; } + + case 2: { +- uint32_t _ptr_lsa_policy_info; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_lsa_policy_info)); + if (_ptr_lsa_policy_info) { + NDR_PULL_ALLOC(ndr, r->lsa_policy_info); +@@ -8327,6 +8476,7 @@ + static enum ndr_err_code ndr_pull_netr_DomainInformation(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainInformation *r) + { + uint32_t _ptr_trusted_domains; ++ uint32_t size_trusted_domains_1 = 0; + uint32_t cntr_trusted_domains_1; + TALLOC_CTX *_mem_save_trusted_domains_0; + TALLOC_CTX *_mem_save_trusted_domains_1; +@@ -8357,13 +8507,14 @@ + _mem_save_trusted_domains_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->trusted_domains, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->trusted_domains)); +- NDR_PULL_ALLOC_N(ndr, r->trusted_domains, ndr_get_array_size(ndr, &r->trusted_domains)); ++ size_trusted_domains_1 = ndr_get_array_size(ndr, &r->trusted_domains); ++ NDR_PULL_ALLOC_N(ndr, r->trusted_domains, size_trusted_domains_1); + _mem_save_trusted_domains_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->trusted_domains, 0); +- for (cntr_trusted_domains_1 = 0; cntr_trusted_domains_1 < r->trusted_domain_count; cntr_trusted_domains_1++) { ++ for (cntr_trusted_domains_1 = 0; cntr_trusted_domains_1 < size_trusted_domains_1; cntr_trusted_domains_1++) { + NDR_CHECK(ndr_pull_netr_OneDomainInfo(ndr, NDR_SCALARS, &r->trusted_domains[cntr_trusted_domains_1])); + } +- for (cntr_trusted_domains_1 = 0; cntr_trusted_domains_1 < r->trusted_domain_count; cntr_trusted_domains_1++) { ++ for (cntr_trusted_domains_1 = 0; cntr_trusted_domains_1 < size_trusted_domains_1; cntr_trusted_domains_1++) { + NDR_CHECK(ndr_pull_netr_OneDomainInfo(ndr, NDR_BUFFERS, &r->trusted_domains[cntr_trusted_domains_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_domains_1, 0); +@@ -8460,7 +8611,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_domain_info_0; ++ uint32_t _ptr_domain_info; + TALLOC_CTX *_mem_save_lsa_policy_info_0; ++ uint32_t _ptr_lsa_policy_info; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -8472,7 +8625,6 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_domain_info; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_info)); + if (_ptr_domain_info) { + NDR_PULL_ALLOC(ndr, r->domain_info); +@@ -8482,7 +8634,6 @@ + break; } + + case 2: { +- uint32_t _ptr_lsa_policy_info; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_lsa_policy_info)); + if (_ptr_lsa_policy_info) { + NDR_PULL_ALLOC(ndr, r->lsa_policy_info); +@@ -8571,12 +8722,14 @@ + + static enum ndr_err_code ndr_pull_netr_CryptPassword(struct ndr_pull *ndr, int ndr_flags, struct netr_CryptPassword *r) + { ++ uint32_t size_data_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 512)); ++ size_data_0 = 512; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->length)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } +@@ -8628,6 +8781,7 @@ + static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesWCtr(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddressToSitenamesWCtr *r) + { + uint32_t _ptr_sitename; ++ uint32_t size_sitename_1 = 0; + uint32_t cntr_sitename_1; + TALLOC_CTX *_mem_save_sitename_0; + TALLOC_CTX *_mem_save_sitename_1; +@@ -8647,13 +8801,14 @@ + _mem_save_sitename_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); +- NDR_PULL_ALLOC_N(ndr, r->sitename, ndr_get_array_size(ndr, &r->sitename)); ++ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); ++ NDR_PULL_ALLOC_N(ndr, r->sitename, size_sitename_1); + _mem_save_sitename_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); +- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { ++ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sitename[cntr_sitename_1])); + } +- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { ++ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sitename[cntr_sitename_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_1, 0); +@@ -8707,6 +8862,7 @@ + static enum ndr_err_code ndr_pull_netr_DsRAddress(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddress *r) + { + uint32_t _ptr_buffer; ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_buffer_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -8724,8 +8880,9 @@ + _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->buffer)); +- NDR_PULL_ALLOC_N(ndr, r->buffer, ndr_get_array_size(ndr, &r->buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, ndr_get_array_size(ndr, &r->buffer))); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->buffer); ++ NDR_PULL_ALLOC_N(ndr, r->buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, size_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + if (r->buffer) { +@@ -8842,8 +8999,12 @@ + static enum ndr_err_code ndr_pull_netr_DomainTrust(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainTrust *r) + { + uint32_t _ptr_netbios_name; ++ uint32_t size_netbios_name_1 = 0; ++ uint32_t length_netbios_name_1 = 0; + TALLOC_CTX *_mem_save_netbios_name_0; + uint32_t _ptr_dns_name; ++ uint32_t size_dns_name_1 = 0; ++ uint32_t length_dns_name_1 = 0; + TALLOC_CTX *_mem_save_dns_name_0; + uint32_t _ptr_sid; + TALLOC_CTX *_mem_save_sid_0; +@@ -8880,11 +9041,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->netbios_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->netbios_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->netbios_name)); +- if (ndr_get_array_length(ndr, &r->netbios_name) > ndr_get_array_size(ndr, &r->netbios_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->netbios_name), ndr_get_array_length(ndr, &r->netbios_name)); ++ size_netbios_name_1 = ndr_get_array_size(ndr, &r->netbios_name); ++ length_netbios_name_1 = ndr_get_array_length(ndr, &r->netbios_name); ++ if (length_netbios_name_1 > size_netbios_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_netbios_name_1, length_netbios_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, ndr_get_array_length(ndr, &r->netbios_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_netbios_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->netbios_name, length_netbios_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_netbios_name_0, 0); + } + if (r->dns_name) { +@@ -8892,11 +9055,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dns_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_name)); +- if (ndr_get_array_length(ndr, &r->dns_name) > ndr_get_array_size(ndr, &r->dns_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_name), ndr_get_array_length(ndr, &r->dns_name)); ++ size_dns_name_1 = ndr_get_array_size(ndr, &r->dns_name); ++ length_dns_name_1 = ndr_get_array_length(ndr, &r->dns_name); ++ if (length_dns_name_1 > size_dns_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_name_1, length_dns_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, ndr_get_array_length(ndr, &r->dns_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_name, length_dns_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_name_0, 0); + } + if (r->sid) { +@@ -8966,6 +9131,7 @@ + static enum ndr_err_code ndr_pull_netr_DomainTrustList(struct ndr_pull *ndr, int ndr_flags, struct netr_DomainTrustList *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -8985,13 +9151,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_netr_DomainTrust(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_netr_DomainTrust(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -9062,10 +9229,12 @@ + static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExWCtr(struct ndr_pull *ndr, int ndr_flags, struct netr_DsRAddressToSitenamesExWCtr *r) + { + uint32_t _ptr_sitename; ++ uint32_t size_sitename_1 = 0; + uint32_t cntr_sitename_1; + TALLOC_CTX *_mem_save_sitename_0; + TALLOC_CTX *_mem_save_sitename_1; + uint32_t _ptr_subnetname; ++ uint32_t size_subnetname_1 = 0; + uint32_t cntr_subnetname_1; + TALLOC_CTX *_mem_save_subnetname_0; + TALLOC_CTX *_mem_save_subnetname_1; +@@ -9091,13 +9260,14 @@ + _mem_save_sitename_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sitename)); +- NDR_PULL_ALLOC_N(ndr, r->sitename, ndr_get_array_size(ndr, &r->sitename)); ++ size_sitename_1 = ndr_get_array_size(ndr, &r->sitename); ++ NDR_PULL_ALLOC_N(ndr, r->sitename, size_sitename_1); + _mem_save_sitename_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sitename, 0); +- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { ++ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sitename[cntr_sitename_1])); + } +- for (cntr_sitename_1 = 0; cntr_sitename_1 < r->count; cntr_sitename_1++) { ++ for (cntr_sitename_1 = 0; cntr_sitename_1 < size_sitename_1; cntr_sitename_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sitename[cntr_sitename_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sitename_1, 0); +@@ -9107,13 +9277,14 @@ + _mem_save_subnetname_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->subnetname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->subnetname)); +- NDR_PULL_ALLOC_N(ndr, r->subnetname, ndr_get_array_size(ndr, &r->subnetname)); ++ size_subnetname_1 = ndr_get_array_size(ndr, &r->subnetname); ++ NDR_PULL_ALLOC_N(ndr, r->subnetname, size_subnetname_1); + _mem_save_subnetname_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->subnetname, 0); +- for (cntr_subnetname_1 = 0; cntr_subnetname_1 < r->count; cntr_subnetname_1++) { ++ for (cntr_subnetname_1 = 0; cntr_subnetname_1 < size_subnetname_1; cntr_subnetname_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->subnetname[cntr_subnetname_1])); + } +- for (cntr_subnetname_1 = 0; cntr_subnetname_1 < r->count; cntr_subnetname_1++) { ++ for (cntr_subnetname_1 = 0; cntr_subnetname_1 < size_subnetname_1; cntr_subnetname_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->subnetname[cntr_subnetname_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_subnetname_1, 0); +@@ -9188,6 +9359,7 @@ + static enum ndr_err_code ndr_pull_DcSitesCtr(struct ndr_pull *ndr, int ndr_flags, struct DcSitesCtr *r) + { + uint32_t _ptr_sites; ++ uint32_t size_sites_1 = 0; + uint32_t cntr_sites_1; + TALLOC_CTX *_mem_save_sites_0; + TALLOC_CTX *_mem_save_sites_1; +@@ -9207,13 +9379,14 @@ + _mem_save_sites_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sites, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sites)); +- NDR_PULL_ALLOC_N(ndr, r->sites, ndr_get_array_size(ndr, &r->sites)); ++ size_sites_1 = ndr_get_array_size(ndr, &r->sites); ++ NDR_PULL_ALLOC_N(ndr, r->sites, size_sites_1); + _mem_save_sites_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sites, 0); +- for (cntr_sites_1 = 0; cntr_sites_1 < r->num_sites; cntr_sites_1++) { ++ for (cntr_sites_1 = 0; cntr_sites_1 < size_sites_1; cntr_sites_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->sites[cntr_sites_1])); + } +- for (cntr_sites_1 = 0; cntr_sites_1 < r->num_sites; cntr_sites_1++) { ++ for (cntr_sites_1 = 0; cntr_sites_1 < size_sites_1; cntr_sites_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->sites[cntr_sites_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sites_1, 0); +@@ -9282,10 +9455,12 @@ + static enum ndr_err_code ndr_pull_netr_TrustInfo(struct ndr_pull *ndr, int ndr_flags, struct netr_TrustInfo *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + uint32_t cntr_data_1; + TALLOC_CTX *_mem_save_data_0; + TALLOC_CTX *_mem_save_data_1; + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -9312,10 +9487,11 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); + _mem_save_data_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); +- for (cntr_data_1 = 0; cntr_data_1 < r->count; cntr_data_1++) { ++ for (cntr_data_1 = 0; cntr_data_1 < size_data_1; cntr_data_1++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->data[cntr_data_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_1, 0); +@@ -9325,13 +9501,14 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); +@@ -9469,6 +9646,8 @@ + static enum ndr_err_code ndr_pull_NL_DNS_NAME_INFO(struct ndr_pull *ndr, int ndr_flags, struct NL_DNS_NAME_INFO *r) + { + uint32_t _ptr_dns_domain_info; ++ uint32_t size_dns_domain_info_1 = 0; ++ uint32_t length_dns_domain_info_1 = 0; + TALLOC_CTX *_mem_save_dns_domain_info_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -9493,11 +9672,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dns_domain_info, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dns_domain_info)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dns_domain_info)); +- if (ndr_get_array_length(ndr, &r->dns_domain_info) > ndr_get_array_size(ndr, &r->dns_domain_info)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dns_domain_info), ndr_get_array_length(ndr, &r->dns_domain_info)); ++ size_dns_domain_info_1 = ndr_get_array_size(ndr, &r->dns_domain_info); ++ length_dns_domain_info_1 = ndr_get_array_length(ndr, &r->dns_domain_info); ++ if (length_dns_domain_info_1 > size_dns_domain_info_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_domain_info_1, length_dns_domain_info_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dns_domain_info), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain_info, ndr_get_array_length(ndr, &r->dns_domain_info), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_domain_info_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dns_domain_info, length_dns_domain_info_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dns_domain_info_0, 0); + } + } +@@ -9551,6 +9732,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_NL_DNS_NAME_INFO_ARRAY(struct ndr_pull *ndr, int ndr_flags, struct NL_DNS_NAME_INFO_ARRAY *r) + { + uint32_t _ptr_names; ++ uint32_t size_names_1 = 0; + uint32_t cntr_names_1; + TALLOC_CTX *_mem_save_names_0; + TALLOC_CTX *_mem_save_names_1; +@@ -9570,13 +9752,14 @@ + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->names)); +- NDR_PULL_ALLOC_N(ndr, r->names, ndr_get_array_size(ndr, &r->names)); ++ size_names_1 = ndr_get_array_size(ndr, &r->names); ++ NDR_PULL_ALLOC_N(ndr, r->names, size_names_1); + _mem_save_names_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->names, 0); +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_NL_DNS_NAME_INFO(ndr, NDR_SCALARS, &r->names[cntr_names_1])); + } +- for (cntr_names_1 = 0; cntr_names_1 < r->count; cntr_names_1++) { ++ for (cntr_names_1 = 0; cntr_names_1 < size_names_1; cntr_names_1++) { + NDR_CHECK(ndr_pull_NL_DNS_NAME_INFO(ndr, NDR_BUFFERS, &r->names[cntr_names_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_1, 0); +@@ -9651,6 +9834,12 @@ + static enum ndr_err_code ndr_pull_netr_LogonUasLogon(struct ndr_pull *ndr, int flags, struct netr_LogonUasLogon *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_workstation_1 = 0; ++ uint32_t length_workstation_1 = 0; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_info_0; +@@ -9669,27 +9858,33 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.workstation)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.workstation)); +- if (ndr_get_array_length(ndr, &r->in.workstation) > ndr_get_array_size(ndr, &r->in.workstation)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.workstation), ndr_get_array_length(ndr, &r->in.workstation)); ++ size_workstation_1 = ndr_get_array_size(ndr, &r->in.workstation); ++ length_workstation_1 = ndr_get_array_length(ndr, &r->in.workstation); ++ if (length_workstation_1 > size_workstation_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_1, length_workstation_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, length_workstation_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_ALLOC(ndr, r->out.info); + ZERO_STRUCTP(r->out.info); + } +@@ -9800,6 +9995,12 @@ + static enum ndr_err_code ndr_pull_netr_LogonUasLogoff(struct ndr_pull *ndr, int flags, struct netr_LogonUasLogoff *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_workstation_1 = 0; ++ uint32_t length_workstation_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -9816,27 +10017,33 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.workstation)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.workstation)); +- if (ndr_get_array_length(ndr, &r->in.workstation) > ndr_get_array_size(ndr, &r->in.workstation)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.workstation), ndr_get_array_length(ndr, &r->in.workstation)); ++ size_workstation_1 = ndr_get_array_size(ndr, &r->in.workstation); ++ length_workstation_1 = ndr_get_array_length(ndr, &r->in.workstation); ++ if (length_workstation_1 > size_workstation_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_workstation_1, length_workstation_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, ndr_get_array_length(ndr, &r->in.workstation), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_workstation_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.workstation, length_workstation_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_ALLOC(ndr, r->out.info); + ZERO_STRUCTP(r->out.info); + } +@@ -9948,7 +10155,11 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_netr_LogonSamLogon(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogon *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_computer_name; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + uint32_t _ptr_credential; + uint32_t _ptr_return_authenticator; + TALLOC_CTX *_mem_save_server_name_0; +@@ -9972,11 +10183,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); +@@ -9990,11 +10203,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); +@@ -10179,7 +10394,11 @@ + static enum ndr_err_code ndr_pull_netr_LogonSamLogoff(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogoff *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_computer_name; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + uint32_t _ptr_credential; + uint32_t _ptr_return_authenticator; + TALLOC_CTX *_mem_save_server_name_0; +@@ -10200,11 +10419,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); +@@ -10218,11 +10439,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); +@@ -10361,6 +10584,10 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerReqChallenge(struct ndr_pull *ndr, int flags, struct netr_ServerReqChallenge *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credentials_0; + TALLOC_CTX *_mem_save_return_credentials_0; +@@ -10378,20 +10605,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credentials); + } +@@ -10498,6 +10729,12 @@ + static enum ndr_err_code ndr_pull_netr_ServerAuthenticate(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credentials_0; + TALLOC_CTX *_mem_save_return_credentials_0; +@@ -10515,28 +10752,34 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credentials); + } +@@ -10652,6 +10895,12 @@ + static enum ndr_err_code ndr_pull_netr_ServerPasswordSet(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordSet *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -10670,28 +10919,34 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -10826,6 +11081,10 @@ + + static enum ndr_err_code ndr_pull_netr_DatabaseDeltas(struct ndr_pull *ndr, int flags, struct netr_DatabaseDeltas *r) + { ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; ++ uint32_t size_computername_1 = 0; ++ uint32_t length_computername_1 = 0; + uint32_t _ptr_delta_enum_array; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -10837,18 +11096,22 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); +- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); ++ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); ++ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); ++ if (length_computername_1 > size_computername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -11033,6 +11296,10 @@ + + static enum ndr_err_code ndr_pull_netr_DatabaseSync(struct ndr_pull *ndr, int flags, struct netr_DatabaseSync *r) + { ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; ++ uint32_t size_computername_1 = 0; ++ uint32_t length_computername_1 = 0; + uint32_t _ptr_delta_enum_array; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -11044,18 +11311,22 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); +- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); ++ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); ++ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); ++ if (length_computername_1 > size_computername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -11246,6 +11517,10 @@ + static enum ndr_err_code ndr_pull_netr_AccountDeltas(struct ndr_pull *ndr, int flags, struct netr_AccountDeltas *r) + { + uint32_t _ptr_logon_server; ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; ++ uint32_t size_computername_1 = 0; ++ uint32_t length_computername_1 = 0; + TALLOC_CTX *_mem_save_logon_server_0; + TALLOC_CTX *_mem_save_return_authenticator_0; + TALLOC_CTX *_mem_save_buffer_0; +@@ -11266,20 +11541,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); +- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); ++ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); ++ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); ++ if (length_computername_1 > size_computername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.return_authenticator); +@@ -11478,6 +11757,10 @@ + static enum ndr_err_code ndr_pull_netr_AccountSync(struct ndr_pull *ndr, int flags, struct netr_AccountSync *r) + { + uint32_t _ptr_logon_server; ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; ++ uint32_t size_computername_1 = 0; ++ uint32_t length_computername_1 = 0; + TALLOC_CTX *_mem_save_logon_server_0; + TALLOC_CTX *_mem_save_return_authenticator_0; + TALLOC_CTX *_mem_save_buffer_0; +@@ -11499,20 +11782,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); +- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); ++ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); ++ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); ++ if (length_computername_1 > size_computername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.return_authenticator); +@@ -11701,8 +11988,14 @@ + + static enum ndr_err_code ndr_pull_netr_GetDcName(struct ndr_pull *ndr, int flags, struct netr_GetDcName *r) + { ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; + uint32_t _ptr_domainname; ++ uint32_t size_domainname_1 = 0; ++ uint32_t length_domainname_1 = 0; + uint32_t _ptr_dcname; ++ uint32_t size_dcname_2 = 0; ++ uint32_t length_dcname_2 = 0; + TALLOC_CTX *_mem_save_domainname_0; + TALLOC_CTX *_mem_save_dcname_0; + TALLOC_CTX *_mem_save_dcname_1; +@@ -11711,11 +12004,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domainname)); + if (_ptr_domainname) { + NDR_PULL_ALLOC(ndr, r->in.domainname); +@@ -11727,11 +12022,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.domainname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domainname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domainname)); +- if (ndr_get_array_length(ndr, &r->in.domainname) > ndr_get_array_size(ndr, &r->in.domainname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domainname), ndr_get_array_length(ndr, &r->in.domainname)); ++ size_domainname_1 = ndr_get_array_size(ndr, &r->in.domainname); ++ length_domainname_1 = ndr_get_array_length(ndr, &r->in.domainname); ++ if (length_domainname_1 > size_domainname_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domainname_1, length_domainname_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domainname_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, length_domainname_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domainname_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.dcname); +@@ -11754,11 +12051,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.dcname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.dcname)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.dcname)); +- if (ndr_get_array_length(ndr, r->out.dcname) > ndr_get_array_size(ndr, r->out.dcname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.dcname), ndr_get_array_length(ndr, r->out.dcname)); ++ size_dcname_2 = ndr_get_array_size(ndr, r->out.dcname); ++ length_dcname_2 = ndr_get_array_length(ndr, r->out.dcname); ++ if (length_dcname_2 > size_dcname_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dcname_2, length_dcname_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dcname_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, length_dcname_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_0, LIBNDR_FLAG_REF_ALLOC); +@@ -11835,6 +12134,8 @@ + static enum ndr_err_code ndr_pull_netr_LogonControl(struct ndr_pull *ndr, int flags, struct netr_LogonControl *r) + { + uint32_t _ptr_logon_server; ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; + TALLOC_CTX *_mem_save_logon_server_0; + TALLOC_CTX *_mem_save_query_0; + if (flags & NDR_IN) { +@@ -11851,11 +12152,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); + } + NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); +@@ -11949,8 +12252,14 @@ + static enum ndr_err_code ndr_pull_netr_GetAnyDCName(struct ndr_pull *ndr, int flags, struct netr_GetAnyDCName *r) + { + uint32_t _ptr_logon_server; ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; + uint32_t _ptr_domainname; ++ uint32_t size_domainname_1 = 0; ++ uint32_t length_domainname_1 = 0; + uint32_t _ptr_dcname; ++ uint32_t size_dcname_2 = 0; ++ uint32_t length_dcname_2 = 0; + TALLOC_CTX *_mem_save_logon_server_0; + TALLOC_CTX *_mem_save_domainname_0; + TALLOC_CTX *_mem_save_dcname_0; +@@ -11969,11 +12278,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domainname)); +@@ -11987,11 +12298,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.domainname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domainname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domainname)); +- if (ndr_get_array_length(ndr, &r->in.domainname) > ndr_get_array_size(ndr, &r->in.domainname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domainname), ndr_get_array_length(ndr, &r->in.domainname)); ++ size_domainname_1 = ndr_get_array_size(ndr, &r->in.domainname); ++ length_domainname_1 = ndr_get_array_length(ndr, &r->in.domainname); ++ if (length_domainname_1 > size_domainname_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domainname_1, length_domainname_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, ndr_get_array_length(ndr, &r->in.domainname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domainname_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domainname, length_domainname_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domainname_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.dcname); +@@ -12014,11 +12327,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.dcname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.dcname)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.dcname)); +- if (ndr_get_array_length(ndr, r->out.dcname) > ndr_get_array_size(ndr, r->out.dcname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.dcname), ndr_get_array_length(ndr, r->out.dcname)); ++ size_dcname_2 = ndr_get_array_size(ndr, r->out.dcname); ++ length_dcname_2 = ndr_get_array_length(ndr, r->out.dcname); ++ if (length_dcname_2 > size_dcname_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dcname_2, length_dcname_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, ndr_get_array_length(ndr, r->out.dcname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dcname_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.dcname, length_dcname_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dcname_0, LIBNDR_FLAG_REF_ALLOC); +@@ -12102,6 +12417,8 @@ + static enum ndr_err_code ndr_pull_netr_LogonControl2(struct ndr_pull *ndr, int flags, struct netr_LogonControl2 *r) + { + uint32_t _ptr_logon_server; ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; + TALLOC_CTX *_mem_save_logon_server_0; + TALLOC_CTX *_mem_save_data_0; + TALLOC_CTX *_mem_save_query_0; +@@ -12119,11 +12436,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); + } + NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); +@@ -12244,6 +12563,12 @@ + static enum ndr_err_code ndr_pull_netr_ServerAuthenticate2(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate2 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credentials_0; + TALLOC_CTX *_mem_save_return_credentials_0; +@@ -12262,28 +12587,34 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credentials); + } +@@ -12432,6 +12763,10 @@ + + static enum ndr_err_code ndr_pull_netr_DatabaseSync2(struct ndr_pull *ndr, int flags, struct netr_DatabaseSync2 *r) + { ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; ++ uint32_t size_computername_1 = 0; ++ uint32_t length_computername_1 = 0; + uint32_t _ptr_delta_enum_array; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -12443,18 +12778,22 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); +- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); ++ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); ++ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); ++ if (length_computername_1 > size_computername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -12638,6 +12977,10 @@ + + static enum ndr_err_code ndr_pull_netr_DatabaseRedo(struct ndr_pull *ndr, int flags, struct netr_DatabaseRedo *r) + { ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; ++ uint32_t size_computername_1 = 0; ++ uint32_t length_computername_1 = 0; + uint32_t _ptr_delta_enum_array; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -12648,18 +12991,22 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computername)); +- if (ndr_get_array_length(ndr, &r->in.computername) > ndr_get_array_size(ndr, &r->in.computername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computername), ndr_get_array_length(ndr, &r->in.computername)); ++ size_computername_1 = ndr_get_array_size(ndr, &r->in.computername); ++ length_computername_1 = ndr_get_array_length(ndr, &r->in.computername); ++ if (length_computername_1 > size_computername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computername_1, length_computername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, ndr_get_array_length(ndr, &r->in.computername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computername, length_computername_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -12802,6 +13149,8 @@ + static enum ndr_err_code ndr_pull_netr_LogonControl2Ex(struct ndr_pull *ndr, int flags, struct netr_LogonControl2Ex *r) + { + uint32_t _ptr_logon_server; ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; + TALLOC_CTX *_mem_save_logon_server_0; + TALLOC_CTX *_mem_save_data_0; + TALLOC_CTX *_mem_save_query_0; +@@ -12819,11 +13168,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.logon_server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.logon_server)); +- if (ndr_get_array_length(ndr, &r->in.logon_server) > ndr_get_array_size(ndr, &r->in.logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.logon_server), ndr_get_array_length(ndr, &r->in.logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->in.logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->in.logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, ndr_get_array_length(ndr, &r->in.logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); + } + NDR_CHECK(ndr_pull_netr_LogonControlCode(ndr, NDR_SCALARS, &r->in.function_code)); +@@ -12917,6 +13268,8 @@ + static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomains(struct ndr_pull *ndr, int flags, struct netr_NetrEnumerateTrustedDomains *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_trusted_domains_blob_0; + if (flags & NDR_IN) { +@@ -12933,11 +13286,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.trusted_domains_blob); +@@ -13031,7 +13386,11 @@ + static enum ndr_err_code ndr_pull_netr_DsRGetDCName(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCName *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + uint32_t _ptr_domain_guid; + uint32_t _ptr_site_guid; + uint32_t _ptr_info; +@@ -13055,11 +13414,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); +@@ -13073,11 +13434,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); +@@ -13232,7 +13595,11 @@ + + static enum ndr_err_code ndr_pull_netr_LogonGetCapabilities(struct ndr_pull *ndr, int flags, struct netr_LogonGetCapabilities *r) + { ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_computer_name; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_computer_name_0; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -13242,11 +13609,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); + if (_ptr_computer_name) { + NDR_PULL_ALLOC(ndr, r->in.computer_name); +@@ -13258,11 +13627,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -13429,7 +13800,11 @@ + static enum ndr_err_code ndr_pull_netr_LogonGetTrustRid(struct ndr_pull *ndr, int flags, struct netr_LogonGetTrustRid *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_domain_name_0; + TALLOC_CTX *_mem_save_rid_0; +@@ -13447,11 +13822,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); +@@ -13465,11 +13842,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.rid); +@@ -13665,6 +14044,12 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_netr_ServerAuthenticate3(struct ndr_pull *ndr, int flags, struct netr_ServerAuthenticate3 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credentials_0; + TALLOC_CTX *_mem_save_return_credentials_0; +@@ -13684,28 +14069,34 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credentials); + } +@@ -13857,9 +14248,15 @@ + static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCNameEx *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + uint32_t _ptr_domain_guid; + uint32_t _ptr_site_name; ++ uint32_t size_site_name_1 = 0; ++ uint32_t length_site_name_1 = 0; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_domain_name_0; +@@ -13881,11 +14278,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_name)); +@@ -13899,11 +14298,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); +@@ -13929,11 +14330,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); +- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); ++ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); ++ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); ++ if (length_site_name_1 > size_site_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); + } + NDR_CHECK(ndr_pull_netr_DsRGetDCName_flags(ndr, NDR_SCALARS, &r->in.flags)); +@@ -14050,7 +14453,11 @@ + static enum ndr_err_code ndr_pull_netr_DsRGetSiteName(struct ndr_pull *ndr, int flags, struct netr_DsRGetSiteName *r) + { + uint32_t _ptr_computer_name; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + uint32_t _ptr_site; ++ uint32_t size_site_2 = 0; ++ uint32_t length_site_2 = 0; + TALLOC_CTX *_mem_save_computer_name_0; + TALLOC_CTX *_mem_save_site_0; + TALLOC_CTX *_mem_save_site_1; +@@ -14068,11 +14475,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.site); +@@ -14095,11 +14504,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.site, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.site)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.site)); +- if (ndr_get_array_length(ndr, r->out.site) > ndr_get_array_size(ndr, r->out.site)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.site), ndr_get_array_length(ndr, r->out.site)); ++ size_site_2 = ndr_get_array_size(ndr, r->out.site); ++ length_site_2 = ndr_get_array_length(ndr, r->out.site); ++ if (length_site_2 > size_site_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_2, length_site_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.site), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.site, ndr_get_array_length(ndr, r->out.site), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.site, length_site_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_0, LIBNDR_FLAG_REF_ALLOC); +@@ -14194,7 +14605,11 @@ + + static enum ndr_err_code ndr_pull_netr_LogonGetDomainInfo(struct ndr_pull *ndr, int flags, struct netr_LogonGetDomainInfo *r) + { ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_computer_name; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_computer_name_0; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -14205,11 +14620,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); + if (_ptr_computer_name) { + NDR_PULL_ALLOC(ndr, r->in.computer_name); +@@ -14221,11 +14638,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -14379,6 +14798,12 @@ + static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordSet2 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -14397,28 +14822,34 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -14545,6 +14976,12 @@ + static enum ndr_err_code ndr_pull_netr_ServerPasswordGet(struct ndr_pull *ndr, int flags, struct netr_ServerPasswordGet *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -14563,28 +15000,34 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -14747,6 +15190,9 @@ + static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesW(struct ndr_pull *ndr, int flags, struct netr_DsRAddressToSitenamesW *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_addresses_1 = 0; + uint32_t cntr_addresses_1; + uint32_t _ptr_ctr; + TALLOC_CTX *_mem_save_server_name_0; +@@ -14767,11 +15213,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); +@@ -14779,15 +15227,16 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.addresses)); ++ size_addresses_1 = ndr_get_array_size(ndr, &r->in.addresses); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.addresses, ndr_get_array_size(ndr, &r->in.addresses)); ++ NDR_PULL_ALLOC_N(ndr, r->in.addresses, size_addresses_1); + } + _mem_save_addresses_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.addresses, 0); +- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { ++ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { + NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_SCALARS, &r->in.addresses[cntr_addresses_1])); + } +- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { ++ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { + NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_BUFFERS, &r->in.addresses[cntr_addresses_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_1, 0); +@@ -14923,10 +15372,18 @@ + static enum ndr_err_code ndr_pull_netr_DsRGetDCNameEx2(struct ndr_pull *ndr, int flags, struct netr_DsRGetDCNameEx2 *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_client_account; ++ uint32_t size_client_account_1 = 0; ++ uint32_t length_client_account_1 = 0; + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + uint32_t _ptr_domain_guid; + uint32_t _ptr_site_name; ++ uint32_t size_site_name_1 = 0; ++ uint32_t length_site_name_1 = 0; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_client_account_0; +@@ -14949,11 +15406,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client_account)); +@@ -14967,11 +15426,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.client_account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client_account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client_account)); +- if (ndr_get_array_length(ndr, &r->in.client_account) > ndr_get_array_size(ndr, &r->in.client_account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client_account), ndr_get_array_length(ndr, &r->in.client_account)); ++ size_client_account_1 = ndr_get_array_size(ndr, &r->in.client_account); ++ length_client_account_1 = ndr_get_array_length(ndr, &r->in.client_account); ++ if (length_client_account_1 > size_client_account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_account_1, length_client_account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client_account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client_account, ndr_get_array_length(ndr, &r->in.client_account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client_account, length_client_account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_account_0, 0); + } + NDR_CHECK(ndr_pull_samr_AcctFlags(ndr, NDR_SCALARS, &r->in.mask)); +@@ -14986,11 +15447,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); +@@ -15016,11 +15479,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); +- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); ++ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); ++ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); ++ if (length_site_name_1 > size_site_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); + } + NDR_CHECK(ndr_pull_netr_DsRGetDCName_flags(ndr, NDR_SCALARS, &r->in.flags)); +@@ -15180,6 +15645,8 @@ + static enum ndr_err_code ndr_pull_netr_NetrEnumerateTrustedDomainsEx(struct ndr_pull *ndr, int flags, struct netr_NetrEnumerateTrustedDomainsEx *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_dom_trust_list_0; + if (flags & NDR_IN) { +@@ -15196,11 +15663,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.dom_trust_list); +@@ -15290,6 +15759,9 @@ + static enum ndr_err_code ndr_pull_netr_DsRAddressToSitenamesExW(struct ndr_pull *ndr, int flags, struct netr_DsRAddressToSitenamesExW *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_addresses_1 = 0; + uint32_t cntr_addresses_1; + uint32_t _ptr_ctr; + TALLOC_CTX *_mem_save_server_name_0; +@@ -15310,11 +15782,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); +@@ -15322,15 +15796,16 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.addresses)); ++ size_addresses_1 = ndr_get_array_size(ndr, &r->in.addresses); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.addresses, ndr_get_array_size(ndr, &r->in.addresses)); ++ NDR_PULL_ALLOC_N(ndr, r->in.addresses, size_addresses_1); + } + _mem_save_addresses_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.addresses, 0); +- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { ++ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { + NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_SCALARS, &r->in.addresses[cntr_addresses_1])); + } +- for (cntr_addresses_1 = 0; cntr_addresses_1 < r->in.count; cntr_addresses_1++) { ++ for (cntr_addresses_1 = 0; cntr_addresses_1 < size_addresses_1; cntr_addresses_1++) { + NDR_CHECK(ndr_pull_netr_DsRAddress(ndr, NDR_BUFFERS, &r->in.addresses[cntr_addresses_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addresses_1, 0); +@@ -15439,6 +15914,8 @@ + static enum ndr_err_code ndr_pull_netr_DsrGetDcSiteCoverageW(struct ndr_pull *ndr, int flags, struct netr_DsrGetDcSiteCoverageW *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_ctr; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_ctr_0; +@@ -15457,11 +15934,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.ctr); +@@ -15579,7 +16058,11 @@ + static enum ndr_err_code ndr_pull_netr_LogonSamLogonEx(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogonEx *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_computer_name; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_computer_name_0; + TALLOC_CTX *_mem_save_logon_0; +@@ -15600,11 +16083,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); +@@ -15618,11 +16103,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); + } + NDR_CHECK(ndr_pull_netr_LogonInfoClass(ndr, NDR_SCALARS, &r->in.logon_level)); +@@ -15760,6 +16247,8 @@ + static enum ndr_err_code ndr_pull_netr_DsrEnumerateDomainTrusts(struct ndr_pull *ndr, int flags, struct netr_DsrEnumerateDomainTrusts *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_trusts_0; + if (flags & NDR_IN) { +@@ -15776,11 +16265,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_netr_TrustFlags(ndr, NDR_SCALARS, &r->in.trust_flags)); +@@ -15875,9 +16366,15 @@ + static enum ndr_err_code ndr_pull_netr_DsrDeregisterDNSHostRecords(struct ndr_pull *ndr, int flags, struct netr_DsrDeregisterDNSHostRecords *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_domain; ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; + uint32_t _ptr_domain_guid; + uint32_t _ptr_dsa_guid; ++ uint32_t size_dns_host_1 = 0; ++ uint32_t length_dns_host_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_domain_0; + TALLOC_CTX *_mem_save_domain_guid_0; +@@ -15894,11 +16391,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain)); +@@ -15912,11 +16411,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain)); +- if (ndr_get_array_length(ndr, &r->in.domain) > ndr_get_array_size(ndr, &r->in.domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain), ndr_get_array_length(ndr, &r->in.domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->in.domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->in.domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); +@@ -15945,11 +16446,13 @@ + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dns_host)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dns_host)); +- if (ndr_get_array_length(ndr, &r->in.dns_host) > ndr_get_array_size(ndr, &r->in.dns_host)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dns_host), ndr_get_array_length(ndr, &r->in.dns_host)); ++ size_dns_host_1 = ndr_get_array_size(ndr, &r->in.dns_host); ++ length_dns_host_1 = ndr_get_array_length(ndr, &r->in.dns_host); ++ if (length_dns_host_1 > size_dns_host_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dns_host_1, length_dns_host_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dns_host), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_host, ndr_get_array_length(ndr, &r->in.dns_host), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dns_host_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dns_host, length_dns_host_1, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -16058,6 +16561,12 @@ + static enum ndr_err_code ndr_pull_netr_ServerTrustPasswordsGet(struct ndr_pull *ndr, int flags, struct netr_ServerTrustPasswordsGet *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -16077,28 +16586,34 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -16228,7 +16743,11 @@ + static enum ndr_err_code ndr_pull_netr_DsRGetForestTrustInformation(struct ndr_pull *ndr, int flags, struct netr_DsRGetForestTrustInformation *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_trusted_domain_name; ++ uint32_t size_trusted_domain_name_1 = 0; ++ uint32_t length_trusted_domain_name_1 = 0; + uint32_t _ptr_forest_trust_info; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_trusted_domain_name_0; +@@ -16248,11 +16767,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_trusted_domain_name)); +@@ -16266,11 +16787,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.trusted_domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.trusted_domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.trusted_domain_name)); +- if (ndr_get_array_length(ndr, &r->in.trusted_domain_name) > ndr_get_array_size(ndr, &r->in.trusted_domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.trusted_domain_name), ndr_get_array_length(ndr, &r->in.trusted_domain_name)); ++ size_trusted_domain_name_1 = ndr_get_array_size(ndr, &r->in.trusted_domain_name); ++ length_trusted_domain_name_1 = ndr_get_array_length(ndr, &r->in.trusted_domain_name); ++ if (length_trusted_domain_name_1 > size_trusted_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_trusted_domain_name_1, length_trusted_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, ndr_get_array_length(ndr, &r->in.trusted_domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_trusted_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.trusted_domain_name, length_trusted_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_trusted_domain_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); +@@ -16388,6 +16911,10 @@ + static enum ndr_err_code ndr_pull_netr_GetForestTrustInformation(struct ndr_pull *ndr, int flags, struct netr_GetForestTrustInformation *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + uint32_t _ptr_forest_trust_info; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credential_0; +@@ -16408,20 +16935,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -16579,7 +17110,11 @@ + static enum ndr_err_code ndr_pull_netr_LogonSamLogonWithFlags(struct ndr_pull *ndr, int flags, struct netr_LogonSamLogonWithFlags *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_computer_name; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + uint32_t _ptr_credential; + uint32_t _ptr_return_authenticator; + TALLOC_CTX *_mem_save_server_name_0; +@@ -16604,11 +17139,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_computer_name)); +@@ -16622,11 +17159,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.computer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_credential)); +@@ -16851,6 +17390,12 @@ + static enum ndr_err_code ndr_pull_netr_ServerGetTrustInfo(struct ndr_pull *ndr, int flags, struct netr_ServerGetTrustInfo *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_account_name_1 = 0; ++ uint32_t length_account_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + uint32_t _ptr_trust_info; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credential_0; +@@ -16873,28 +17418,34 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_name)); +- if (ndr_get_array_length(ndr, &r->in.account_name) > ndr_get_array_size(ndr, &r->in.account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_name), ndr_get_array_length(ndr, &r->in.account_name)); ++ size_account_name_1 = ndr_get_array_size(ndr, &r->in.account_name); ++ length_account_name_1 = ndr_get_array_length(ndr, &r->in.account_name); ++ if (length_account_name_1 > size_account_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_1, length_account_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, ndr_get_array_length(ndr, &r->in.account_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_name, length_account_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->in.secure_channel_type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -17111,7 +17662,13 @@ + static enum ndr_err_code ndr_pull_netr_DsrUpdateReadOnlyServerDnsRecords(struct ndr_pull *ndr, int flags, struct netr_DsrUpdateReadOnlyServerDnsRecords *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_computer_name_1 = 0; ++ uint32_t length_computer_name_1 = 0; + uint32_t _ptr_site_name; ++ uint32_t size_site_name_1 = 0; ++ uint32_t length_site_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_credential_0; + TALLOC_CTX *_mem_save_return_authenticator_0; +@@ -17131,20 +17688,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_1 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_1 > size_computer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_1, length_computer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.credential); + } +@@ -17163,11 +17724,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); +- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); ++ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); ++ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); ++ if (length_site_name_1 > size_site_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.dns_ttl)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_notify.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_notify.c 2012-04-12 12:09:51.679287479 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_notify.c 2012-04-12 12:19:20.759301004 -0500 +@@ -87,15 +87,17 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_notify_entry_array(struct ndr_pull *ndr, int ndr_flags, struct notify_entry_array *r) + { ++ uint32_t size_entries_0 = 0; + uint32_t cntr_entries_0; + TALLOC_CTX *_mem_save_entries_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries); ++ size_entries_0 = r->num_entries; ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0); + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { ++ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { + NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); +@@ -142,6 +144,7 @@ + + static enum ndr_err_code ndr_pull_notify_depth(struct ndr_pull *ndr, int ndr_flags, struct notify_depth *r) + { ++ uint32_t size_entries_0 = 0; + uint32_t cntr_entries_0; + TALLOC_CTX *_mem_save_entries_0; + if (ndr_flags & NDR_SCALARS) { +@@ -149,10 +152,11 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->max_mask_subdir)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, r->num_entries); ++ size_entries_0 = r->num_entries; ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_0); + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_0 = 0; cntr_entries_0 < r->num_entries; cntr_entries_0++) { ++ for (cntr_entries_0 = 0; cntr_entries_0 < size_entries_0; cntr_entries_0++) { + NDR_CHECK(ndr_pull_notify_entry(ndr, NDR_SCALARS, &r->entries[cntr_entries_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_0, 0); +@@ -199,15 +203,17 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_notify_array(struct ndr_pull *ndr, int ndr_flags, struct notify_array *r) + { ++ uint32_t size_depth_0 = 0; + uint32_t cntr_depth_0; + TALLOC_CTX *_mem_save_depth_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_depths)); +- NDR_PULL_ALLOC_N(ndr, r->depth, r->num_depths); ++ size_depth_0 = r->num_depths; ++ NDR_PULL_ALLOC_N(ndr, r->depth, size_depth_0); + _mem_save_depth_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->depth, 0); +- for (cntr_depth_0 = 0; cntr_depth_0 < r->num_depths; cntr_depth_0++) { ++ for (cntr_depth_0 = 0; cntr_depth_0 < size_depth_0; cntr_depth_0++) { + NDR_CHECK(ndr_pull_notify_depth(ndr, NDR_SCALARS, &r->depth[cntr_depth_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_depth_0, 0); +@@ -341,6 +347,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_FILE_NOTIFY_INFORMATION(struct ndr_pull *ndr, int ndr_flags, struct FILE_NOTIFY_INFORMATION *r) + { ++ uint32_t size_FileName1_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN4); +@@ -352,7 +359,8 @@ + { + uint32_t _flags_save_uint16 = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NOTERM); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->FileName1, r->FileNameLength, sizeof(uint16_t), CH_UTF16)); ++ size_FileName1_0 = r->FileNameLength; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->FileName1, size_FileName1_0, sizeof(uint16_t), CH_UTF16)); + ndr->flags = _flags_save_uint16; + } + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_ntlmssp.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_ntlmssp.c 2012-04-12 12:09:51.967287485 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_ntlmssp.c 2012-04-12 12:19:20.763301004 -0500 +@@ -170,12 +170,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_ntlmssp_VERSION(struct ndr_pull *ndr, int ndr_flags, struct ntlmssp_VERSION *r) + { ++ uint32_t size_Reserved_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 2)); + NDR_CHECK(ndr_pull_ntlmssp_WindowsMajorVersion(ndr, NDR_SCALARS, &r->ProductMajorVersion)); + NDR_CHECK(ndr_pull_ntlmssp_WindowsMinorVersion(ndr, NDR_SCALARS, &r->ProductMinorVersion)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->ProductBuild)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Reserved, 3)); ++ size_Reserved_0 = 3; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Reserved, size_Reserved_0)); + NDR_CHECK(ndr_pull_ntlmssp_NTLMRevisionCurrent(ndr, NDR_SCALARS, &r->NTLMRevisionCurrent)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 2)); + } +@@ -320,13 +322,15 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_NEGOTIATE_MESSAGE(struct ndr_pull *ndr, int ndr_flags, struct NEGOTIATE_MESSAGE *r) + { ++ uint32_t size_Signature_0 = 0; + uint32_t _ptr_DomainName; + TALLOC_CTX *_mem_save_DomainName_0; + uint32_t _ptr_Workstation; + TALLOC_CTX *_mem_save_Workstation_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, 8, sizeof(uint8_t), CH_DOS)); ++ size_Signature_0 = 8; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, size_Signature_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_ntlmssp_MessageType(ndr, NDR_SCALARS, &r->MessageType)); + NDR_CHECK(ndr_pull_NEGOTIATE(ndr, NDR_SCALARS, &r->NegotiateFlags)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->DomainNameLen)); +@@ -494,13 +498,15 @@ + + static enum ndr_err_code ndr_pull_Restriction_Encoding(struct ndr_pull *ndr, int ndr_flags, struct Restriction_Encoding *r) + { ++ uint32_t size_MachineId_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Size)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Z4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->IntegrityLevel)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->SubjectIntegrityLevel)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->MachineId, 32)); ++ size_MachineId_0 = 32; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->MachineId, size_MachineId_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -686,6 +692,7 @@ + static enum ndr_err_code ndr_pull_ntlmssp_AvValue(struct ndr_pull *ndr, int ndr_flags, union ntlmssp_AvValue *r) + { + uint32_t level; ++ uint32_t size_ChannelBindings_0 = 0; + { + uint32_t _flags_save_UNION = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); +@@ -763,7 +770,8 @@ + break; } + + case MsvChannelBindings: { +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChannelBindings, 16)); ++ size_ChannelBindings_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChannelBindings, size_ChannelBindings_0)); + break; } + + default: { +@@ -1045,8 +1053,11 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_CHALLENGE_MESSAGE(struct ndr_pull *ndr, int ndr_flags, struct CHALLENGE_MESSAGE *r) + { ++ uint32_t size_Signature_0 = 0; + uint32_t _ptr_TargetName; + TALLOC_CTX *_mem_save_TargetName_0; ++ uint32_t size_ServerChallenge_0 = 0; ++ uint32_t size_Reserved_0 = 0; + uint32_t _ptr_TargetInfo; + TALLOC_CTX *_mem_save_TargetInfo_0; + { +@@ -1054,7 +1065,8 @@ + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, 8, sizeof(uint8_t), CH_DOS)); ++ size_Signature_0 = 8; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, size_Signature_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_ntlmssp_MessageType(ndr, NDR_SCALARS, &r->MessageType)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->TargetNameLen)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->TargetNameMaxLen)); +@@ -1071,8 +1083,10 @@ + ndr->flags = _flags_save_string; + } + NDR_CHECK(ndr_pull_NEGOTIATE(ndr, NDR_SCALARS, &r->NegotiateFlags)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ServerChallenge, 8)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Reserved, 8)); ++ size_ServerChallenge_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ServerChallenge, size_ServerChallenge_0)); ++ size_Reserved_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Reserved, size_Reserved_0)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->TargetInfoLen)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->TargetNameInfoMaxLen)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_TargetInfo)); +@@ -1190,12 +1204,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_LM_RESPONSE(struct ndr_pull *ndr, int ndr_flags, struct LM_RESPONSE *r) + { ++ uint32_t size_Response_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, 24)); ++ size_Response_0 = 24; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, size_Response_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1239,13 +1255,17 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_LMv2_RESPONSE(struct ndr_pull *ndr, int ndr_flags, struct LMv2_RESPONSE *r) + { ++ uint32_t size_Response_0 = 0; ++ uint32_t size_ChallengeFromClient_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, 16)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChallengeFromClient, 8)); ++ size_Response_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, size_Response_0)); ++ size_ChallengeFromClient_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChallengeFromClient, size_ChallengeFromClient_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1363,12 +1383,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_NTLM_RESPONSE(struct ndr_pull *ndr, int ndr_flags, struct NTLM_RESPONSE *r) + { ++ uint32_t size_Response_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, 24)); ++ size_Response_0 = 24; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, size_Response_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -1433,6 +1455,7 @@ + + static enum ndr_err_code ndr_pull_NTLMv2_CLIENT_CHALLENGE(struct ndr_pull *ndr, int ndr_flags, struct NTLMv2_CLIENT_CHALLENGE *r) + { ++ uint32_t size_ChallengeFromClient_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); +@@ -1443,7 +1466,8 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Reserved1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Reserved2)); + NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->TimeStamp)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChallengeFromClient, 8)); ++ size_ChallengeFromClient_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->ChallengeFromClient, size_ChallengeFromClient_0)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Reserved3)); + { + uint32_t _flags_save_AV_PAIR_LIST = ndr->flags; +@@ -1512,12 +1536,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_NTLMv2_RESPONSE(struct ndr_pull *ndr, int ndr_flags, struct NTLMv2_RESPONSE *r) + { ++ uint32_t size_Response_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, 16)); ++ size_Response_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Response, size_Response_0)); + NDR_CHECK(ndr_pull_NTLMv2_CLIENT_CHALLENGE(ndr, NDR_SCALARS, &r->Challenge)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } +@@ -1772,6 +1798,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_AUTHENTICATE_MESSAGE(struct ndr_pull *ndr, int ndr_flags, struct AUTHENTICATE_MESSAGE *r) + { ++ uint32_t size_Signature_0 = 0; + uint32_t _ptr_LmChallengeResponse; + TALLOC_CTX *_mem_save_LmChallengeResponse_0; + uint32_t _ptr_NtChallengeResponse; +@@ -1789,7 +1816,8 @@ + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, 8, sizeof(uint8_t), CH_DOS)); ++ size_Signature_0 = 8; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Signature, size_Signature_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_ntlmssp_MessageType(ndr, NDR_SCALARS, &r->MessageType)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->LmChallengeResponseLen)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->LmChallengeResponseMaxLen)); +@@ -2129,13 +2157,15 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_NTLMSSP_MESSAGE_SIGNATURE_NTLMv2(struct ndr_pull *ndr, int ndr_flags, struct NTLMSSP_MESSAGE_SIGNATURE_NTLMv2 *r) + { ++ uint32_t size_Checksum_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->Version)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, 8)); ++ size_Checksum_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, size_Checksum_0)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->SeqNum)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_ntsvcs.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_ntsvcs.c 2012-04-12 12:09:51.687287479 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_ntsvcs.c 2012-04-12 12:19:20.767301004 -0500 +@@ -54,11 +54,13 @@ + + static enum ndr_err_code ndr_pull_PNP_HwProfInfo(struct ndr_pull *ndr, int ndr_flags, struct PNP_HwProfInfo *r) + { ++ uint32_t size_friendly_name_0 = 0; + uint32_t cntr_friendly_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->profile_handle)); +- for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < 80; cntr_friendly_name_0++) { ++ size_friendly_name_0 = 80; ++ for (cntr_friendly_name_0 = 0; cntr_friendly_name_0 < size_friendly_name_0; cntr_friendly_name_0++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->friendly_name[cntr_friendly_name_0])); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags)); +@@ -378,14 +380,18 @@ + + static enum ndr_err_code ndr_pull_PNP_ValidateDeviceInstance(struct ndr_pull *ndr, int flags, struct PNP_ValidateDeviceInstance *r) + { ++ uint32_t size_devicepath_1 = 0; ++ uint32_t length_devicepath_1 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); +- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); ++ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); ++ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); ++ if (length_devicepath_1 > size_devicepath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + } + if (flags & NDR_OUT) { +@@ -586,6 +592,10 @@ + static enum ndr_err_code ndr_pull_PNP_GetDeviceList(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceList *r) + { + uint32_t _ptr_filter; ++ uint32_t size_filter_1 = 0; ++ uint32_t length_filter_1 = 0; ++ uint32_t size_buffer_1 = 0; ++ uint32_t length_buffer_1 = 0; + uint32_t cntr_buffer_1; + TALLOC_CTX *_mem_save_filter_0; + TALLOC_CTX *_mem_save_buffer_1; +@@ -604,11 +614,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.filter, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.filter)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.filter)); +- if (ndr_get_array_length(ndr, &r->in.filter) > ndr_get_array_size(ndr, &r->in.filter)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.filter), ndr_get_array_length(ndr, &r->in.filter)); ++ size_filter_1 = ndr_get_array_size(ndr, &r->in.filter); ++ length_filter_1 = ndr_get_array_length(ndr, &r->in.filter); ++ if (length_filter_1 > size_filter_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_filter_1, length_filter_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.filter), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.filter, ndr_get_array_length(ndr, &r->in.filter), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_filter_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.filter, length_filter_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_filter_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -627,15 +639,17 @@ + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); +- if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); ++ length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer); ++ if (length_buffer_1 > size_buffer_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); + } + _mem_save_buffer_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.buffer, 0); +- for (cntr_buffer_1 = 0; cntr_buffer_1 < ndr_get_array_length(ndr, &r->out.buffer); cntr_buffer_1++) { ++ for (cntr_buffer_1 = 0; cntr_buffer_1 < length_buffer_1; cntr_buffer_1++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.buffer[cntr_buffer_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_1, 0); +@@ -729,6 +743,8 @@ + static enum ndr_err_code ndr_pull_PNP_GetDeviceListSize(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceListSize *r) + { + uint32_t _ptr_devicename; ++ uint32_t size_devicename_1 = 0; ++ uint32_t length_devicename_1 = 0; + TALLOC_CTX *_mem_save_devicename_0; + TALLOC_CTX *_mem_save_size_0; + if (flags & NDR_IN) { +@@ -745,11 +761,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.devicename, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicename)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicename)); +- if (ndr_get_array_length(ndr, &r->in.devicename) > ndr_get_array_size(ndr, &r->in.devicename)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicename), ndr_get_array_length(ndr, &r->in.devicename)); ++ size_devicename_1 = ndr_get_array_size(ndr, &r->in.devicename); ++ length_devicename_1 = ndr_get_array_length(ndr, &r->in.devicename); ++ if (length_devicename_1 > size_devicename_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicename_1, length_devicename_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, ndr_get_array_length(ndr, &r->in.devicename), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicename_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicename, length_devicename_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_devicename_0, 0); + } + NDR_CHECK(ndr_pull_PNP_GetIdListFlags(ndr, NDR_SCALARS, &r->in.flags)); +@@ -896,6 +914,10 @@ + + static enum ndr_err_code ndr_pull_PNP_GetDeviceRegProp(struct ndr_pull *ndr, int flags, struct PNP_GetDeviceRegProp *r) + { ++ uint32_t size_devicepath_1 = 0; ++ uint32_t length_devicepath_1 = 0; ++ uint32_t size_buffer_1 = 0; ++ uint32_t length_buffer_1 = 0; + TALLOC_CTX *_mem_save_reg_data_type_0; + TALLOC_CTX *_mem_save_buffer_size_0; + TALLOC_CTX *_mem_save_needed_0; +@@ -904,11 +926,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); +- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); ++ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); ++ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); ++ if (length_devicepath_1 > size_devicepath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.property)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.reg_data_type); +@@ -951,13 +975,15 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_reg_data_type_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); +- if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); ++ length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer); ++ if (length_buffer_1 > size_buffer_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_length(ndr, &r->out.buffer))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, length_buffer_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.buffer_size); + } +@@ -2187,9 +2213,15 @@ + + static enum ndr_err_code ndr_pull_PNP_HwProfFlags(struct ndr_pull *ndr, int flags, struct PNP_HwProfFlags *r) + { ++ uint32_t size_devicepath_1 = 0; ++ uint32_t length_devicepath_1 = 0; + uint32_t _ptr_veto_type; + uint32_t _ptr_unknown5; ++ uint32_t size_unknown5_1 = 0; ++ uint32_t length_unknown5_1 = 0; + uint32_t _ptr_unknown5a; ++ uint32_t size_unknown5a_2 = 0; ++ uint32_t length_unknown5a_2 = 0; + TALLOC_CTX *_mem_save_profile_flags_0; + TALLOC_CTX *_mem_save_veto_type_0; + TALLOC_CTX *_mem_save_unknown5_0; +@@ -2201,11 +2233,13 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.action)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.devicepath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.devicepath)); +- if (ndr_get_array_length(ndr, &r->in.devicepath) > ndr_get_array_size(ndr, &r->in.devicepath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.devicepath), ndr_get_array_length(ndr, &r->in.devicepath)); ++ size_devicepath_1 = ndr_get_array_size(ndr, &r->in.devicepath); ++ length_devicepath_1 = ndr_get_array_length(ndr, &r->in.devicepath); ++ if (length_devicepath_1 > size_devicepath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devicepath_1, length_devicepath_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, ndr_get_array_length(ndr, &r->in.devicepath), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_devicepath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.devicepath, length_devicepath_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.config)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.profile_flags); +@@ -2237,11 +2271,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown5, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown5)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown5)); +- if (ndr_get_array_length(ndr, &r->in.unknown5) > ndr_get_array_size(ndr, &r->in.unknown5)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown5), ndr_get_array_length(ndr, &r->in.unknown5)); ++ size_unknown5_1 = ndr_get_array_size(ndr, &r->in.unknown5); ++ length_unknown5_1 = ndr_get_array_length(ndr, &r->in.unknown5); ++ if (length_unknown5_1 > size_unknown5_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5_1, length_unknown5_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, ndr_get_array_length(ndr, &r->in.unknown5), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown5, length_unknown5_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_length)); +@@ -2289,11 +2325,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.unknown5a, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.unknown5a)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.unknown5a)); +- if (ndr_get_array_length(ndr, r->out.unknown5a) > ndr_get_array_size(ndr, r->out.unknown5a)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.unknown5a), ndr_get_array_length(ndr, r->out.unknown5a)); ++ size_unknown5a_2 = ndr_get_array_size(ndr, r->out.unknown5a); ++ length_unknown5a_2 = ndr_get_array_length(ndr, r->out.unknown5a); ++ if (length_unknown5a_2 > size_unknown5a_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown5a_2, length_unknown5a_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, ndr_get_array_length(ndr, r->out.unknown5a), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown5a_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.unknown5a, length_unknown5a_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown5a_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_orpc.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_orpc.c 2012-04-12 12:09:51.463287474 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_orpc.c 2012-04-12 12:19:20.771301004 -0500 +@@ -57,13 +57,15 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_ORPC_EXTENT(struct ndr_pull *ndr, int ndr_flags, struct ORPC_EXTENT *r) + { ++ uint32_t size_data_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->id)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); ++ size_data_0 = ndr_get_array_size(ndr, &r->data); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + if (r->data) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->data, ((r->size + 7) & ~7))); + } +@@ -114,6 +116,7 @@ + static enum ndr_err_code ndr_pull_ORPC_EXTENT_ARRAY(struct ndr_pull *ndr, int ndr_flags, struct ORPC_EXTENT_ARRAY *r) + { + uint32_t _ptr_extent; ++ uint32_t size_extent_1 = 0; + uint32_t cntr_extent_1; + TALLOC_CTX *_mem_save_extent_0; + TALLOC_CTX *_mem_save_extent_1; +@@ -135,10 +138,11 @@ + _mem_save_extent_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->extent, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->extent)); +- NDR_PULL_ALLOC_N(ndr, r->extent, ndr_get_array_size(ndr, &r->extent)); ++ size_extent_1 = ndr_get_array_size(ndr, &r->extent); ++ NDR_PULL_ALLOC_N(ndr, r->extent, size_extent_1); + _mem_save_extent_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->extent, 0); +- for (cntr_extent_1 = 0; cntr_extent_1 < ((r->size + 1) & ~1); cntr_extent_1++) { ++ for (cntr_extent_1 = 0; cntr_extent_1 < size_extent_1; cntr_extent_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_extent)); + if (_ptr_extent) { + NDR_PULL_ALLOC(ndr, r->extent[cntr_extent_1]); +@@ -146,7 +150,7 @@ + r->extent[cntr_extent_1] = NULL; + } + } +- for (cntr_extent_1 = 0; cntr_extent_1 < ((r->size + 1) & ~1); cntr_extent_1++) { ++ for (cntr_extent_1 = 0; cntr_extent_1 < size_extent_1; cntr_extent_1++) { + if (r->extent[cntr_extent_1]) { + _mem_save_extent_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->extent[cntr_extent_1], 0); +@@ -580,13 +584,15 @@ + + static enum ndr_err_code ndr_pull_u_custom(struct ndr_pull *ndr, int ndr_flags, struct u_custom *r) + { ++ uint32_t size_pData_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->clsid)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->cbExtension)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); +- NDR_PULL_ALLOC_N(ndr, r->pData, r->size); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pData, r->size)); ++ size_pData_0 = r->size; ++ NDR_PULL_ALLOC_N(ndr, r->pData, size_pData_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->pData, size_pData_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_oxidresolver.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_oxidresolver.c 2012-04-12 12:09:50.595287453 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_oxidresolver.c 2012-04-12 12:19:20.775301004 -0500 +@@ -75,6 +75,7 @@ + + static enum ndr_err_code ndr_pull_ResolveOxid(struct ndr_pull *ndr, int flags, struct ResolveOxid *r) + { ++ uint32_t size_arRequestedProtseqs_0 = 0; + uint32_t cntr_arRequestedProtseqs_0; + uint32_t _ptr_ppdsaOxidBindings; + TALLOC_CTX *_mem_save_arRequestedProtseqs_0; +@@ -88,10 +89,11 @@ + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->in.pOxid)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.cRequestedProtseqs)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.arRequestedProtseqs)); +- NDR_PULL_ALLOC_N(ndr, r->in.arRequestedProtseqs, ndr_get_array_size(ndr, &r->in.arRequestedProtseqs)); ++ size_arRequestedProtseqs_0 = ndr_get_array_size(ndr, &r->in.arRequestedProtseqs); ++ NDR_PULL_ALLOC_N(ndr, r->in.arRequestedProtseqs, size_arRequestedProtseqs_0); + _mem_save_arRequestedProtseqs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.arRequestedProtseqs, 0); +- for (cntr_arRequestedProtseqs_0 = 0; cntr_arRequestedProtseqs_0 < r->in.cRequestedProtseqs; cntr_arRequestedProtseqs_0++) { ++ for (cntr_arRequestedProtseqs_0 = 0; cntr_arRequestedProtseqs_0 < size_arRequestedProtseqs_0; cntr_arRequestedProtseqs_0++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.arRequestedProtseqs[cntr_arRequestedProtseqs_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_arRequestedProtseqs_0, 0); +@@ -286,7 +288,9 @@ + + static enum ndr_err_code ndr_pull_ComplexPing(struct ndr_pull *ndr, int flags, struct ComplexPing *r) + { ++ uint32_t size_AddToSet_0 = 0; + uint32_t cntr_AddToSet_0; ++ uint32_t size_DelFromSet_0 = 0; + uint32_t cntr_DelFromSet_0; + TALLOC_CTX *_mem_save_SetId_0; + TALLOC_CTX *_mem_save_AddToSet_0; +@@ -306,18 +310,20 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.cAddToSet)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.cDelFromSet)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.AddToSet)); +- NDR_PULL_ALLOC_N(ndr, r->in.AddToSet, ndr_get_array_size(ndr, &r->in.AddToSet)); ++ size_AddToSet_0 = ndr_get_array_size(ndr, &r->in.AddToSet); ++ NDR_PULL_ALLOC_N(ndr, r->in.AddToSet, size_AddToSet_0); + _mem_save_AddToSet_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.AddToSet, 0); +- for (cntr_AddToSet_0 = 0; cntr_AddToSet_0 < r->in.cAddToSet; cntr_AddToSet_0++) { ++ for (cntr_AddToSet_0 = 0; cntr_AddToSet_0 < size_AddToSet_0; cntr_AddToSet_0++) { + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->in.AddToSet[cntr_AddToSet_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_AddToSet_0, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DelFromSet)); +- NDR_PULL_ALLOC_N(ndr, r->in.DelFromSet, ndr_get_array_size(ndr, &r->in.DelFromSet)); ++ size_DelFromSet_0 = ndr_get_array_size(ndr, &r->in.DelFromSet); ++ NDR_PULL_ALLOC_N(ndr, r->in.DelFromSet, size_DelFromSet_0); + _mem_save_DelFromSet_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.DelFromSet, 0); +- for (cntr_DelFromSet_0 = 0; cntr_DelFromSet_0 < r->in.cDelFromSet; cntr_DelFromSet_0++) { ++ for (cntr_DelFromSet_0 = 0; cntr_DelFromSet_0 < size_DelFromSet_0; cntr_DelFromSet_0++) { + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->in.DelFromSet[cntr_DelFromSet_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DelFromSet_0, 0); +@@ -483,6 +489,7 @@ + + static enum ndr_err_code ndr_pull_ResolveOxid2(struct ndr_pull *ndr, int flags, struct ResolveOxid2 *r) + { ++ uint32_t size_arRequestedProtseqs_0 = 0; + uint32_t cntr_arRequestedProtseqs_0; + uint32_t _ptr_pdsaOxidBindings; + TALLOC_CTX *_mem_save_arRequestedProtseqs_0; +@@ -497,10 +504,11 @@ + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->in.pOxid)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.cRequestedProtseqs)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.arRequestedProtseqs)); +- NDR_PULL_ALLOC_N(ndr, r->in.arRequestedProtseqs, ndr_get_array_size(ndr, &r->in.arRequestedProtseqs)); ++ size_arRequestedProtseqs_0 = ndr_get_array_size(ndr, &r->in.arRequestedProtseqs); ++ NDR_PULL_ALLOC_N(ndr, r->in.arRequestedProtseqs, size_arRequestedProtseqs_0); + _mem_save_arRequestedProtseqs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.arRequestedProtseqs, 0); +- for (cntr_arRequestedProtseqs_0 = 0; cntr_arRequestedProtseqs_0 < r->in.cRequestedProtseqs; cntr_arRequestedProtseqs_0++) { ++ for (cntr_arRequestedProtseqs_0 = 0; cntr_arRequestedProtseqs_0 < size_arRequestedProtseqs_0; cntr_arRequestedProtseqs_0++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.arRequestedProtseqs[cntr_arRequestedProtseqs_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_arRequestedProtseqs_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_perfcount.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_perfcount.c 2012-04-12 12:09:51.775287481 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_perfcount.c 2012-04-12 12:19:20.779301005 -0500 +@@ -132,11 +132,13 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_PERF_COUNTER_BLOCK(struct ndr_pull *ndr, int ndr_flags, struct PERF_COUNTER_BLOCK *r) + { ++ uint32_t size_data_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ByteLength)); +- NDR_PULL_ALLOC_N(ndr, r->data, r->ByteLength); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, r->ByteLength)); ++ size_data_0 = r->ByteLength; ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -268,8 +270,10 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_PERF_OBJECT_TYPE(struct ndr_pull *ndr, int ndr_flags, struct PERF_OBJECT_TYPE *r) + { ++ uint32_t size_counters_0 = 0; + uint32_t cntr_counters_0; + TALLOC_CTX *_mem_save_counters_0; ++ uint32_t size_instances_0 = 0; + uint32_t cntr_instances_0; + TALLOC_CTX *_mem_save_instances_0; + if (ndr_flags & NDR_SCALARS) { +@@ -288,17 +292,19 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->CodePage)); + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->PerfTime)); + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->PerfFreq)); +- NDR_PULL_ALLOC_N(ndr, r->counters, r->NumCounters); ++ size_counters_0 = r->NumCounters; ++ NDR_PULL_ALLOC_N(ndr, r->counters, size_counters_0); + _mem_save_counters_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->counters, 0); +- for (cntr_counters_0 = 0; cntr_counters_0 < r->NumCounters; cntr_counters_0++) { ++ for (cntr_counters_0 = 0; cntr_counters_0 < size_counters_0; cntr_counters_0++) { + NDR_CHECK(ndr_pull_PERF_COUNTER_DEFINITION(ndr, NDR_SCALARS, &r->counters[cntr_counters_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_counters_0, 0); +- NDR_PULL_ALLOC_N(ndr, r->instances, r->NumInstances); ++ size_instances_0 = r->NumInstances; ++ NDR_PULL_ALLOC_N(ndr, r->instances, size_instances_0); + _mem_save_instances_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->instances, 0); +- for (cntr_instances_0 = 0; cntr_instances_0 < r->NumInstances; cntr_instances_0++) { ++ for (cntr_instances_0 = 0; cntr_instances_0 < size_instances_0; cntr_instances_0++) { + NDR_CHECK(ndr_pull_PERF_INSTANCE_DEFINITION(ndr, NDR_SCALARS, &r->instances[cntr_instances_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_instances_0, 0); +@@ -306,9 +312,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_instances_0 = r->NumInstances; + _mem_save_instances_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->instances, 0); +- for (cntr_instances_0 = 0; cntr_instances_0 < r->NumInstances; cntr_instances_0++) { ++ for (cntr_instances_0 = 0; cntr_instances_0 < size_instances_0; cntr_instances_0++) { + NDR_CHECK(ndr_pull_PERF_INSTANCE_DEFINITION(ndr, NDR_BUFFERS, &r->instances[cntr_instances_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_instances_0, 0); +@@ -395,14 +402,17 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_PERF_DATA_BLOCK(struct ndr_pull *ndr, int ndr_flags, struct PERF_DATA_BLOCK *r) + { ++ uint32_t size_Signature_0 = 0; + uint32_t cntr_Signature_0; + uint32_t _ptr_data; + TALLOC_CTX *_mem_save_data_0; ++ uint32_t size_objects_0 = 0; + uint32_t cntr_objects_0; + TALLOC_CTX *_mem_save_objects_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +- for (cntr_Signature_0 = 0; cntr_Signature_0 < 4; cntr_Signature_0++) { ++ size_Signature_0 = 4; ++ for (cntr_Signature_0 = 0; cntr_Signature_0 < size_Signature_0; cntr_Signature_0++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Signature[cntr_Signature_0])); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->LittleEndian)); +@@ -425,10 +435,11 @@ + } else { + r->data = NULL; + } +- NDR_PULL_ALLOC_N(ndr, r->objects, r->NumObjectTypes); ++ size_objects_0 = r->NumObjectTypes; ++ NDR_PULL_ALLOC_N(ndr, r->objects, size_objects_0); + _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); +- for (cntr_objects_0 = 0; cntr_objects_0 < r->NumObjectTypes; cntr_objects_0++) { ++ for (cntr_objects_0 = 0; cntr_objects_0 < size_objects_0; cntr_objects_0++) { + NDR_CHECK(ndr_pull_PERF_OBJECT_TYPE(ndr, NDR_SCALARS, &r->objects[cntr_objects_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_0, 0); +@@ -441,9 +452,10 @@ + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, r->data)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } ++ size_objects_0 = r->NumObjectTypes; + _mem_save_objects_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->objects, 0); +- for (cntr_objects_0 = 0; cntr_objects_0 < r->NumObjectTypes; cntr_objects_0++) { ++ for (cntr_objects_0 = 0; cntr_objects_0 < size_objects_0; cntr_objects_0++) { + NDR_CHECK(ndr_pull_PERF_OBJECT_TYPE(ndr, NDR_BUFFERS, &r->objects[cntr_objects_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_objects_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_preg.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_preg.c 2012-04-12 12:09:51.687287479 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_preg.c 2012-04-12 12:19:20.791301004 -0500 +@@ -38,30 +38,44 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_preg_entry(struct ndr_pull *ndr, int ndr_flags, struct preg_entry *r) + { ++ uint32_t size__opening_bracket_0 = 0; ++ uint32_t size__sep1_0 = 0; ++ uint32_t size__sep2_0 = 0; ++ uint32_t size__sep3_0 = 0; ++ uint32_t size__sep4_0 = 0; ++ uint32_t size_data_0 = 0; ++ uint32_t size__closing_bracket_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_opening_bracket, 2, sizeof(uint8_t), CH_DOS)); ++ size__opening_bracket_0 = 2; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_opening_bracket, size__opening_bracket_0, sizeof(uint8_t), CH_DOS)); + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM|LIBNDR_FLAG_ALIGN2); + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->keyname)); + ndr->flags = _flags_save_string; + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_sep1, 2, sizeof(uint8_t), CH_DOS)); ++ size__sep1_0 = 2; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_sep1, size__sep1_0, sizeof(uint8_t), CH_DOS)); + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM|LIBNDR_FLAG_ALIGN2); + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->valuename)); + ndr->flags = _flags_save_string; + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_sep2, 2, sizeof(uint8_t), CH_DOS)); ++ size__sep2_0 = 2; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_sep2, size__sep2_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, &r->type)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_sep3, 2, sizeof(uint8_t), CH_DOS)); ++ size__sep3_0 = 2; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_sep3, size__sep3_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_sep4, 2, sizeof(uint8_t), CH_DOS)); +- NDR_PULL_ALLOC_N(ndr, r->data, r->size); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, r->size)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_closing_bracket, 2, sizeof(uint8_t), CH_DOS)); ++ size__sep4_0 = 2; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_sep4, size__sep4_0, sizeof(uint8_t), CH_DOS)); ++ size_data_0 = r->size; ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); ++ size__closing_bracket_0 = 2; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->_closing_bracket, size__closing_bracket_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -97,9 +111,11 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_preg_header(struct ndr_pull *ndr, int ndr_flags, struct preg_header *r) + { ++ uint32_t size_signature_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->signature, 4, sizeof(uint8_t), CH_DOS)); ++ size_signature_0 = 4; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->signature, size_signature_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_printcap.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_printcap.c 2012-04-12 12:09:50.667287455 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_printcap.c 2012-04-12 12:19:20.803301005 -0500 +@@ -38,10 +38,16 @@ + static enum ndr_err_code ndr_pull_pcap_printer(struct ndr_pull *ndr, int ndr_flags, struct pcap_printer *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_info; ++ uint32_t size_info_1 = 0; ++ uint32_t length_info_1 = 0; + TALLOC_CTX *_mem_save_info_0; + uint32_t _ptr_location; ++ uint32_t size_location_1 = 0; ++ uint32_t length_location_1 = 0; + TALLOC_CTX *_mem_save_location_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -71,11 +77,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->info) { +@@ -83,11 +91,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->info, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->info)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->info)); +- if (ndr_get_array_length(ndr, &r->info) > ndr_get_array_size(ndr, &r->info)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->info), ndr_get_array_length(ndr, &r->info)); ++ size_info_1 = ndr_get_array_size(ndr, &r->info); ++ length_info_1 = ndr_get_array_length(ndr, &r->info); ++ if (length_info_1 > size_info_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_info_1, length_info_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, ndr_get_array_length(ndr, &r->info), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_info_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->info, length_info_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); + } + if (r->location) { +@@ -95,11 +105,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->location, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->location)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->location)); +- if (ndr_get_array_length(ndr, &r->location) > ndr_get_array_size(ndr, &r->location)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->location), ndr_get_array_length(ndr, &r->location)); ++ size_location_1 = ndr_get_array_size(ndr, &r->location); ++ length_location_1 = ndr_get_array_length(ndr, &r->location); ++ if (length_location_1 > size_location_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_location_1, length_location_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->location), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->location, ndr_get_array_length(ndr, &r->location), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_location_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->location, length_location_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_location_0, 0); + } + } +@@ -155,6 +167,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_pcap_data(struct ndr_pull *ndr, int ndr_flags, struct pcap_data *r) + { ++ uint32_t size_printers_0 = 0; + uint32_t cntr_printers_0; + TALLOC_CTX *_mem_save_printers_0; + if (ndr_flags & NDR_SCALARS) { +@@ -162,10 +175,11 @@ + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->status)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); +- NDR_PULL_ALLOC_N(ndr, r->printers, ndr_get_array_size(ndr, &r->printers)); ++ size_printers_0 = ndr_get_array_size(ndr, &r->printers); ++ NDR_PULL_ALLOC_N(ndr, r->printers, size_printers_0); + _mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0); +- for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) { ++ for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) { + NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_SCALARS, &r->printers[cntr_printers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0); +@@ -175,9 +189,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_printers_0 = ndr_get_array_size(ndr, &r->printers); + _mem_save_printers_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->printers, 0); +- for (cntr_printers_0 = 0; cntr_printers_0 < r->count; cntr_printers_0++) { ++ for (cntr_printers_0 = 0; cntr_printers_0 < size_printers_0; cntr_printers_0++) { + NDR_CHECK(ndr_pull_pcap_printer(ndr, NDR_BUFFERS, &r->printers[cntr_printers_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printers_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_rap.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_rap.c 2012-04-12 12:09:51.695287479 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_rap.c 2012-04-12 12:19:20.807301005 -0500 +@@ -31,9 +31,11 @@ + + static enum ndr_err_code ndr_pull_rap_share_info_0(struct ndr_pull *ndr, int ndr_flags, struct rap_share_info_0 *r) + { ++ uint32_t size_share_name_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->share_name, 13)); ++ size_share_name_0 = 13; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->share_name, size_share_name_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -80,11 +82,13 @@ + + static enum ndr_err_code ndr_pull_rap_share_info_1(struct ndr_pull *ndr, int ndr_flags, struct rap_share_info_1 *r) + { ++ uint32_t size_share_name_0 = 0; + uint32_t _ptr_comment; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->share_name, 13)); ++ size_share_name_0 = 13; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->share_name, size_share_name_0)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->reserved1)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->share_type)); + { +@@ -182,13 +186,16 @@ + + static enum ndr_err_code ndr_pull_rap_share_info_2(struct ndr_pull *ndr, int ndr_flags, struct rap_share_info_2 *r) + { ++ uint32_t size_share_name_0 = 0; + uint32_t _ptr_comment; + TALLOC_CTX *_mem_save_comment_0; + uint32_t _ptr_path; + TALLOC_CTX *_mem_save_path_0; ++ uint32_t size_password_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->share_name, 13)); ++ size_share_name_0 = 13; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->share_name, size_share_name_0)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->reserved1)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->share_type)); + { +@@ -216,7 +223,8 @@ + } + ndr->flags = _flags_save_string; + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->password, 9)); ++ size_password_0 = 9; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->password, size_password_0)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->reserved2)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } +@@ -398,9 +406,11 @@ + + static enum ndr_err_code ndr_pull_rap_server_info_0(struct ndr_pull *ndr, int ndr_flags, struct rap_server_info_0 *r) + { ++ uint32_t size_name_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->name, 16)); ++ size_name_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->name, size_name_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -448,11 +458,13 @@ + + static enum ndr_err_code ndr_pull_rap_server_info_1(struct ndr_pull *ndr, int ndr_flags, struct rap_server_info_1 *r) + { ++ uint32_t size_name_0 = 0; + uint32_t _ptr_comment; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->name, 16)); ++ size_name_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->name, size_name_0)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->version_major)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->version_minor)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->servertype)); +@@ -723,6 +735,9 @@ + + static enum ndr_err_code ndr_pull_rap_PrintJobInfo1(struct ndr_pull *ndr, int ndr_flags, struct rap_PrintJobInfo1 *r) + { ++ uint32_t size_UserName_0 = 0; ++ uint32_t size_NotifyName_0 = 0; ++ uint32_t size_DataType_0 = 0; + uint16_t _ptr_PrintParameterString; + TALLOC_CTX *_mem_save_PrintParameterString_0; + uint16_t _ptr_JobStatusString; +@@ -732,10 +747,13 @@ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->JobID)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->UserName, 21, sizeof(uint8_t), CH_DOS)); ++ size_UserName_0 = 21; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->UserName, size_UserName_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->Pad)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->NotifyName, 16, sizeof(uint8_t), CH_DOS)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->DataType, 10, sizeof(uint8_t), CH_DOS)); ++ size_NotifyName_0 = 16; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->NotifyName, size_NotifyName_0, sizeof(uint8_t), CH_DOS)); ++ size_DataType_0 = 10; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->DataType, size_DataType_0, sizeof(uint8_t), CH_DOS)); + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); +@@ -1964,9 +1982,11 @@ + + static enum ndr_err_code ndr_pull_rap_PrintQueue0(struct ndr_pull *ndr, int ndr_flags, struct rap_PrintQueue0 *r) + { ++ uint32_t size_PrintQName_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->PrintQName, 13, sizeof(uint8_t), CH_DOS)); ++ size_PrintQName_0 = 13; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->PrintQName, size_PrintQName_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -2083,6 +2103,7 @@ + + static enum ndr_err_code ndr_pull_rap_PrintQueue1(struct ndr_pull *ndr, int ndr_flags, struct rap_PrintQueue1 *r) + { ++ uint32_t size_PrintQName_0 = 0; + uint16_t _ptr_SeparatorPageFilename; + TALLOC_CTX *_mem_save_SeparatorPageFilename_0; + uint16_t _ptr_PrintProcessorDllName; +@@ -2095,7 +2116,8 @@ + TALLOC_CTX *_mem_save_CommentString_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->PrintQName, 13, sizeof(uint8_t), CH_DOS)); ++ size_PrintQName_0 = 13; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->PrintQName, size_PrintQName_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->Pad1)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Priority)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->StartTime)); +@@ -2316,15 +2338,17 @@ + + static enum ndr_err_code ndr_pull_rap_PrintQueue2(struct ndr_pull *ndr, int ndr_flags, struct rap_PrintQueue2 *r) + { ++ uint32_t size_job_0 = 0; + uint32_t cntr_job_0; + TALLOC_CTX *_mem_save_job_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_rap_PrintQueue1(ndr, NDR_SCALARS, &r->queue)); +- NDR_PULL_ALLOC_N(ndr, r->job, r->queue.PrintJobCount); ++ size_job_0 = r->queue.PrintJobCount; ++ NDR_PULL_ALLOC_N(ndr, r->job, size_job_0); + _mem_save_job_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->job, 0); +- for (cntr_job_0 = 0; cntr_job_0 < r->queue.PrintJobCount; cntr_job_0++) { ++ for (cntr_job_0 = 0; cntr_job_0 < size_job_0; cntr_job_0++) { + NDR_CHECK(ndr_pull_rap_PrintJobInfo1(ndr, NDR_SCALARS, &r->job[cntr_job_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_job_0, 0); +@@ -2332,9 +2356,10 @@ + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_rap_PrintQueue1(ndr, NDR_BUFFERS, &r->queue)); ++ size_job_0 = r->queue.PrintJobCount; + _mem_save_job_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->job, 0); +- for (cntr_job_0 = 0; cntr_job_0 < r->queue.PrintJobCount; cntr_job_0++) { ++ for (cntr_job_0 = 0; cntr_job_0 < size_job_0; cntr_job_0++) { + NDR_CHECK(ndr_pull_rap_PrintJobInfo1(ndr, NDR_BUFFERS, &r->job[cntr_job_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_job_0, 0); +@@ -2844,15 +2869,17 @@ + + static enum ndr_err_code ndr_pull_rap_PrintQueue4(struct ndr_pull *ndr, int ndr_flags, struct rap_PrintQueue4 *r) + { ++ uint32_t size_job_0 = 0; + uint32_t cntr_job_0; + TALLOC_CTX *_mem_save_job_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_rap_PrintQueue3(ndr, NDR_SCALARS, &r->queue)); +- NDR_PULL_ALLOC_N(ndr, r->job, r->queue.PrintJobCount); ++ size_job_0 = r->queue.PrintJobCount; ++ NDR_PULL_ALLOC_N(ndr, r->job, size_job_0); + _mem_save_job_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->job, 0); +- for (cntr_job_0 = 0; cntr_job_0 < r->queue.PrintJobCount; cntr_job_0++) { ++ for (cntr_job_0 = 0; cntr_job_0 < size_job_0; cntr_job_0++) { + NDR_CHECK(ndr_pull_rap_PrintJobInfo2(ndr, NDR_SCALARS, &r->job[cntr_job_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_job_0, 0); +@@ -2860,9 +2887,10 @@ + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_rap_PrintQueue3(ndr, NDR_BUFFERS, &r->queue)); ++ size_job_0 = r->queue.PrintJobCount; + _mem_save_job_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->job, 0); +- for (cntr_job_0 = 0; cntr_job_0 < r->queue.PrintJobCount; cntr_job_0++) { ++ for (cntr_job_0 = 0; cntr_job_0 < size_job_0; cntr_job_0++) { + NDR_CHECK(ndr_pull_rap_PrintJobInfo2(ndr, NDR_BUFFERS, &r->job[cntr_job_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_job_0, 0); +@@ -3494,9 +3522,11 @@ + + static enum ndr_err_code ndr_pull_rap_PrintDest0(struct ndr_pull *ndr, int ndr_flags, struct rap_PrintDest0 *r) + { ++ uint32_t size_PrintDestName_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->PrintDestName, 9, sizeof(uint8_t), CH_DOS)); ++ size_PrintDestName_0 = 9; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->PrintDestName, size_PrintDestName_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -3547,12 +3577,16 @@ + + static enum ndr_err_code ndr_pull_rap_PrintDest1(struct ndr_pull *ndr, int ndr_flags, struct rap_PrintDest1 *r) + { ++ uint32_t size_PrintDestName_0 = 0; ++ uint32_t size_UserName_0 = 0; + uint16_t _ptr_StatusStringName; + TALLOC_CTX *_mem_save_StatusStringName_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->PrintDestName, 9, sizeof(uint8_t), CH_DOS)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->UserName, 21, sizeof(uint8_t), CH_DOS)); ++ size_PrintDestName_0 = 9; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->PrintDestName, size_PrintDestName_0, sizeof(uint8_t), CH_DOS)); ++ size_UserName_0 = 21; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->UserName, size_UserName_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->JobId)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Status)); + { +@@ -4189,9 +4223,11 @@ + + static enum ndr_err_code ndr_pull_rap_NetUserInfo0(struct ndr_pull *ndr, int ndr_flags, struct rap_NetUserInfo0 *r) + { ++ uint32_t size_Name_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, 21, sizeof(uint8_t), CH_DOS)); ++ size_Name_0 = 21; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, size_Name_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -4301,6 +4337,8 @@ + + static enum ndr_err_code ndr_pull_rap_NetUserInfo1(struct ndr_pull *ndr, int ndr_flags, struct rap_NetUserInfo1 *r) + { ++ uint32_t size_Name_0 = 0; ++ uint32_t size_Password_0 = 0; + uint16_t _ptr_HomeDir; + TALLOC_CTX *_mem_save_HomeDir_0; + uint16_t _ptr_Comment; +@@ -4309,9 +4347,11 @@ + TALLOC_CTX *_mem_save_ScriptPath_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, 21, sizeof(uint8_t), CH_DOS)); ++ size_Name_0 = 21; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, size_Name_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->Pad)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Password, 16)); ++ size_Password_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Password, size_Password_0)); + NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->PasswordAge)); + NDR_CHECK(ndr_pull_rap_UserPriv(ndr, NDR_SCALARS, &r->Priv)); + { +@@ -4479,9 +4519,11 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_rap_LogonHours(struct ndr_pull *ndr, int ndr_flags, struct rap_LogonHours *r) + { ++ uint32_t size_LogonHours_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->LogonHours, 21)); ++ size_LogonHours_0 = 21; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->LogonHours, size_LogonHours_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -4661,6 +4703,8 @@ + + static enum ndr_err_code ndr_pull_rap_NetUserInfo2(struct ndr_pull *ndr, int ndr_flags, struct rap_NetUserInfo2 *r) + { ++ uint32_t size_Name_0 = 0; ++ uint32_t size_Password_0 = 0; + uint16_t _ptr_HomeDir; + TALLOC_CTX *_mem_save_HomeDir_0; + uint16_t _ptr_Comment; +@@ -4681,9 +4725,11 @@ + TALLOC_CTX *_mem_save_LogonServer_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, 21, sizeof(uint8_t), CH_DOS)); ++ size_Name_0 = 21; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, size_Name_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->Pad)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Password, 16)); ++ size_Password_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Password, size_Password_0)); + NDR_CHECK(ndr_pull_time_t(ndr, NDR_SCALARS, &r->PasswordAge)); + NDR_CHECK(ndr_pull_rap_UserPriv(ndr, NDR_SCALARS, &r->Priv)); + { +@@ -5087,6 +5133,7 @@ + + static enum ndr_err_code ndr_pull_rap_NetUserInfo10(struct ndr_pull *ndr, int ndr_flags, struct rap_NetUserInfo10 *r) + { ++ uint32_t size_Name_0 = 0; + uint16_t _ptr_Comment; + TALLOC_CTX *_mem_save_Comment_0; + uint16_t _ptr_UsrComment; +@@ -5095,7 +5142,8 @@ + TALLOC_CTX *_mem_save_FullName_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, 21, sizeof(uint8_t), CH_DOS)); ++ size_Name_0 = 21; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, size_Name_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->Pad)); + { + uint32_t _flags_save_string = ndr->flags; +@@ -5360,6 +5408,7 @@ + + static enum ndr_err_code ndr_pull_rap_NetUserInfo11(struct ndr_pull *ndr, int ndr_flags, struct rap_NetUserInfo11 *r) + { ++ uint32_t size_Name_0 = 0; + uint16_t _ptr_Comment; + TALLOC_CTX *_mem_save_Comment_0; + uint16_t _ptr_UsrComment; +@@ -5378,7 +5427,8 @@ + TALLOC_CTX *_mem_save_LogonHours_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, 21, sizeof(uint8_t), CH_DOS)); ++ size_Name_0 = 21; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->Name, size_Name_0, sizeof(uint8_t), CH_DOS)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->Pad)); + { + uint32_t _flags_save_string = ndr->flags; +@@ -6345,6 +6395,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_rap_NetServerEnum2(struct ndr_pull *ndr, int flags, struct rap_NetServerEnum2 *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -6365,14 +6416,15 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.convert)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.count)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.available)); +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->out.count); ++ size_info_0 = r->out.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_rap_server_info(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_rap_server_info(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -6507,6 +6559,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_rap_NetPrintQEnum(struct ndr_pull *ndr, int flags, struct rap_NetPrintQEnum *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -6520,14 +6573,15 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.convert)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.count)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.available)); +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->out.count); ++ size_info_0 = r->out.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_rap_printq_info(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_rap_printq_info(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -7006,6 +7060,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_rap_NetPrintJobEnum(struct ndr_pull *ndr, int flags, struct rap_NetPrintJobEnum *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -7025,14 +7080,15 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.convert)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.count)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.available)); +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->out.count); ++ size_info_0 = r->out.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_rap_printj_info(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_rap_printj_info(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -7231,6 +7287,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_rap_NetPrintDestEnum(struct ndr_pull *ndr, int flags, struct rap_NetPrintDestEnum *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -7244,14 +7301,15 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.convert)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.count)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.available)); +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->out.count); ++ size_info_0 = r->out.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_rap_printdest_info(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_rap_printdest_info(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -7392,6 +7450,8 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_rap_NetUserPasswordSet2(struct ndr_pull *ndr, int flags, struct rap_NetUserPasswordSet2 *r) + { ++ uint32_t size_OldPassword_0 = 0; ++ uint32_t size_NewPassword_0 = 0; + if (flags & NDR_IN) { + ZERO_STRUCT(r->out); + +@@ -7401,8 +7461,10 @@ + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->in.UserName)); + ndr->flags = _flags_save_string; + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.OldPassword, 16)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.NewPassword, 16)); ++ size_OldPassword_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.OldPassword, size_OldPassword_0)); ++ size_NewPassword_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.NewPassword, size_NewPassword_0)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.EncryptedPassword)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.RealPasswordLength)); + } +@@ -7462,6 +7524,8 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_rap_NetOEMChangePassword(struct ndr_pull *ndr, int flags, struct rap_NetOEMChangePassword *r) + { ++ uint32_t size_crypt_password_0 = 0; ++ uint32_t size_password_hash_0 = 0; + if (flags & NDR_IN) { + ZERO_STRUCT(r->out); + +@@ -7471,8 +7535,10 @@ + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->in.UserName)); + ndr->flags = _flags_save_string; + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.crypt_password, 516)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.password_hash, 16)); ++ size_crypt_password_0 = 516; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.crypt_password, size_crypt_password_0)); ++ size_password_hash_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.password_hash, size_password_hash_0)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_rap_status(ndr, NDR_SCALARS, &r->out.status)); +@@ -7607,6 +7673,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_rap_NetSessionEnum(struct ndr_pull *ndr, int flags, struct rap_NetSessionEnum *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -7620,14 +7687,15 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.convert)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.count)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->out.available)); +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->out.count); ++ size_info_0 = r->out.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_rap_session_info(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->out.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_rap_session_info(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_remact.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_remact.c 2012-04-12 12:09:50.687287455 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_remact.c 2012-04-12 12:19:20.815301005 -0500 +@@ -90,9 +90,15 @@ + + static enum ndr_err_code ndr_pull_RemoteActivation(struct ndr_pull *ndr, int flags, struct RemoteActivation *r) + { ++ uint32_t size_pwszObjectName_1 = 0; ++ uint32_t length_pwszObjectName_1 = 0; ++ uint32_t size_pIIDs_1 = 0; + uint32_t cntr_pIIDs_1; ++ uint32_t size_protseq_0 = 0; + uint32_t cntr_protseq_0; ++ uint32_t size_ifaces_0 = 0; + uint32_t cntr_ifaces_0; ++ uint32_t size_results_0 = 0; + uint32_t cntr_results_0; + TALLOC_CTX *_mem_save_that_0; + TALLOC_CTX *_mem_save_pObjectStorage_0; +@@ -114,11 +120,13 @@ + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->in.Clsid)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.pwszObjectName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.pwszObjectName)); +- if (ndr_get_array_length(ndr, &r->in.pwszObjectName) > ndr_get_array_size(ndr, &r->in.pwszObjectName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.pwszObjectName), ndr_get_array_length(ndr, &r->in.pwszObjectName)); ++ size_pwszObjectName_1 = ndr_get_array_size(ndr, &r->in.pwszObjectName); ++ length_pwszObjectName_1 = ndr_get_array_length(ndr, &r->in.pwszObjectName); ++ if (length_pwszObjectName_1 > size_pwszObjectName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_pwszObjectName_1, length_pwszObjectName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.pwszObjectName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.pwszObjectName, ndr_get_array_length(ndr, &r->in.pwszObjectName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_pwszObjectName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.pwszObjectName, length_pwszObjectName_1, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.pObjectStorage); + } +@@ -133,21 +141,23 @@ + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.pIIDs)); ++ size_pIIDs_1 = ndr_get_array_size(ndr, &r->in.pIIDs); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.pIIDs, ndr_get_array_size(ndr, &r->in.pIIDs)); ++ NDR_PULL_ALLOC_N(ndr, r->in.pIIDs, size_pIIDs_1); + } + _mem_save_pIIDs_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.pIIDs, 0); +- for (cntr_pIIDs_1 = 0; cntr_pIIDs_1 < r->in.Interfaces; cntr_pIIDs_1++) { ++ for (cntr_pIIDs_1 = 0; cntr_pIIDs_1 < size_pIIDs_1; cntr_pIIDs_1++) { + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->in.pIIDs[cntr_pIIDs_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pIIDs_1, 0); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.num_protseqs)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.protseq)); +- NDR_PULL_ALLOC_N(ndr, r->in.protseq, ndr_get_array_size(ndr, &r->in.protseq)); ++ size_protseq_0 = ndr_get_array_size(ndr, &r->in.protseq); ++ NDR_PULL_ALLOC_N(ndr, r->in.protseq, size_protseq_0); + _mem_save_protseq_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.protseq, 0); +- for (cntr_protseq_0 = 0; cntr_protseq_0 < r->in.num_protseqs; cntr_protseq_0++) { ++ for (cntr_protseq_0 = 0; cntr_protseq_0 < size_protseq_0; cntr_protseq_0++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->in.protseq[cntr_protseq_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_protseq_0, 0); +@@ -223,15 +233,16 @@ + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, r->out.hr)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_hr_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.ifaces)); +- NDR_PULL_ALLOC_N(ndr, r->out.ifaces, ndr_get_array_size(ndr, &r->out.ifaces)); ++ size_ifaces_0 = ndr_get_array_size(ndr, &r->out.ifaces); ++ NDR_PULL_ALLOC_N(ndr, r->out.ifaces, size_ifaces_0); + _mem_save_ifaces_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.ifaces, 0); +- for (cntr_ifaces_0 = 0; cntr_ifaces_0 < r->in.Interfaces; cntr_ifaces_0++) { ++ for (cntr_ifaces_0 = 0; cntr_ifaces_0 < size_ifaces_0; cntr_ifaces_0++) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.ifaces[cntr_ifaces_0]); + } + } +- for (cntr_ifaces_0 = 0; cntr_ifaces_0 < r->in.Interfaces; cntr_ifaces_0++) { ++ for (cntr_ifaces_0 = 0; cntr_ifaces_0 < size_ifaces_0; cntr_ifaces_0++) { + _mem_save_ifaces_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.ifaces[cntr_ifaces_0], LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_MInterfacePointer(ndr, NDR_SCALARS|NDR_BUFFERS, r->out.ifaces[cntr_ifaces_0])); +@@ -239,10 +250,11 @@ + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ifaces_0, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.results)); +- NDR_PULL_ALLOC_N(ndr, r->out.results, ndr_get_array_size(ndr, &r->out.results)); ++ size_results_0 = ndr_get_array_size(ndr, &r->out.results); ++ NDR_PULL_ALLOC_N(ndr, r->out.results, size_results_0); + _mem_save_results_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.results, 0); +- for (cntr_results_0 = 0; cntr_results_0 < r->in.Interfaces; cntr_results_0++) { ++ for (cntr_results_0 = 0; cntr_results_0 < size_results_0; cntr_results_0++) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.results[cntr_results_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_results_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_samr.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_samr.c 2012-04-12 12:09:51.763287481 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_samr.c 2012-04-12 12:19:20.839301006 -0500 +@@ -282,6 +282,7 @@ + static enum ndr_err_code ndr_pull_samr_SamArray(struct ndr_pull *ndr, int ndr_flags, struct samr_SamArray *r) + { + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -301,13 +302,14 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_SamEntry(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_SamEntry(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); +@@ -1240,6 +1242,7 @@ + static enum ndr_err_code ndr_pull_samr_Ids(struct ndr_pull *ndr, int ndr_flags, struct samr_Ids *r) + { + uint32_t _ptr_ids; ++ uint32_t size_ids_1 = 0; + uint32_t cntr_ids_1; + TALLOC_CTX *_mem_save_ids_0; + TALLOC_CTX *_mem_save_ids_1; +@@ -1262,10 +1265,11 @@ + _mem_save_ids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->ids)); +- NDR_PULL_ALLOC_N(ndr, r->ids, ndr_get_array_size(ndr, &r->ids)); ++ size_ids_1 = ndr_get_array_size(ndr, &r->ids); ++ NDR_PULL_ALLOC_N(ndr, r->ids, size_ids_1); + _mem_save_ids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ids, 0); +- for (cntr_ids_1 = 0; cntr_ids_1 < r->count; cntr_ids_1++) { ++ for (cntr_ids_1 = 0; cntr_ids_1 < size_ids_1; cntr_ids_1++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ids[cntr_ids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ids_1, 0); +@@ -1622,10 +1626,12 @@ + static enum ndr_err_code ndr_pull_samr_RidAttrArray(struct ndr_pull *ndr, int ndr_flags, struct samr_RidAttrArray *r) + { + uint32_t _ptr_rids; ++ uint32_t size_rids_1 = 0; + uint32_t cntr_rids_1; + TALLOC_CTX *_mem_save_rids_0; + TALLOC_CTX *_mem_save_rids_1; + uint32_t _ptr_attributes; ++ uint32_t size_attributes_1 = 0; + uint32_t cntr_attributes_1; + TALLOC_CTX *_mem_save_attributes_0; + TALLOC_CTX *_mem_save_attributes_1; +@@ -1651,10 +1657,11 @@ + _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); +- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); ++ size_rids_1 = ndr_get_array_size(ndr, &r->rids); ++ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); + _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); +- for (cntr_rids_1 = 0; cntr_rids_1 < r->count; cntr_rids_1++) { ++ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); +@@ -1664,10 +1671,11 @@ + _mem_save_attributes_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->attributes, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->attributes)); +- NDR_PULL_ALLOC_N(ndr, r->attributes, ndr_get_array_size(ndr, &r->attributes)); ++ size_attributes_1 = ndr_get_array_size(ndr, &r->attributes); ++ NDR_PULL_ALLOC_N(ndr, r->attributes, size_attributes_1); + _mem_save_attributes_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->attributes, 0); +- for (cntr_attributes_1 = 0; cntr_attributes_1 < r->count; cntr_attributes_1++) { ++ for (cntr_attributes_1 = 0; cntr_attributes_1 < size_attributes_1; cntr_attributes_1++) { + NDR_CHECK(ndr_pull_samr_GroupAttrs(ndr, NDR_SCALARS, &r->attributes[cntr_attributes_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_attributes_1, 0); +@@ -2076,6 +2084,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_samr_LogonHours(struct ndr_pull *ndr, int ndr_flags, struct samr_LogonHours *r) + { + uint32_t _ptr_bits; ++ uint32_t size_bits_1 = 0; ++ uint32_t length_bits_1 = 0; + TALLOC_CTX *_mem_save_bits_0; + { + uint32_t _flags_save_STRUCT = ndr->flags; +@@ -2097,11 +2107,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->bits, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->bits)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->bits)); +- if (ndr_get_array_length(ndr, &r->bits) > ndr_get_array_size(ndr, &r->bits)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->bits), ndr_get_array_length(ndr, &r->bits)); ++ size_bits_1 = ndr_get_array_size(ndr, &r->bits); ++ length_bits_1 = ndr_get_array_length(ndr, &r->bits); ++ if (length_bits_1 > size_bits_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_bits_1, length_bits_1); + } +- NDR_PULL_ALLOC_N(ndr, r->bits, ndr_get_array_size(ndr, &r->bits)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->bits, ndr_get_array_length(ndr, &r->bits))); ++ NDR_PULL_ALLOC_N(ndr, r->bits, size_bits_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->bits, length_bits_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_bits_0, 0); + } + if (r->bits) { +@@ -2781,12 +2793,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_samr_Password(struct ndr_pull *ndr, int ndr_flags, struct samr_Password *r) + { ++ uint32_t size_hash_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); ++ size_hash_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -3007,6 +3021,7 @@ + static enum ndr_err_code ndr_pull_samr_UserInfo21(struct ndr_pull *ndr, int ndr_flags, struct samr_UserInfo21 *r) + { + uint32_t _ptr_buffer; ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_buffer_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3069,8 +3084,9 @@ + _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->buffer)); +- NDR_PULL_ALLOC_N(ndr, r->buffer, ndr_get_array_size(ndr, &r->buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, ndr_get_array_size(ndr, &r->buffer))); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->buffer); ++ NDR_PULL_ALLOC_N(ndr, r->buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->buffer, size_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + NDR_CHECK(ndr_pull_samr_LogonHours(ndr, NDR_BUFFERS, &r->logon_hours)); +@@ -3147,12 +3163,14 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_samr_CryptPassword(struct ndr_pull *ndr, int ndr_flags, struct samr_CryptPassword *r) + { ++ uint32_t size_data_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 516)); ++ size_data_0 = 516; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -3269,12 +3287,14 @@ + + static enum ndr_err_code ndr_pull_samr_CryptPasswordEx(struct ndr_pull *ndr, int ndr_flags, struct samr_CryptPasswordEx *r) + { ++ uint32_t size_data_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 532)); ++ size_data_0 = 532; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -3938,6 +3958,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_samr_RidWithAttributeArray(struct ndr_pull *ndr, int ndr_flags, struct samr_RidWithAttributeArray *r) + { + uint32_t _ptr_rids; ++ uint32_t size_rids_1 = 0; + uint32_t cntr_rids_1; + TALLOC_CTX *_mem_save_rids_0; + TALLOC_CTX *_mem_save_rids_1; +@@ -3957,10 +3978,11 @@ + _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); +- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); ++ size_rids_1 = ndr_get_array_size(ndr, &r->rids); ++ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_1); + _mem_save_rids_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); +- for (cntr_rids_1 = 0; cntr_rids_1 < r->count; cntr_rids_1++) { ++ for (cntr_rids_1 = 0; cntr_rids_1 < size_rids_1; cntr_rids_1++) { + NDR_CHECK(ndr_pull_samr_RidWithAttribute(ndr, NDR_SCALARS, &r->rids[cntr_rids_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_1, 0); +@@ -4074,6 +4096,7 @@ + static enum ndr_err_code ndr_pull_samr_DispInfoGeneral(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoGeneral *r) + { + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -4093,13 +4116,14 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_DispEntryGeneral(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_DispEntryGeneral(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); +@@ -4208,6 +4232,7 @@ + static enum ndr_err_code ndr_pull_samr_DispInfoFull(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoFull *r) + { + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -4227,13 +4252,14 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_DispEntryFull(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_DispEntryFull(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); +@@ -4342,6 +4368,7 @@ + static enum ndr_err_code ndr_pull_samr_DispInfoFullGroups(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoFullGroups *r) + { + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -4361,13 +4388,14 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_DispEntryFullGroup(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_DispEntryFullGroup(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); +@@ -4465,6 +4493,7 @@ + static enum ndr_err_code ndr_pull_samr_DispInfoAscii(struct ndr_pull *ndr, int ndr_flags, struct samr_DispInfoAscii *r) + { + uint32_t _ptr_entries; ++ uint32_t size_entries_1 = 0; + uint32_t cntr_entries_1; + TALLOC_CTX *_mem_save_entries_0; + TALLOC_CTX *_mem_save_entries_1; +@@ -4484,13 +4513,14 @@ + _mem_save_entries_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->entries)); +- NDR_PULL_ALLOC_N(ndr, r->entries, ndr_get_array_size(ndr, &r->entries)); ++ size_entries_1 = ndr_get_array_size(ndr, &r->entries); ++ NDR_PULL_ALLOC_N(ndr, r->entries, size_entries_1); + _mem_save_entries_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->entries, 0); +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_DispEntryAscii(ndr, NDR_SCALARS, &r->entries[cntr_entries_1])); + } +- for (cntr_entries_1 = 0; cntr_entries_1 < r->count; cntr_entries_1++) { ++ for (cntr_entries_1 = 0; cntr_entries_1 < size_entries_1; cntr_entries_1++) { + NDR_CHECK(ndr_pull_samr_DispEntryAscii(ndr, NDR_BUFFERS, &r->entries[cntr_entries_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_entries_1, 0); +@@ -5035,6 +5065,7 @@ + static enum ndr_err_code ndr_pull_samr_ValidationBlob(struct ndr_pull *ndr, int ndr_flags, struct samr_ValidationBlob *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -5052,8 +5083,9 @@ + _mem_save_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_size(ndr, &r->data))); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -5109,6 +5141,7 @@ + static enum ndr_err_code ndr_pull_samr_ValidatePasswordInfo(struct ndr_pull *ndr, int ndr_flags, struct samr_ValidatePasswordInfo *r) + { + uint32_t _ptr_pwd_history; ++ uint32_t size_pwd_history_1 = 0; + uint32_t cntr_pwd_history_1; + TALLOC_CTX *_mem_save_pwd_history_0; + TALLOC_CTX *_mem_save_pwd_history_1; +@@ -5133,13 +5166,14 @@ + _mem_save_pwd_history_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->pwd_history, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->pwd_history)); +- NDR_PULL_ALLOC_N(ndr, r->pwd_history, ndr_get_array_size(ndr, &r->pwd_history)); ++ size_pwd_history_1 = ndr_get_array_size(ndr, &r->pwd_history); ++ NDR_PULL_ALLOC_N(ndr, r->pwd_history, size_pwd_history_1); + _mem_save_pwd_history_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->pwd_history, 0); +- for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < r->pwd_history_len; cntr_pwd_history_1++) { ++ for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < size_pwd_history_1; cntr_pwd_history_1++) { + NDR_CHECK(ndr_pull_samr_ValidationBlob(ndr, NDR_SCALARS, &r->pwd_history[cntr_pwd_history_1])); + } +- for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < r->pwd_history_len; cntr_pwd_history_1++) { ++ for (cntr_pwd_history_1 = 0; cntr_pwd_history_1 < size_pwd_history_1; cntr_pwd_history_1++) { + NDR_CHECK(ndr_pull_samr_ValidationBlob(ndr, NDR_BUFFERS, &r->pwd_history[cntr_pwd_history_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pwd_history_1, 0); +@@ -7490,6 +7524,8 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_samr_LookupNames(struct ndr_pull *ndr, int flags, struct samr_LookupNames *r) + { ++ uint32_t size_names_0 = 0; ++ uint32_t length_names_0 = 0; + uint32_t cntr_names_0; + TALLOC_CTX *_mem_save_domain_handle_0; + TALLOC_CTX *_mem_save_names_0; +@@ -7511,16 +7547,18 @@ + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.names)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.names)); +- if (ndr_get_array_length(ndr, &r->in.names) > ndr_get_array_size(ndr, &r->in.names)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.names), ndr_get_array_length(ndr, &r->in.names)); ++ size_names_0 = ndr_get_array_size(ndr, &r->in.names); ++ length_names_0 = ndr_get_array_length(ndr, &r->in.names); ++ if (length_names_0 > size_names_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_names_0, length_names_0); + } +- NDR_PULL_ALLOC_N(ndr, r->in.names, ndr_get_array_size(ndr, &r->in.names)); ++ NDR_PULL_ALLOC_N(ndr, r->in.names, size_names_0); + _mem_save_names_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.names, 0); +- for (cntr_names_0 = 0; cntr_names_0 < ndr_get_array_length(ndr, &r->in.names); cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < length_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->in.names[cntr_names_0])); + } +- for (cntr_names_0 = 0; cntr_names_0 < ndr_get_array_length(ndr, &r->in.names); cntr_names_0++) { ++ for (cntr_names_0 = 0; cntr_names_0 < length_names_0; cntr_names_0++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->in.names[cntr_names_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_names_0, 0); +@@ -7629,6 +7667,8 @@ + + static enum ndr_err_code ndr_pull_samr_LookupRids(struct ndr_pull *ndr, int flags, struct samr_LookupRids *r) + { ++ uint32_t size_rids_0 = 0; ++ uint32_t length_rids_0 = 0; + uint32_t cntr_rids_0; + TALLOC_CTX *_mem_save_domain_handle_0; + TALLOC_CTX *_mem_save_rids_0; +@@ -7650,13 +7690,15 @@ + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.rids)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.rids)); +- if (ndr_get_array_length(ndr, &r->in.rids) > ndr_get_array_size(ndr, &r->in.rids)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.rids), ndr_get_array_length(ndr, &r->in.rids)); ++ size_rids_0 = ndr_get_array_size(ndr, &r->in.rids); ++ length_rids_0 = ndr_get_array_length(ndr, &r->in.rids); ++ if (length_rids_0 > size_rids_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_rids_0, length_rids_0); + } +- NDR_PULL_ALLOC_N(ndr, r->in.rids, ndr_get_array_size(ndr, &r->in.rids)); ++ NDR_PULL_ALLOC_N(ndr, r->in.rids, size_rids_0); + _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.rids, 0); +- for (cntr_rids_0 = 0; cntr_rids_0 < ndr_get_array_length(ndr, &r->in.rids); cntr_rids_0++) { ++ for (cntr_rids_0 = 0; cntr_rids_0 < length_rids_0; cntr_rids_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.rids[cntr_rids_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_0, 0); +@@ -11363,6 +11405,8 @@ + static enum ndr_err_code ndr_pull_samr_Connect2(struct ndr_pull *ndr, int flags, struct samr_Connect2 *r) + { + uint32_t _ptr_system_name; ++ uint32_t size_system_name_1 = 0; ++ uint32_t length_system_name_1 = 0; + TALLOC_CTX *_mem_save_system_name_0; + TALLOC_CTX *_mem_save_connect_handle_0; + if (flags & NDR_IN) { +@@ -11379,11 +11423,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); +- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); ++ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); ++ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); ++ if (length_system_name_1 > size_system_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); + } + NDR_CHECK(ndr_pull_samr_ConnectAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); +@@ -11687,6 +11733,8 @@ + static enum ndr_err_code ndr_pull_samr_Connect3(struct ndr_pull *ndr, int flags, struct samr_Connect3 *r) + { + uint32_t _ptr_system_name; ++ uint32_t size_system_name_1 = 0; ++ uint32_t length_system_name_1 = 0; + TALLOC_CTX *_mem_save_system_name_0; + TALLOC_CTX *_mem_save_connect_handle_0; + if (flags & NDR_IN) { +@@ -11703,11 +11751,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); +- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); ++ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); ++ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); ++ if (length_system_name_1 > size_system_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown)); +@@ -11788,6 +11838,8 @@ + static enum ndr_err_code ndr_pull_samr_Connect4(struct ndr_pull *ndr, int flags, struct samr_Connect4 *r) + { + uint32_t _ptr_system_name; ++ uint32_t size_system_name_1 = 0; ++ uint32_t length_system_name_1 = 0; + TALLOC_CTX *_mem_save_system_name_0; + TALLOC_CTX *_mem_save_connect_handle_0; + if (flags & NDR_IN) { +@@ -11804,11 +11856,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); +- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); ++ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); ++ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); ++ if (length_system_name_1 > size_system_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); + } + NDR_CHECK(ndr_pull_samr_ConnectVersion(ndr, NDR_SCALARS, &r->in.client_version)); +@@ -12188,6 +12242,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_samr_Connect5(struct ndr_pull *ndr, int flags, struct samr_Connect5 *r) + { + uint32_t _ptr_system_name; ++ uint32_t size_system_name_1 = 0; ++ uint32_t length_system_name_1 = 0; + TALLOC_CTX *_mem_save_system_name_0; + TALLOC_CTX *_mem_save_info_in_0; + TALLOC_CTX *_mem_save_level_out_0; +@@ -12207,11 +12263,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.system_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.system_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.system_name)); +- if (ndr_get_array_length(ndr, &r->in.system_name) > ndr_get_array_size(ndr, &r->in.system_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.system_name), ndr_get_array_length(ndr, &r->in.system_name)); ++ size_system_name_1 = ndr_get_array_size(ndr, &r->in.system_name); ++ length_system_name_1 = ndr_get_array_length(ndr, &r->in.system_name); ++ if (length_system_name_1 > size_system_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_system_name_1, length_system_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, ndr_get_array_length(ndr, &r->in.system_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_system_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.system_name, length_system_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_system_name_0, 0); + } + NDR_CHECK(ndr_pull_samr_ConnectAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_schannel.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_schannel.c 2012-04-12 12:09:51.951287485 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_schannel.c 2012-04-12 12:19:20.847301006 -0500 +@@ -42,6 +42,11 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_netlogon_creds_CredentialState(struct ndr_pull *ndr, int ndr_flags, struct netlogon_creds_CredentialState *r) + { ++ uint32_t size_session_key_0 = 0; ++ uint32_t size_computer_name_0 = 0; ++ uint32_t length_computer_name_0 = 0; ++ uint32_t size_account_name_0 = 0; ++ uint32_t length_account_name_0 = 0; + uint32_t _ptr_sid; + TALLOC_CTX *_mem_save_sid_0; + { +@@ -50,7 +55,8 @@ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_netr_NegotiateFlags(ndr, NDR_SCALARS, &r->negotiate_flags)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, 16)); ++ size_session_key_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, size_session_key_0)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sequence)); + NDR_CHECK(ndr_pull_netr_Credential(ndr, NDR_SCALARS, &r->seed)); + NDR_CHECK(ndr_pull_netr_Credential(ndr, NDR_SCALARS, &r->client)); +@@ -58,18 +64,22 @@ + NDR_CHECK(ndr_pull_netr_SchannelType(ndr, NDR_SCALARS, &r->secure_channel_type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->computer_name)); +- if (ndr_get_array_length(ndr, &r->computer_name) > ndr_get_array_size(ndr, &r->computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->computer_name), ndr_get_array_length(ndr, &r->computer_name)); ++ size_computer_name_0 = ndr_get_array_size(ndr, &r->computer_name); ++ length_computer_name_0 = ndr_get_array_length(ndr, &r->computer_name); ++ if (length_computer_name_0 > size_computer_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->computer_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_name, ndr_get_array_length(ndr, &r->computer_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->computer_name, length_computer_name_0, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->account_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->account_name)); +- if (ndr_get_array_length(ndr, &r->account_name) > ndr_get_array_size(ndr, &r->account_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->account_name), ndr_get_array_length(ndr, &r->account_name)); ++ size_account_name_0 = ndr_get_array_size(ndr, &r->account_name); ++ length_account_name_0 = ndr_get_array_length(ndr, &r->account_name); ++ if (length_account_name_0 > size_account_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_name_0, length_account_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->account_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, ndr_get_array_length(ndr, &r->account_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_name_0, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->account_name, length_account_name_0, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sid)); + if (_ptr_sid) { + NDR_PULL_ALLOC(ndr, r->sid); +@@ -537,6 +547,9 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_NL_AUTH_SIGNATURE(struct ndr_pull *ndr, int ndr_flags, struct NL_AUTH_SIGNATURE *r) + { ++ uint32_t size_SequenceNumber_0 = 0; ++ uint32_t size_Checksum_0 = 0; ++ uint32_t size_Confounder_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); +@@ -546,9 +559,12 @@ + NDR_CHECK(ndr_pull_NL_SEAL_ALGORITHM(ndr, NDR_SCALARS, &r->SealAlgorithm)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Pad)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Flags)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SequenceNumber, 8)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, 8)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Confounder, 8)); ++ size_SequenceNumber_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SequenceNumber, size_SequenceNumber_0)); ++ size_Checksum_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, size_Checksum_0)); ++ size_Confounder_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Confounder, size_Confounder_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 3)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -603,6 +619,9 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_NL_AUTH_SHA2_SIGNATURE(struct ndr_pull *ndr, int ndr_flags, struct NL_AUTH_SHA2_SIGNATURE *r) + { ++ uint32_t size_SequenceNumber_0 = 0; ++ uint32_t size_Checksum_0 = 0; ++ uint32_t size_Confounder_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); +@@ -612,9 +631,12 @@ + NDR_CHECK(ndr_pull_NL_SEAL_ALGORITHM(ndr, NDR_SCALARS, &r->SealAlgorithm)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Pad)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->Flags)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SequenceNumber, 8)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, 32)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Confounder, 8)); ++ size_SequenceNumber_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->SequenceNumber, size_SequenceNumber_0)); ++ size_Checksum_0 = 32; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Checksum, size_Checksum_0)); ++ size_Confounder_0 = 8; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->Confounder, size_Confounder_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 3)); + } + if (ndr_flags & NDR_BUFFERS) { +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_secrets.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_secrets.c 2012-04-12 12:09:51.707287480 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_secrets.c 2012-04-12 12:19:20.847301006 -0500 +@@ -33,13 +33,15 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_TRUSTED_DOM_PASS(struct ndr_pull *ndr, int ndr_flags, struct TRUSTED_DOM_PASS *r) + { ++ uint32_t size_uni_name_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->uni_name_len)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->uni_name, 32, sizeof(uint16_t), CH_UTF16)); ++ size_uni_name_0 = 32; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->uni_name, size_uni_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->pass_len)); + { + uint32_t _flags_save_string = ndr->flags; +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_security.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_security.c 2012-04-12 12:09:50.635287454 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_security.c 2012-04-12 12:19:20.847301006 -0500 +@@ -583,6 +583,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_security_acl(struct ndr_pull *ndr, int ndr_flags, struct security_acl *r) + { ++ uint32_t size_aces_0 = 0; + uint32_t cntr_aces_0; + TALLOC_CTX *_mem_save_aces_0; + if (ndr_flags & NDR_SCALARS) { +@@ -593,19 +594,21 @@ + if (r->num_aces > 1000) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_PULL_ALLOC_N(ndr, r->aces, r->num_aces); ++ size_aces_0 = r->num_aces; ++ NDR_PULL_ALLOC_N(ndr, r->aces, size_aces_0); + _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0); +- for (cntr_aces_0 = 0; cntr_aces_0 < r->num_aces; cntr_aces_0++) { ++ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) { + NDR_CHECK(ndr_pull_security_ace(ndr, NDR_SCALARS, &r->aces[cntr_aces_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0, 0); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_aces_0 = r->num_aces; + _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0); +- for (cntr_aces_0 = 0; cntr_aces_0 < r->num_aces; cntr_aces_0++) { ++ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) { + NDR_CHECK(ndr_pull_security_ace(ndr, NDR_BUFFERS, &r->aces[cntr_aces_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0, 0); +@@ -970,16 +973,18 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_security_token(struct ndr_pull *ndr, int ndr_flags, struct security_token *r) + { ++ uint32_t size_sids_0 = 0; + uint32_t cntr_sids_0; + TALLOC_CTX *_mem_save_sids_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_sids)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_0 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_0); + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { ++ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { + NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->sids[cntr_sids_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_0, 0); +@@ -1034,6 +1039,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_security_unix_token(struct ndr_pull *ndr, int ndr_flags, struct security_unix_token *r) + { ++ uint32_t size_groups_0 = 0; + uint32_t cntr_groups_0; + TALLOC_CTX *_mem_save_groups_0; + if (ndr_flags & NDR_SCALARS) { +@@ -1042,10 +1048,11 @@ + NDR_CHECK(ndr_pull_uid_t(ndr, NDR_SCALARS, &r->uid)); + NDR_CHECK(ndr_pull_uid_t(ndr, NDR_SCALARS, &r->gid)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->ngroups)); +- NDR_PULL_ALLOC_N(ndr, r->groups, ndr_get_array_size(ndr, &r->groups)); ++ size_groups_0 = ndr_get_array_size(ndr, &r->groups); ++ NDR_PULL_ALLOC_N(ndr, r->groups, size_groups_0); + _mem_save_groups_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->groups, 0); +- for (cntr_groups_0 = 0; cntr_groups_0 < r->ngroups; cntr_groups_0++) { ++ for (cntr_groups_0 = 0; cntr_groups_0 < size_groups_0; cntr_groups_0++) { + NDR_CHECK(ndr_pull_gid_t(ndr, NDR_SCALARS, &r->groups[cntr_groups_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_groups_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_spoolss.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_spoolss.c 2012-04-12 12:09:50.863287460 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_spoolss.c 2012-04-12 12:19:20.875301006 -0500 +@@ -761,7 +761,9 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_UNIDRVEXTRA(struct ndr_pull *ndr, int ndr_flags, struct spoolss_UNIDRVEXTRA *r) + { ++ uint32_t size_wReserved_0 = 0; + uint32_t cntr_wReserved_0; ++ uint32_t size_aOptions_0 = 0; + uint32_t cntr_aOptions_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +@@ -775,11 +777,13 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->bReversePrint)); + NDR_CHECK(ndr_pull_spoolss_DM_Layout(ndr, NDR_SCALARS, &r->iLayout)); + NDR_CHECK(ndr_pull_spoolss_DMUNI_Quality(ndr, NDR_SCALARS, &r->iQuality)); +- for (cntr_wReserved_0 = 0; cntr_wReserved_0 < 6; cntr_wReserved_0++) { ++ size_wReserved_0 = 6; ++ for (cntr_wReserved_0 = 0; cntr_wReserved_0 < size_wReserved_0; cntr_wReserved_0++) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->wReserved[cntr_wReserved_0])); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->dwOptions)); +- for (cntr_aOptions_0 = 0; cntr_aOptions_0 < 128; cntr_aOptions_0++) { ++ size_aOptions_0 = 128; ++ for (cntr_aOptions_0 = 0; cntr_aOptions_0 < size_aOptions_0; cntr_aOptions_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->aOptions[cntr_aOptions_0])); + } + NDR_CHECK(ndr_pull_spoolss_DM_NupDirection(ndr, NDR_SCALARS, &r->dwNupDirection)); +@@ -1409,9 +1413,12 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_DeviceMode(struct ndr_pull *ndr, int ndr_flags, struct spoolss_DeviceMode *r) + { ++ uint32_t size_devicename_0 = 0; ++ uint32_t size_formname_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_charset_to_null(ndr, NDR_SCALARS, &r->devicename, MAXDEVICENAME, sizeof(uint16_t), CH_UTF16)); ++ size_devicename_0 = MAXDEVICENAME; ++ NDR_CHECK(ndr_pull_charset_to_null(ndr, NDR_SCALARS, &r->devicename, size_devicename_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_spoolss_DeviceModeSpecVersion(ndr, NDR_SCALARS, &r->specversion)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->driverversion)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); +@@ -1430,7 +1437,8 @@ + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->yresolution)); + NDR_CHECK(ndr_pull_spoolss_DeviceModeTTOption(ndr, NDR_SCALARS, &r->ttoption)); + NDR_CHECK(ndr_pull_spoolss_DeviceModeCollate(ndr, NDR_SCALARS, &r->collate)); +- NDR_CHECK(ndr_pull_charset_to_null(ndr, NDR_SCALARS, &r->formname, MAXDEVICENAME, sizeof(uint16_t), CH_UTF16)); ++ size_formname_0 = MAXDEVICENAME; ++ NDR_CHECK(ndr_pull_charset_to_null(ndr, NDR_SCALARS, &r->formname, size_formname_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->logpixels)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->bitsperpel)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->pelswidth)); +@@ -5518,16 +5526,28 @@ + static enum ndr_err_code ndr_pull_spoolss_SetJobInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetJobInfo1 *r) + { + uint32_t _ptr_printer_name; ++ uint32_t size_printer_name_1 = 0; ++ uint32_t length_printer_name_1 = 0; + TALLOC_CTX *_mem_save_printer_name_0; + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + uint32_t _ptr_user_name; ++ uint32_t size_user_name_1 = 0; ++ uint32_t length_user_name_1 = 0; + TALLOC_CTX *_mem_save_user_name_0; + uint32_t _ptr_document_name; ++ uint32_t size_document_name_1 = 0; ++ uint32_t length_document_name_1 = 0; + TALLOC_CTX *_mem_save_document_name_0; + uint32_t _ptr_data_type; ++ uint32_t size_data_type_1 = 0; ++ uint32_t length_data_type_1 = 0; + TALLOC_CTX *_mem_save_data_type_0; + uint32_t _ptr_text_status; ++ uint32_t size_text_status_1 = 0; ++ uint32_t length_text_status_1 = 0; + TALLOC_CTX *_mem_save_text_status_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -5585,11 +5605,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->printer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->printer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->printer_name)); +- if (ndr_get_array_length(ndr, &r->printer_name) > ndr_get_array_size(ndr, &r->printer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printer_name), ndr_get_array_length(ndr, &r->printer_name)); ++ size_printer_name_1 = ndr_get_array_size(ndr, &r->printer_name); ++ length_printer_name_1 = ndr_get_array_length(ndr, &r->printer_name); ++ if (length_printer_name_1 > size_printer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printer_name_1, length_printer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, length_printer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printer_name_0, 0); + } + if (r->server_name) { +@@ -5597,11 +5619,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (r->user_name) { +@@ -5609,11 +5633,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); +- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); ++ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); ++ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); ++ if (length_user_name_1 > size_user_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); + } + if (r->document_name) { +@@ -5621,11 +5647,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); +- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); ++ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); ++ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); ++ if (length_document_name_1 > size_document_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); + } + if (r->data_type) { +@@ -5633,11 +5661,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data_type, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data_type)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data_type)); +- if (ndr_get_array_length(ndr, &r->data_type) > ndr_get_array_size(ndr, &r->data_type)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_type), ndr_get_array_length(ndr, &r->data_type)); ++ size_data_type_1 = ndr_get_array_size(ndr, &r->data_type); ++ length_data_type_1 = ndr_get_array_length(ndr, &r->data_type); ++ if (length_data_type_1 > size_data_type_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); + } + if (r->text_status) { +@@ -5645,11 +5675,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->text_status, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->text_status)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->text_status)); +- if (ndr_get_array_length(ndr, &r->text_status) > ndr_get_array_size(ndr, &r->text_status)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->text_status), ndr_get_array_length(ndr, &r->text_status)); ++ size_text_status_1 = ndr_get_array_size(ndr, &r->text_status); ++ length_text_status_1 = ndr_get_array_length(ndr, &r->text_status); ++ if (length_text_status_1 > size_text_status_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_text_status_1, length_text_status_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_text_status_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, length_text_status_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_text_status_0, 0); + } + } +@@ -5804,24 +5836,44 @@ + static enum ndr_err_code ndr_pull_spoolss_SetJobInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetJobInfo2 *r) + { + uint32_t _ptr_printer_name; ++ uint32_t size_printer_name_1 = 0; ++ uint32_t length_printer_name_1 = 0; + TALLOC_CTX *_mem_save_printer_name_0; + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + uint32_t _ptr_user_name; ++ uint32_t size_user_name_1 = 0; ++ uint32_t length_user_name_1 = 0; + TALLOC_CTX *_mem_save_user_name_0; + uint32_t _ptr_document_name; ++ uint32_t size_document_name_1 = 0; ++ uint32_t length_document_name_1 = 0; + TALLOC_CTX *_mem_save_document_name_0; + uint32_t _ptr_notify_name; ++ uint32_t size_notify_name_1 = 0; ++ uint32_t length_notify_name_1 = 0; + TALLOC_CTX *_mem_save_notify_name_0; + uint32_t _ptr_data_type; ++ uint32_t size_data_type_1 = 0; ++ uint32_t length_data_type_1 = 0; + TALLOC_CTX *_mem_save_data_type_0; + uint32_t _ptr_print_processor; ++ uint32_t size_print_processor_1 = 0; ++ uint32_t length_print_processor_1 = 0; + TALLOC_CTX *_mem_save_print_processor_0; + uint32_t _ptr_parameters; ++ uint32_t size_parameters_1 = 0; ++ uint32_t length_parameters_1 = 0; + TALLOC_CTX *_mem_save_parameters_0; + uint32_t _ptr_driver_name; ++ uint32_t size_driver_name_1 = 0; ++ uint32_t length_driver_name_1 = 0; + TALLOC_CTX *_mem_save_driver_name_0; + uint32_t _ptr_text_status; ++ uint32_t size_text_status_1 = 0; ++ uint32_t length_text_status_1 = 0; + TALLOC_CTX *_mem_save_text_status_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -5909,11 +5961,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->printer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->printer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->printer_name)); +- if (ndr_get_array_length(ndr, &r->printer_name) > ndr_get_array_size(ndr, &r->printer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printer_name), ndr_get_array_length(ndr, &r->printer_name)); ++ size_printer_name_1 = ndr_get_array_size(ndr, &r->printer_name); ++ length_printer_name_1 = ndr_get_array_length(ndr, &r->printer_name); ++ if (length_printer_name_1 > size_printer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printer_name_1, length_printer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, length_printer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printer_name_0, 0); + } + if (r->server_name) { +@@ -5921,11 +5975,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (r->user_name) { +@@ -5933,11 +5989,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); +- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); ++ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); ++ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); ++ if (length_user_name_1 > size_user_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); + } + if (r->document_name) { +@@ -5945,11 +6003,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); +- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); ++ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); ++ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); ++ if (length_document_name_1 > size_document_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); + } + if (r->notify_name) { +@@ -5957,11 +6017,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->notify_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->notify_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->notify_name)); +- if (ndr_get_array_length(ndr, &r->notify_name) > ndr_get_array_size(ndr, &r->notify_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->notify_name), ndr_get_array_length(ndr, &r->notify_name)); ++ size_notify_name_1 = ndr_get_array_size(ndr, &r->notify_name); ++ length_notify_name_1 = ndr_get_array_length(ndr, &r->notify_name); ++ if (length_notify_name_1 > size_notify_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_notify_name_1, length_notify_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_notify_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, length_notify_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notify_name_0, 0); + } + if (r->data_type) { +@@ -5969,11 +6031,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data_type, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data_type)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data_type)); +- if (ndr_get_array_length(ndr, &r->data_type) > ndr_get_array_size(ndr, &r->data_type)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_type), ndr_get_array_length(ndr, &r->data_type)); ++ size_data_type_1 = ndr_get_array_size(ndr, &r->data_type); ++ length_data_type_1 = ndr_get_array_length(ndr, &r->data_type); ++ if (length_data_type_1 > size_data_type_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); + } + if (r->print_processor) { +@@ -5981,11 +6045,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->print_processor, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->print_processor)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->print_processor)); +- if (ndr_get_array_length(ndr, &r->print_processor) > ndr_get_array_size(ndr, &r->print_processor)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->print_processor), ndr_get_array_length(ndr, &r->print_processor)); ++ size_print_processor_1 = ndr_get_array_size(ndr, &r->print_processor); ++ length_print_processor_1 = ndr_get_array_length(ndr, &r->print_processor); ++ if (length_print_processor_1 > size_print_processor_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_1, length_print_processor_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, length_print_processor_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_0, 0); + } + if (r->parameters) { +@@ -5993,11 +6059,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->parameters, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->parameters)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->parameters)); +- if (ndr_get_array_length(ndr, &r->parameters) > ndr_get_array_size(ndr, &r->parameters)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->parameters), ndr_get_array_length(ndr, &r->parameters)); ++ size_parameters_1 = ndr_get_array_size(ndr, &r->parameters); ++ length_parameters_1 = ndr_get_array_length(ndr, &r->parameters); ++ if (length_parameters_1 > size_parameters_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parameters_1, length_parameters_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_parameters_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, length_parameters_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parameters_0, 0); + } + if (r->driver_name) { +@@ -6005,11 +6073,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); +- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); ++ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); ++ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); ++ if (length_driver_name_1 > size_driver_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); + } + if (r->text_status) { +@@ -6017,11 +6087,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->text_status, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->text_status)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->text_status)); +- if (ndr_get_array_length(ndr, &r->text_status) > ndr_get_array_size(ndr, &r->text_status)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->text_status), ndr_get_array_length(ndr, &r->text_status)); ++ size_text_status_1 = ndr_get_array_size(ndr, &r->text_status); ++ length_text_status_1 = ndr_get_array_length(ndr, &r->text_status); ++ if (length_text_status_1 > size_text_status_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_text_status_1, length_text_status_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_text_status_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, length_text_status_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_text_status_0, 0); + } + } +@@ -6207,24 +6279,44 @@ + static enum ndr_err_code ndr_pull_spoolss_SetJobInfo4(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetJobInfo4 *r) + { + uint32_t _ptr_printer_name; ++ uint32_t size_printer_name_1 = 0; ++ uint32_t length_printer_name_1 = 0; + TALLOC_CTX *_mem_save_printer_name_0; + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + uint32_t _ptr_user_name; ++ uint32_t size_user_name_1 = 0; ++ uint32_t length_user_name_1 = 0; + TALLOC_CTX *_mem_save_user_name_0; + uint32_t _ptr_document_name; ++ uint32_t size_document_name_1 = 0; ++ uint32_t length_document_name_1 = 0; + TALLOC_CTX *_mem_save_document_name_0; + uint32_t _ptr_notify_name; ++ uint32_t size_notify_name_1 = 0; ++ uint32_t length_notify_name_1 = 0; + TALLOC_CTX *_mem_save_notify_name_0; + uint32_t _ptr_data_type; ++ uint32_t size_data_type_1 = 0; ++ uint32_t length_data_type_1 = 0; + TALLOC_CTX *_mem_save_data_type_0; + uint32_t _ptr_print_processor; ++ uint32_t size_print_processor_1 = 0; ++ uint32_t length_print_processor_1 = 0; + TALLOC_CTX *_mem_save_print_processor_0; + uint32_t _ptr_parameters; ++ uint32_t size_parameters_1 = 0; ++ uint32_t length_parameters_1 = 0; + TALLOC_CTX *_mem_save_parameters_0; + uint32_t _ptr_driver_name; ++ uint32_t size_driver_name_1 = 0; ++ uint32_t length_driver_name_1 = 0; + TALLOC_CTX *_mem_save_driver_name_0; + uint32_t _ptr_text_status; ++ uint32_t size_text_status_1 = 0; ++ uint32_t length_text_status_1 = 0; + TALLOC_CTX *_mem_save_text_status_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -6313,11 +6405,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->printer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->printer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->printer_name)); +- if (ndr_get_array_length(ndr, &r->printer_name) > ndr_get_array_size(ndr, &r->printer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printer_name), ndr_get_array_length(ndr, &r->printer_name)); ++ size_printer_name_1 = ndr_get_array_size(ndr, &r->printer_name); ++ length_printer_name_1 = ndr_get_array_length(ndr, &r->printer_name); ++ if (length_printer_name_1 > size_printer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printer_name_1, length_printer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, ndr_get_array_length(ndr, &r->printer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printer_name, length_printer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printer_name_0, 0); + } + if (r->server_name) { +@@ -6325,11 +6419,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (r->user_name) { +@@ -6337,11 +6433,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); +- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); ++ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); ++ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); ++ if (length_user_name_1 > size_user_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); + } + if (r->document_name) { +@@ -6349,11 +6447,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); +- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); ++ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); ++ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); ++ if (length_document_name_1 > size_document_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); + } + if (r->notify_name) { +@@ -6361,11 +6461,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->notify_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->notify_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->notify_name)); +- if (ndr_get_array_length(ndr, &r->notify_name) > ndr_get_array_size(ndr, &r->notify_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->notify_name), ndr_get_array_length(ndr, &r->notify_name)); ++ size_notify_name_1 = ndr_get_array_size(ndr, &r->notify_name); ++ length_notify_name_1 = ndr_get_array_length(ndr, &r->notify_name); ++ if (length_notify_name_1 > size_notify_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_notify_name_1, length_notify_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, ndr_get_array_length(ndr, &r->notify_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_notify_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->notify_name, length_notify_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notify_name_0, 0); + } + if (r->data_type) { +@@ -6373,11 +6475,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data_type, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data_type)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data_type)); +- if (ndr_get_array_length(ndr, &r->data_type) > ndr_get_array_size(ndr, &r->data_type)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_type), ndr_get_array_length(ndr, &r->data_type)); ++ size_data_type_1 = ndr_get_array_size(ndr, &r->data_type); ++ length_data_type_1 = ndr_get_array_length(ndr, &r->data_type); ++ if (length_data_type_1 > size_data_type_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, ndr_get_array_length(ndr, &r->data_type), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); + } + if (r->print_processor) { +@@ -6385,11 +6489,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->print_processor, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->print_processor)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->print_processor)); +- if (ndr_get_array_length(ndr, &r->print_processor) > ndr_get_array_size(ndr, &r->print_processor)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->print_processor), ndr_get_array_length(ndr, &r->print_processor)); ++ size_print_processor_1 = ndr_get_array_size(ndr, &r->print_processor); ++ length_print_processor_1 = ndr_get_array_length(ndr, &r->print_processor); ++ if (length_print_processor_1 > size_print_processor_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_1, length_print_processor_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, length_print_processor_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_0, 0); + } + if (r->parameters) { +@@ -6397,11 +6503,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->parameters, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->parameters)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->parameters)); +- if (ndr_get_array_length(ndr, &r->parameters) > ndr_get_array_size(ndr, &r->parameters)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->parameters), ndr_get_array_length(ndr, &r->parameters)); ++ size_parameters_1 = ndr_get_array_size(ndr, &r->parameters); ++ length_parameters_1 = ndr_get_array_length(ndr, &r->parameters); ++ if (length_parameters_1 > size_parameters_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parameters_1, length_parameters_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_parameters_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, length_parameters_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parameters_0, 0); + } + if (r->driver_name) { +@@ -6409,11 +6517,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); +- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); ++ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); ++ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); ++ if (length_driver_name_1 > size_driver_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); + } + if (r->text_status) { +@@ -6421,11 +6531,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->text_status, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->text_status)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->text_status)); +- if (ndr_get_array_length(ndr, &r->text_status) > ndr_get_array_size(ndr, &r->text_status)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->text_status), ndr_get_array_length(ndr, &r->text_status)); ++ size_text_status_1 = ndr_get_array_size(ndr, &r->text_status); ++ length_text_status_1 = ndr_get_array_length(ndr, &r->text_status); ++ if (length_text_status_1 > size_text_status_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_text_status_1, length_text_status_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, ndr_get_array_length(ndr, &r->text_status), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_text_status_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->text_status, length_text_status_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_text_status_0, 0); + } + } +@@ -6583,9 +6695,13 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + TALLOC_CTX *_mem_save_info3_0; ++ uint32_t _ptr_info3; + TALLOC_CTX *_mem_save_info4_0; ++ uint32_t _ptr_info4; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -6596,7 +6712,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -6606,7 +6721,6 @@ + break; } + + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -6616,7 +6730,6 @@ + break; } + + case 3: { +- uint32_t _ptr_info3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); + if (_ptr_info3) { + NDR_PULL_ALLOC(ndr, r->info3); +@@ -6626,7 +6739,6 @@ + break; } + + case 4: { +- uint32_t _ptr_info4; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); + if (_ptr_info4) { + NDR_PULL_ALLOC(ndr, r->info4); +@@ -6890,8 +7002,12 @@ + static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo0(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo0 *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + uint32_t _ptr_printername; ++ uint32_t size_printername_1 = 0; ++ uint32_t length_printername_1 = 0; + TALLOC_CTX *_mem_save_printername_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -6942,11 +7058,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->servername)); +- if (ndr_get_array_length(ndr, &r->servername) > ndr_get_array_size(ndr, &r->servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->servername), ndr_get_array_length(ndr, &r->servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + if (r->printername) { +@@ -6954,11 +7072,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); +- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); ++ size_printername_1 = ndr_get_array_size(ndr, &r->printername); ++ length_printername_1 = ndr_get_array_length(ndr, &r->printername); ++ if (length_printername_1 > size_printername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); + } + } +@@ -7048,10 +7168,16 @@ + static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo1 *r) + { + uint32_t _ptr_description; ++ uint32_t size_description_1 = 0; ++ uint32_t length_description_1 = 0; + TALLOC_CTX *_mem_save_description_0; + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7082,11 +7208,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->description, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->description)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->description)); +- if (ndr_get_array_length(ndr, &r->description) > ndr_get_array_size(ndr, &r->description)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->description), ndr_get_array_length(ndr, &r->description)); ++ size_description_1 = ndr_get_array_size(ndr, &r->description); ++ length_description_1 = ndr_get_array_length(ndr, &r->description); ++ if (length_description_1 > size_description_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_description_1, length_description_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->description), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->description, ndr_get_array_length(ndr, &r->description), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_description_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->description, length_description_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_description_0, 0); + } + if (r->name) { +@@ -7094,11 +7222,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->comment) { +@@ -7106,11 +7236,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -7245,26 +7377,48 @@ + static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo2 *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + uint32_t _ptr_printername; ++ uint32_t size_printername_1 = 0; ++ uint32_t length_printername_1 = 0; + TALLOC_CTX *_mem_save_printername_0; + uint32_t _ptr_sharename; ++ uint32_t size_sharename_1 = 0; ++ uint32_t length_sharename_1 = 0; + TALLOC_CTX *_mem_save_sharename_0; + uint32_t _ptr_portname; ++ uint32_t size_portname_1 = 0; ++ uint32_t length_portname_1 = 0; + TALLOC_CTX *_mem_save_portname_0; + uint32_t _ptr_drivername; ++ uint32_t size_drivername_1 = 0; ++ uint32_t length_drivername_1 = 0; + TALLOC_CTX *_mem_save_drivername_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + uint32_t _ptr_location; ++ uint32_t size_location_1 = 0; ++ uint32_t length_location_1 = 0; + TALLOC_CTX *_mem_save_location_0; + uint32_t _ptr_sepfile; ++ uint32_t size_sepfile_1 = 0; ++ uint32_t length_sepfile_1 = 0; + TALLOC_CTX *_mem_save_sepfile_0; + uint32_t _ptr_printprocessor; ++ uint32_t size_printprocessor_1 = 0; ++ uint32_t length_printprocessor_1 = 0; + TALLOC_CTX *_mem_save_printprocessor_0; + uint32_t _ptr_datatype; ++ uint32_t size_datatype_1 = 0; ++ uint32_t length_datatype_1 = 0; + TALLOC_CTX *_mem_save_datatype_0; + uint32_t _ptr_parameters; ++ uint32_t size_parameters_1 = 0; ++ uint32_t length_parameters_1 = 0; + TALLOC_CTX *_mem_save_parameters_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7355,11 +7509,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->servername)); +- if (ndr_get_array_length(ndr, &r->servername) > ndr_get_array_size(ndr, &r->servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->servername), ndr_get_array_length(ndr, &r->servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + if (r->printername) { +@@ -7367,11 +7523,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); +- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); ++ size_printername_1 = ndr_get_array_size(ndr, &r->printername); ++ length_printername_1 = ndr_get_array_length(ndr, &r->printername); ++ if (length_printername_1 > size_printername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); + } + if (r->sharename) { +@@ -7379,11 +7537,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->sharename, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sharename)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->sharename)); +- if (ndr_get_array_length(ndr, &r->sharename) > ndr_get_array_size(ndr, &r->sharename)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->sharename), ndr_get_array_length(ndr, &r->sharename)); ++ size_sharename_1 = ndr_get_array_size(ndr, &r->sharename); ++ length_sharename_1 = ndr_get_array_length(ndr, &r->sharename); ++ if (length_sharename_1 > size_sharename_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sharename_1, length_sharename_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->sharename), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sharename, ndr_get_array_length(ndr, &r->sharename), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_sharename_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sharename, length_sharename_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sharename_0, 0); + } + if (r->portname) { +@@ -7391,11 +7551,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->portname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->portname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->portname)); +- if (ndr_get_array_length(ndr, &r->portname) > ndr_get_array_size(ndr, &r->portname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->portname), ndr_get_array_length(ndr, &r->portname)); ++ size_portname_1 = ndr_get_array_size(ndr, &r->portname); ++ length_portname_1 = ndr_get_array_length(ndr, &r->portname); ++ if (length_portname_1 > size_portname_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_portname_1, length_portname_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_portname_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, length_portname_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_portname_0, 0); + } + if (r->drivername) { +@@ -7403,11 +7565,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->drivername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->drivername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->drivername)); +- if (ndr_get_array_length(ndr, &r->drivername) > ndr_get_array_size(ndr, &r->drivername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->drivername), ndr_get_array_length(ndr, &r->drivername)); ++ size_drivername_1 = ndr_get_array_size(ndr, &r->drivername); ++ length_drivername_1 = ndr_get_array_length(ndr, &r->drivername); ++ if (length_drivername_1 > size_drivername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_drivername_1, length_drivername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->drivername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->drivername, ndr_get_array_length(ndr, &r->drivername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_drivername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->drivername, length_drivername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_drivername_0, 0); + } + if (r->comment) { +@@ -7415,11 +7579,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + if (r->location) { +@@ -7427,11 +7593,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->location, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->location)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->location)); +- if (ndr_get_array_length(ndr, &r->location) > ndr_get_array_size(ndr, &r->location)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->location), ndr_get_array_length(ndr, &r->location)); ++ size_location_1 = ndr_get_array_size(ndr, &r->location); ++ length_location_1 = ndr_get_array_length(ndr, &r->location); ++ if (length_location_1 > size_location_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_location_1, length_location_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->location), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->location, ndr_get_array_length(ndr, &r->location), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_location_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->location, length_location_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_location_0, 0); + } + if (r->sepfile) { +@@ -7439,11 +7607,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->sepfile, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->sepfile)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->sepfile)); +- if (ndr_get_array_length(ndr, &r->sepfile) > ndr_get_array_size(ndr, &r->sepfile)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->sepfile), ndr_get_array_length(ndr, &r->sepfile)); ++ size_sepfile_1 = ndr_get_array_size(ndr, &r->sepfile); ++ length_sepfile_1 = ndr_get_array_length(ndr, &r->sepfile); ++ if (length_sepfile_1 > size_sepfile_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_sepfile_1, length_sepfile_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->sepfile), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sepfile, ndr_get_array_length(ndr, &r->sepfile), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_sepfile_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->sepfile, length_sepfile_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sepfile_0, 0); + } + if (r->printprocessor) { +@@ -7451,11 +7621,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->printprocessor, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->printprocessor)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->printprocessor)); +- if (ndr_get_array_length(ndr, &r->printprocessor) > ndr_get_array_size(ndr, &r->printprocessor)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printprocessor), ndr_get_array_length(ndr, &r->printprocessor)); ++ size_printprocessor_1 = ndr_get_array_size(ndr, &r->printprocessor); ++ length_printprocessor_1 = ndr_get_array_length(ndr, &r->printprocessor); ++ if (length_printprocessor_1 > size_printprocessor_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printprocessor_1, length_printprocessor_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printprocessor), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printprocessor, ndr_get_array_length(ndr, &r->printprocessor), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printprocessor_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printprocessor, length_printprocessor_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printprocessor_0, 0); + } + if (r->datatype) { +@@ -7463,11 +7635,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->datatype, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->datatype)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->datatype)); +- if (ndr_get_array_length(ndr, &r->datatype) > ndr_get_array_size(ndr, &r->datatype)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->datatype), ndr_get_array_length(ndr, &r->datatype)); ++ size_datatype_1 = ndr_get_array_size(ndr, &r->datatype); ++ length_datatype_1 = ndr_get_array_length(ndr, &r->datatype); ++ if (length_datatype_1 > size_datatype_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_datatype_1, length_datatype_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_datatype_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, length_datatype_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_datatype_0, 0); + } + if (r->parameters) { +@@ -7475,11 +7649,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->parameters, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->parameters)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->parameters)); +- if (ndr_get_array_length(ndr, &r->parameters) > ndr_get_array_size(ndr, &r->parameters)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->parameters), ndr_get_array_length(ndr, &r->parameters)); ++ size_parameters_1 = ndr_get_array_size(ndr, &r->parameters); ++ length_parameters_1 = ndr_get_array_length(ndr, &r->parameters); ++ if (length_parameters_1 > size_parameters_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_parameters_1, length_parameters_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, ndr_get_array_length(ndr, &r->parameters), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_parameters_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->parameters, length_parameters_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_parameters_0, 0); + } + } +@@ -7632,8 +7808,12 @@ + static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo4(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo4 *r) + { + uint32_t _ptr_printername; ++ uint32_t size_printername_1 = 0; ++ uint32_t length_printername_1 = 0; + TALLOC_CTX *_mem_save_printername_0; + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7658,11 +7838,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); +- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); ++ size_printername_1 = ndr_get_array_size(ndr, &r->printername); ++ length_printername_1 = ndr_get_array_length(ndr, &r->printername); ++ if (length_printername_1 > size_printername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); + } + if (r->servername) { +@@ -7670,11 +7852,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->servername)); +- if (ndr_get_array_length(ndr, &r->servername) > ndr_get_array_size(ndr, &r->servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->servername), ndr_get_array_length(ndr, &r->servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, ndr_get_array_length(ndr, &r->servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + } +@@ -7733,8 +7917,12 @@ + static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo5(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo5 *r) + { + uint32_t _ptr_printername; ++ uint32_t size_printername_1 = 0; ++ uint32_t length_printername_1 = 0; + TALLOC_CTX *_mem_save_printername_0; + uint32_t _ptr_portname; ++ uint32_t size_portname_1 = 0; ++ uint32_t length_portname_1 = 0; + TALLOC_CTX *_mem_save_portname_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7761,11 +7949,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->printername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->printername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->printername)); +- if (ndr_get_array_length(ndr, &r->printername) > ndr_get_array_size(ndr, &r->printername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->printername), ndr_get_array_length(ndr, &r->printername)); ++ size_printername_1 = ndr_get_array_size(ndr, &r->printername); ++ length_printername_1 = ndr_get_array_length(ndr, &r->printername); ++ if (length_printername_1 > size_printername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, ndr_get_array_length(ndr, &r->printername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); + } + if (r->portname) { +@@ -7773,11 +7963,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->portname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->portname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->portname)); +- if (ndr_get_array_length(ndr, &r->portname) > ndr_get_array_size(ndr, &r->portname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->portname), ndr_get_array_length(ndr, &r->portname)); ++ size_portname_1 = ndr_get_array_size(ndr, &r->portname); ++ length_portname_1 = ndr_get_array_length(ndr, &r->portname); ++ if (length_portname_1 > size_portname_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_portname_1, length_portname_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, ndr_get_array_length(ndr, &r->portname), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_portname_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, length_portname_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_portname_0, 0); + } + } +@@ -7862,6 +8054,8 @@ + static enum ndr_err_code ndr_pull_spoolss_SetPrinterInfo7(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPrinterInfo7 *r) + { + uint32_t _ptr_guid; ++ uint32_t size_guid_1 = 0; ++ uint32_t length_guid_1 = 0; + TALLOC_CTX *_mem_save_guid_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7880,11 +8074,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->guid, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->guid)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->guid)); +- if (ndr_get_array_length(ndr, &r->guid) > ndr_get_array_size(ndr, &r->guid)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->guid), ndr_get_array_length(ndr, &r->guid)); ++ size_guid_1 = ndr_get_array_size(ndr, &r->guid); ++ length_guid_1 = ndr_get_array_length(ndr, &r->guid); ++ if (length_guid_1 > size_guid_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_guid_1, length_guid_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->guid), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guid, ndr_get_array_length(ndr, &r->guid), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_guid_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guid, length_guid_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guid_0, 0); + } + } +@@ -8101,15 +8297,25 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info0_0; ++ uint32_t _ptr_info0; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + TALLOC_CTX *_mem_save_info3_0; ++ uint32_t _ptr_info3; + TALLOC_CTX *_mem_save_info4_0; ++ uint32_t _ptr_info4; + TALLOC_CTX *_mem_save_info5_0; ++ uint32_t _ptr_info5; + TALLOC_CTX *_mem_save_info6_0; ++ uint32_t _ptr_info6; + TALLOC_CTX *_mem_save_info7_0; ++ uint32_t _ptr_info7; + TALLOC_CTX *_mem_save_info8_0; ++ uint32_t _ptr_info8; + TALLOC_CTX *_mem_save_info9_0; ++ uint32_t _ptr_info9; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -8120,7 +8326,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_info0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); + if (_ptr_info0) { + NDR_PULL_ALLOC(ndr, r->info0); +@@ -8130,7 +8335,6 @@ + break; } + + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -8140,7 +8344,6 @@ + break; } + + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -8150,7 +8353,6 @@ + break; } + + case 3: { +- uint32_t _ptr_info3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); + if (_ptr_info3) { + NDR_PULL_ALLOC(ndr, r->info3); +@@ -8160,7 +8362,6 @@ + break; } + + case 4: { +- uint32_t _ptr_info4; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); + if (_ptr_info4) { + NDR_PULL_ALLOC(ndr, r->info4); +@@ -8170,7 +8371,6 @@ + break; } + + case 5: { +- uint32_t _ptr_info5; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info5)); + if (_ptr_info5) { + NDR_PULL_ALLOC(ndr, r->info5); +@@ -8180,7 +8380,6 @@ + break; } + + case 6: { +- uint32_t _ptr_info6; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); + if (_ptr_info6) { + NDR_PULL_ALLOC(ndr, r->info6); +@@ -8190,7 +8389,6 @@ + break; } + + case 7: { +- uint32_t _ptr_info7; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info7)); + if (_ptr_info7) { + NDR_PULL_ALLOC(ndr, r->info7); +@@ -8200,7 +8398,6 @@ + break; } + + case 8: { +- uint32_t _ptr_info8; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info8)); + if (_ptr_info8) { + NDR_PULL_ALLOC(ndr, r->info8); +@@ -8210,7 +8407,6 @@ + break; } + + case 9: { +- uint32_t _ptr_info9; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info9)); + if (_ptr_info9) { + NDR_PULL_ALLOC(ndr, r->info9); +@@ -8534,6 +8730,8 @@ + static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo1 *r) + { + uint32_t _ptr_driver_name; ++ uint32_t size_driver_name_1 = 0; ++ uint32_t length_driver_name_1 = 0; + TALLOC_CTX *_mem_save_driver_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -8551,11 +8749,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); +- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); ++ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); ++ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); ++ if (length_driver_name_1 > size_driver_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); + } + } +@@ -8653,14 +8853,24 @@ + static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo2 *r) + { + uint32_t _ptr_driver_name; ++ uint32_t size_driver_name_1 = 0; ++ uint32_t length_driver_name_1 = 0; + TALLOC_CTX *_mem_save_driver_name_0; + uint32_t _ptr_architecture; ++ uint32_t size_architecture_1 = 0; ++ uint32_t length_architecture_1 = 0; + TALLOC_CTX *_mem_save_architecture_0; + uint32_t _ptr_driver_path; ++ uint32_t size_driver_path_1 = 0; ++ uint32_t length_driver_path_1 = 0; + TALLOC_CTX *_mem_save_driver_path_0; + uint32_t _ptr_data_file; ++ uint32_t size_data_file_1 = 0; ++ uint32_t length_data_file_1 = 0; + TALLOC_CTX *_mem_save_data_file_0; + uint32_t _ptr_config_file; ++ uint32_t size_config_file_1 = 0; ++ uint32_t length_config_file_1 = 0; + TALLOC_CTX *_mem_save_config_file_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -8703,11 +8913,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); +- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); ++ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); ++ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); ++ if (length_driver_name_1 > size_driver_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); + } + if (r->architecture) { +@@ -8715,11 +8927,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); +- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); ++ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); ++ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); ++ if (length_architecture_1 > size_architecture_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); + } + if (r->driver_path) { +@@ -8727,11 +8941,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); +- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); ++ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); ++ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); ++ if (length_driver_path_1 > size_driver_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); + } + if (r->data_file) { +@@ -8739,11 +8955,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); +- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); ++ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); ++ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); ++ if (length_data_file_1 > size_data_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); + } + if (r->config_file) { +@@ -8751,11 +8969,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); +- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); ++ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); ++ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); ++ if (length_config_file_1 > size_config_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); + } + } +@@ -8877,20 +9097,36 @@ + static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo3(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo3 *r) + { + uint32_t _ptr_driver_name; ++ uint32_t size_driver_name_1 = 0; ++ uint32_t length_driver_name_1 = 0; + TALLOC_CTX *_mem_save_driver_name_0; + uint32_t _ptr_architecture; ++ uint32_t size_architecture_1 = 0; ++ uint32_t length_architecture_1 = 0; + TALLOC_CTX *_mem_save_architecture_0; + uint32_t _ptr_driver_path; ++ uint32_t size_driver_path_1 = 0; ++ uint32_t length_driver_path_1 = 0; + TALLOC_CTX *_mem_save_driver_path_0; + uint32_t _ptr_data_file; ++ uint32_t size_data_file_1 = 0; ++ uint32_t length_data_file_1 = 0; + TALLOC_CTX *_mem_save_data_file_0; + uint32_t _ptr_config_file; ++ uint32_t size_config_file_1 = 0; ++ uint32_t length_config_file_1 = 0; + TALLOC_CTX *_mem_save_config_file_0; + uint32_t _ptr_help_file; ++ uint32_t size_help_file_1 = 0; ++ uint32_t length_help_file_1 = 0; + TALLOC_CTX *_mem_save_help_file_0; + uint32_t _ptr_monitor_name; ++ uint32_t size_monitor_name_1 = 0; ++ uint32_t length_monitor_name_1 = 0; + TALLOC_CTX *_mem_save_monitor_name_0; + uint32_t _ptr_default_datatype; ++ uint32_t size_default_datatype_1 = 0; ++ uint32_t length_default_datatype_1 = 0; + TALLOC_CTX *_mem_save_default_datatype_0; + uint32_t _ptr_dependent_files; + TALLOC_CTX *_mem_save_dependent_files_0; +@@ -8960,11 +9196,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); +- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); ++ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); ++ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); ++ if (length_driver_name_1 > size_driver_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); + } + if (r->architecture) { +@@ -8972,11 +9210,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); +- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); ++ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); ++ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); ++ if (length_architecture_1 > size_architecture_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); + } + if (r->driver_path) { +@@ -8984,11 +9224,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); +- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); ++ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); ++ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); ++ if (length_driver_path_1 > size_driver_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); + } + if (r->data_file) { +@@ -8996,11 +9238,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); +- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); ++ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); ++ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); ++ if (length_data_file_1 > size_data_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); + } + if (r->config_file) { +@@ -9008,11 +9252,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); +- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); ++ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); ++ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); ++ if (length_config_file_1 > size_config_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); + } + if (r->help_file) { +@@ -9020,11 +9266,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); +- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); ++ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); ++ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); ++ if (length_help_file_1 > size_help_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); + } + if (r->monitor_name) { +@@ -9032,11 +9280,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); +- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); ++ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); ++ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); ++ if (length_monitor_name_1 > size_monitor_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); + } + if (r->default_datatype) { +@@ -9044,11 +9294,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); +- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); ++ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); ++ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); ++ if (length_default_datatype_1 > size_default_datatype_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); + } + if (r->dependent_files) { +@@ -9206,20 +9458,36 @@ + static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo4(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo4 *r) + { + uint32_t _ptr_driver_name; ++ uint32_t size_driver_name_1 = 0; ++ uint32_t length_driver_name_1 = 0; + TALLOC_CTX *_mem_save_driver_name_0; + uint32_t _ptr_architecture; ++ uint32_t size_architecture_1 = 0; ++ uint32_t length_architecture_1 = 0; + TALLOC_CTX *_mem_save_architecture_0; + uint32_t _ptr_driver_path; ++ uint32_t size_driver_path_1 = 0; ++ uint32_t length_driver_path_1 = 0; + TALLOC_CTX *_mem_save_driver_path_0; + uint32_t _ptr_data_file; ++ uint32_t size_data_file_1 = 0; ++ uint32_t length_data_file_1 = 0; + TALLOC_CTX *_mem_save_data_file_0; + uint32_t _ptr_config_file; ++ uint32_t size_config_file_1 = 0; ++ uint32_t length_config_file_1 = 0; + TALLOC_CTX *_mem_save_config_file_0; + uint32_t _ptr_help_file; ++ uint32_t size_help_file_1 = 0; ++ uint32_t length_help_file_1 = 0; + TALLOC_CTX *_mem_save_help_file_0; + uint32_t _ptr_monitor_name; ++ uint32_t size_monitor_name_1 = 0; ++ uint32_t length_monitor_name_1 = 0; + TALLOC_CTX *_mem_save_monitor_name_0; + uint32_t _ptr_default_datatype; ++ uint32_t size_default_datatype_1 = 0; ++ uint32_t length_default_datatype_1 = 0; + TALLOC_CTX *_mem_save_default_datatype_0; + uint32_t _ptr_dependent_files; + TALLOC_CTX *_mem_save_dependent_files_0; +@@ -9298,11 +9566,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); +- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); ++ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); ++ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); ++ if (length_driver_name_1 > size_driver_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); + } + if (r->architecture) { +@@ -9310,11 +9580,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); +- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); ++ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); ++ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); ++ if (length_architecture_1 > size_architecture_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); + } + if (r->driver_path) { +@@ -9322,11 +9594,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); +- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); ++ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); ++ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); ++ if (length_driver_path_1 > size_driver_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); + } + if (r->data_file) { +@@ -9334,11 +9608,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); +- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); ++ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); ++ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); ++ if (length_data_file_1 > size_data_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); + } + if (r->config_file) { +@@ -9346,11 +9622,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); +- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); ++ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); ++ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); ++ if (length_config_file_1 > size_config_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); + } + if (r->help_file) { +@@ -9358,11 +9636,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); +- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); ++ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); ++ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); ++ if (length_help_file_1 > size_help_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); + } + if (r->monitor_name) { +@@ -9370,11 +9650,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); +- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); ++ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); ++ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); ++ if (length_monitor_name_1 > size_monitor_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); + } + if (r->default_datatype) { +@@ -9382,11 +9664,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); +- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); ++ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); ++ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); ++ if (length_default_datatype_1 > size_default_datatype_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); + } + if (r->dependent_files) { +@@ -9609,32 +9893,56 @@ + static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo6(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo6 *r) + { + uint32_t _ptr_driver_name; ++ uint32_t size_driver_name_1 = 0; ++ uint32_t length_driver_name_1 = 0; + TALLOC_CTX *_mem_save_driver_name_0; + uint32_t _ptr_architecture; ++ uint32_t size_architecture_1 = 0; ++ uint32_t length_architecture_1 = 0; + TALLOC_CTX *_mem_save_architecture_0; + uint32_t _ptr_driver_path; ++ uint32_t size_driver_path_1 = 0; ++ uint32_t length_driver_path_1 = 0; + TALLOC_CTX *_mem_save_driver_path_0; + uint32_t _ptr_data_file; ++ uint32_t size_data_file_1 = 0; ++ uint32_t length_data_file_1 = 0; + TALLOC_CTX *_mem_save_data_file_0; + uint32_t _ptr_config_file; ++ uint32_t size_config_file_1 = 0; ++ uint32_t length_config_file_1 = 0; + TALLOC_CTX *_mem_save_config_file_0; + uint32_t _ptr_help_file; ++ uint32_t size_help_file_1 = 0; ++ uint32_t length_help_file_1 = 0; + TALLOC_CTX *_mem_save_help_file_0; + uint32_t _ptr_monitor_name; ++ uint32_t size_monitor_name_1 = 0; ++ uint32_t length_monitor_name_1 = 0; + TALLOC_CTX *_mem_save_monitor_name_0; + uint32_t _ptr_default_datatype; ++ uint32_t size_default_datatype_1 = 0; ++ uint32_t length_default_datatype_1 = 0; + TALLOC_CTX *_mem_save_default_datatype_0; + uint32_t _ptr_dependent_files; + TALLOC_CTX *_mem_save_dependent_files_0; + uint32_t _ptr_previous_names; + TALLOC_CTX *_mem_save_previous_names_0; + uint32_t _ptr_manufacturer_name; ++ uint32_t size_manufacturer_name_1 = 0; ++ uint32_t length_manufacturer_name_1 = 0; + TALLOC_CTX *_mem_save_manufacturer_name_0; + uint32_t _ptr_manufacturer_url; ++ uint32_t size_manufacturer_url_1 = 0; ++ uint32_t length_manufacturer_url_1 = 0; + TALLOC_CTX *_mem_save_manufacturer_url_0; + uint32_t _ptr_hardware_id; ++ uint32_t size_hardware_id_1 = 0; ++ uint32_t length_hardware_id_1 = 0; + TALLOC_CTX *_mem_save_hardware_id_0; + uint32_t _ptr_provider; ++ uint32_t size_provider_1 = 0; ++ uint32_t length_provider_1 = 0; + TALLOC_CTX *_mem_save_provider_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +@@ -9735,11 +10043,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); +- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); ++ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); ++ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); ++ if (length_driver_name_1 > size_driver_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); + } + if (r->architecture) { +@@ -9747,11 +10057,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); +- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); ++ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); ++ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); ++ if (length_architecture_1 > size_architecture_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); + } + if (r->driver_path) { +@@ -9759,11 +10071,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); +- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); ++ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); ++ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); ++ if (length_driver_path_1 > size_driver_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); + } + if (r->data_file) { +@@ -9771,11 +10085,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); +- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); ++ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); ++ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); ++ if (length_data_file_1 > size_data_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); + } + if (r->config_file) { +@@ -9783,11 +10099,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); +- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); ++ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); ++ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); ++ if (length_config_file_1 > size_config_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); + } + if (r->help_file) { +@@ -9795,11 +10113,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); +- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); ++ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); ++ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); ++ if (length_help_file_1 > size_help_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); + } + if (r->monitor_name) { +@@ -9807,11 +10127,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); +- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); ++ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); ++ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); ++ if (length_monitor_name_1 > size_monitor_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); + } + if (r->default_datatype) { +@@ -9819,11 +10141,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); +- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); ++ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); ++ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); ++ if (length_default_datatype_1 > size_default_datatype_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); + } + if (r->dependent_files) { +@@ -9843,11 +10167,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_name)); +- if (ndr_get_array_length(ndr, &r->manufacturer_name) > ndr_get_array_size(ndr, &r->manufacturer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_name), ndr_get_array_length(ndr, &r->manufacturer_name)); ++ size_manufacturer_name_1 = ndr_get_array_size(ndr, &r->manufacturer_name); ++ length_manufacturer_name_1 = ndr_get_array_length(ndr, &r->manufacturer_name); ++ if (length_manufacturer_name_1 > size_manufacturer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_name_1, length_manufacturer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, length_manufacturer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_name_0, 0); + } + if (r->manufacturer_url) { +@@ -9855,11 +10181,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_url, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_url)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_url)); +- if (ndr_get_array_length(ndr, &r->manufacturer_url) > ndr_get_array_size(ndr, &r->manufacturer_url)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_url), ndr_get_array_length(ndr, &r->manufacturer_url)); ++ size_manufacturer_url_1 = ndr_get_array_size(ndr, &r->manufacturer_url); ++ length_manufacturer_url_1 = ndr_get_array_length(ndr, &r->manufacturer_url); ++ if (length_manufacturer_url_1 > size_manufacturer_url_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_url_1, length_manufacturer_url_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_url_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, length_manufacturer_url_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_url_0, 0); + } + if (r->hardware_id) { +@@ -9867,11 +10195,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->hardware_id, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->hardware_id)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->hardware_id)); +- if (ndr_get_array_length(ndr, &r->hardware_id) > ndr_get_array_size(ndr, &r->hardware_id)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->hardware_id), ndr_get_array_length(ndr, &r->hardware_id)); ++ size_hardware_id_1 = ndr_get_array_size(ndr, &r->hardware_id); ++ length_hardware_id_1 = ndr_get_array_length(ndr, &r->hardware_id); ++ if (length_hardware_id_1 > size_hardware_id_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_hardware_id_1, length_hardware_id_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_hardware_id_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, length_hardware_id_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_hardware_id_0, 0); + } + if (r->provider) { +@@ -9879,11 +10209,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->provider, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->provider)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->provider)); +- if (ndr_get_array_length(ndr, &r->provider) > ndr_get_array_size(ndr, &r->provider)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->provider), ndr_get_array_length(ndr, &r->provider)); ++ size_provider_1 = ndr_get_array_size(ndr, &r->provider); ++ length_provider_1 = ndr_get_array_length(ndr, &r->provider); ++ if (length_provider_1 > size_provider_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_provider_1, length_provider_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_provider_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, length_provider_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_provider_0, 0); + } + } +@@ -10132,40 +10464,70 @@ + static enum ndr_err_code ndr_pull_spoolss_AddDriverInfo8(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddDriverInfo8 *r) + { + uint32_t _ptr_driver_name; ++ uint32_t size_driver_name_1 = 0; ++ uint32_t length_driver_name_1 = 0; + TALLOC_CTX *_mem_save_driver_name_0; + uint32_t _ptr_architecture; ++ uint32_t size_architecture_1 = 0; ++ uint32_t length_architecture_1 = 0; + TALLOC_CTX *_mem_save_architecture_0; + uint32_t _ptr_driver_path; ++ uint32_t size_driver_path_1 = 0; ++ uint32_t length_driver_path_1 = 0; + TALLOC_CTX *_mem_save_driver_path_0; + uint32_t _ptr_data_file; ++ uint32_t size_data_file_1 = 0; ++ uint32_t length_data_file_1 = 0; + TALLOC_CTX *_mem_save_data_file_0; + uint32_t _ptr_config_file; ++ uint32_t size_config_file_1 = 0; ++ uint32_t length_config_file_1 = 0; + TALLOC_CTX *_mem_save_config_file_0; + uint32_t _ptr_help_file; ++ uint32_t size_help_file_1 = 0; ++ uint32_t length_help_file_1 = 0; + TALLOC_CTX *_mem_save_help_file_0; + uint32_t _ptr_monitor_name; ++ uint32_t size_monitor_name_1 = 0; ++ uint32_t length_monitor_name_1 = 0; + TALLOC_CTX *_mem_save_monitor_name_0; + uint32_t _ptr_default_datatype; ++ uint32_t size_default_datatype_1 = 0; ++ uint32_t length_default_datatype_1 = 0; + TALLOC_CTX *_mem_save_default_datatype_0; + uint32_t _ptr_dependent_files; + TALLOC_CTX *_mem_save_dependent_files_0; + uint32_t _ptr_previous_names; + TALLOC_CTX *_mem_save_previous_names_0; + uint32_t _ptr_manufacturer_name; ++ uint32_t size_manufacturer_name_1 = 0; ++ uint32_t length_manufacturer_name_1 = 0; + TALLOC_CTX *_mem_save_manufacturer_name_0; + uint32_t _ptr_manufacturer_url; ++ uint32_t size_manufacturer_url_1 = 0; ++ uint32_t length_manufacturer_url_1 = 0; + TALLOC_CTX *_mem_save_manufacturer_url_0; + uint32_t _ptr_hardware_id; ++ uint32_t size_hardware_id_1 = 0; ++ uint32_t length_hardware_id_1 = 0; + TALLOC_CTX *_mem_save_hardware_id_0; + uint32_t _ptr_provider; ++ uint32_t size_provider_1 = 0; ++ uint32_t length_provider_1 = 0; + TALLOC_CTX *_mem_save_provider_0; + uint32_t _ptr_print_processor; ++ uint32_t size_print_processor_1 = 0; ++ uint32_t length_print_processor_1 = 0; + TALLOC_CTX *_mem_save_print_processor_0; + uint32_t _ptr_vendor_setup; ++ uint32_t size_vendor_setup_1 = 0; ++ uint32_t length_vendor_setup_1 = 0; + TALLOC_CTX *_mem_save_vendor_setup_0; + uint32_t _ptr_color_profiles; + TALLOC_CTX *_mem_save_color_profiles_0; + uint32_t _ptr_inf_path; ++ uint32_t size_inf_path_1 = 0; ++ uint32_t length_inf_path_1 = 0; + TALLOC_CTX *_mem_save_inf_path_0; + uint32_t _ptr_core_driver_dependencies; + TALLOC_CTX *_mem_save_core_driver_dependencies_0; +@@ -10303,11 +10665,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_name)); +- if (ndr_get_array_length(ndr, &r->driver_name) > ndr_get_array_size(ndr, &r->driver_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_name), ndr_get_array_length(ndr, &r->driver_name)); ++ size_driver_name_1 = ndr_get_array_size(ndr, &r->driver_name); ++ length_driver_name_1 = ndr_get_array_length(ndr, &r->driver_name); ++ if (length_driver_name_1 > size_driver_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_name_1, length_driver_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, ndr_get_array_length(ndr, &r->driver_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_name, length_driver_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_name_0, 0); + } + if (r->architecture) { +@@ -10315,11 +10679,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->architecture, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->architecture)); +- if (ndr_get_array_length(ndr, &r->architecture) > ndr_get_array_size(ndr, &r->architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->architecture), ndr_get_array_length(ndr, &r->architecture)); ++ size_architecture_1 = ndr_get_array_size(ndr, &r->architecture); ++ length_architecture_1 = ndr_get_array_length(ndr, &r->architecture); ++ if (length_architecture_1 > size_architecture_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, ndr_get_array_length(ndr, &r->architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); + } + if (r->driver_path) { +@@ -10327,11 +10693,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->driver_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->driver_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->driver_path)); +- if (ndr_get_array_length(ndr, &r->driver_path) > ndr_get_array_size(ndr, &r->driver_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->driver_path), ndr_get_array_length(ndr, &r->driver_path)); ++ size_driver_path_1 = ndr_get_array_size(ndr, &r->driver_path); ++ length_driver_path_1 = ndr_get_array_length(ndr, &r->driver_path); ++ if (length_driver_path_1 > size_driver_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_path_1, length_driver_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, ndr_get_array_length(ndr, &r->driver_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->driver_path, length_driver_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_path_0, 0); + } + if (r->data_file) { +@@ -10339,11 +10707,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data_file)); +- if (ndr_get_array_length(ndr, &r->data_file) > ndr_get_array_size(ndr, &r->data_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data_file), ndr_get_array_length(ndr, &r->data_file)); ++ size_data_file_1 = ndr_get_array_size(ndr, &r->data_file); ++ length_data_file_1 = ndr_get_array_length(ndr, &r->data_file); ++ if (length_data_file_1 > size_data_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_file_1, length_data_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, ndr_get_array_length(ndr, &r->data_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data_file, length_data_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_file_0, 0); + } + if (r->config_file) { +@@ -10351,11 +10721,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->config_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->config_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->config_file)); +- if (ndr_get_array_length(ndr, &r->config_file) > ndr_get_array_size(ndr, &r->config_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->config_file), ndr_get_array_length(ndr, &r->config_file)); ++ size_config_file_1 = ndr_get_array_size(ndr, &r->config_file); ++ length_config_file_1 = ndr_get_array_length(ndr, &r->config_file); ++ if (length_config_file_1 > size_config_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_config_file_1, length_config_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, ndr_get_array_length(ndr, &r->config_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_config_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->config_file, length_config_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_config_file_0, 0); + } + if (r->help_file) { +@@ -10363,11 +10735,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->help_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->help_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->help_file)); +- if (ndr_get_array_length(ndr, &r->help_file) > ndr_get_array_size(ndr, &r->help_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->help_file), ndr_get_array_length(ndr, &r->help_file)); ++ size_help_file_1 = ndr_get_array_size(ndr, &r->help_file); ++ length_help_file_1 = ndr_get_array_length(ndr, &r->help_file); ++ if (length_help_file_1 > size_help_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_help_file_1, length_help_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, ndr_get_array_length(ndr, &r->help_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_help_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->help_file, length_help_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_help_file_0, 0); + } + if (r->monitor_name) { +@@ -10375,11 +10749,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); +- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); ++ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); ++ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); ++ if (length_monitor_name_1 > size_monitor_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); + } + if (r->default_datatype) { +@@ -10387,11 +10763,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->default_datatype, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->default_datatype)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->default_datatype)); +- if (ndr_get_array_length(ndr, &r->default_datatype) > ndr_get_array_size(ndr, &r->default_datatype)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->default_datatype), ndr_get_array_length(ndr, &r->default_datatype)); ++ size_default_datatype_1 = ndr_get_array_size(ndr, &r->default_datatype); ++ length_default_datatype_1 = ndr_get_array_length(ndr, &r->default_datatype); ++ if (length_default_datatype_1 > size_default_datatype_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_default_datatype_1, length_default_datatype_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, ndr_get_array_length(ndr, &r->default_datatype), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_default_datatype_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->default_datatype, length_default_datatype_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_default_datatype_0, 0); + } + if (r->dependent_files) { +@@ -10411,11 +10789,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_name)); +- if (ndr_get_array_length(ndr, &r->manufacturer_name) > ndr_get_array_size(ndr, &r->manufacturer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_name), ndr_get_array_length(ndr, &r->manufacturer_name)); ++ size_manufacturer_name_1 = ndr_get_array_size(ndr, &r->manufacturer_name); ++ length_manufacturer_name_1 = ndr_get_array_length(ndr, &r->manufacturer_name); ++ if (length_manufacturer_name_1 > size_manufacturer_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_name_1, length_manufacturer_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, ndr_get_array_length(ndr, &r->manufacturer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_name, length_manufacturer_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_name_0, 0); + } + if (r->manufacturer_url) { +@@ -10423,11 +10803,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->manufacturer_url, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->manufacturer_url)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->manufacturer_url)); +- if (ndr_get_array_length(ndr, &r->manufacturer_url) > ndr_get_array_size(ndr, &r->manufacturer_url)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->manufacturer_url), ndr_get_array_length(ndr, &r->manufacturer_url)); ++ size_manufacturer_url_1 = ndr_get_array_size(ndr, &r->manufacturer_url); ++ length_manufacturer_url_1 = ndr_get_array_length(ndr, &r->manufacturer_url); ++ if (length_manufacturer_url_1 > size_manufacturer_url_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_manufacturer_url_1, length_manufacturer_url_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, ndr_get_array_length(ndr, &r->manufacturer_url), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_manufacturer_url_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->manufacturer_url, length_manufacturer_url_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_manufacturer_url_0, 0); + } + if (r->hardware_id) { +@@ -10435,11 +10817,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->hardware_id, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->hardware_id)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->hardware_id)); +- if (ndr_get_array_length(ndr, &r->hardware_id) > ndr_get_array_size(ndr, &r->hardware_id)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->hardware_id), ndr_get_array_length(ndr, &r->hardware_id)); ++ size_hardware_id_1 = ndr_get_array_size(ndr, &r->hardware_id); ++ length_hardware_id_1 = ndr_get_array_length(ndr, &r->hardware_id); ++ if (length_hardware_id_1 > size_hardware_id_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_hardware_id_1, length_hardware_id_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, ndr_get_array_length(ndr, &r->hardware_id), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_hardware_id_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_id, length_hardware_id_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_hardware_id_0, 0); + } + if (r->provider) { +@@ -10447,11 +10831,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->provider, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->provider)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->provider)); +- if (ndr_get_array_length(ndr, &r->provider) > ndr_get_array_size(ndr, &r->provider)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->provider), ndr_get_array_length(ndr, &r->provider)); ++ size_provider_1 = ndr_get_array_size(ndr, &r->provider); ++ length_provider_1 = ndr_get_array_length(ndr, &r->provider); ++ if (length_provider_1 > size_provider_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_provider_1, length_provider_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, ndr_get_array_length(ndr, &r->provider), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_provider_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->provider, length_provider_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_provider_0, 0); + } + if (r->print_processor) { +@@ -10459,11 +10845,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->print_processor, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->print_processor)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->print_processor)); +- if (ndr_get_array_length(ndr, &r->print_processor) > ndr_get_array_size(ndr, &r->print_processor)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->print_processor), ndr_get_array_length(ndr, &r->print_processor)); ++ size_print_processor_1 = ndr_get_array_size(ndr, &r->print_processor); ++ length_print_processor_1 = ndr_get_array_length(ndr, &r->print_processor); ++ if (length_print_processor_1 > size_print_processor_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_1, length_print_processor_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, ndr_get_array_length(ndr, &r->print_processor), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->print_processor, length_print_processor_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_0, 0); + } + if (r->vendor_setup) { +@@ -10471,11 +10859,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->vendor_setup, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->vendor_setup)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->vendor_setup)); +- if (ndr_get_array_length(ndr, &r->vendor_setup) > ndr_get_array_size(ndr, &r->vendor_setup)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->vendor_setup), ndr_get_array_length(ndr, &r->vendor_setup)); ++ size_vendor_setup_1 = ndr_get_array_size(ndr, &r->vendor_setup); ++ length_vendor_setup_1 = ndr_get_array_length(ndr, &r->vendor_setup); ++ if (length_vendor_setup_1 > size_vendor_setup_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_vendor_setup_1, length_vendor_setup_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->vendor_setup), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->vendor_setup, ndr_get_array_length(ndr, &r->vendor_setup), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_vendor_setup_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->vendor_setup, length_vendor_setup_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_vendor_setup_0, 0); + } + if (r->color_profiles) { +@@ -10489,11 +10879,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->inf_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->inf_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->inf_path)); +- if (ndr_get_array_length(ndr, &r->inf_path) > ndr_get_array_size(ndr, &r->inf_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->inf_path), ndr_get_array_length(ndr, &r->inf_path)); ++ size_inf_path_1 = ndr_get_array_size(ndr, &r->inf_path); ++ length_inf_path_1 = ndr_get_array_length(ndr, &r->inf_path); ++ if (length_inf_path_1 > size_inf_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_inf_path_1, length_inf_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->inf_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->inf_path, ndr_get_array_length(ndr, &r->inf_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_inf_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->inf_path, length_inf_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_inf_path_0, 0); + } + if (r->core_driver_dependencies) { +@@ -10725,11 +11117,17 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + TALLOC_CTX *_mem_save_info3_0; ++ uint32_t _ptr_info3; + TALLOC_CTX *_mem_save_info4_0; ++ uint32_t _ptr_info4; + TALLOC_CTX *_mem_save_info6_0; ++ uint32_t _ptr_info6; + TALLOC_CTX *_mem_save_info8_0; ++ uint32_t _ptr_info8; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -10740,7 +11138,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -10750,7 +11147,6 @@ + break; } + + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -10760,7 +11156,6 @@ + break; } + + case 3: { +- uint32_t _ptr_info3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); + if (_ptr_info3) { + NDR_PULL_ALLOC(ndr, r->info3); +@@ -10770,7 +11165,6 @@ + break; } + + case 4: { +- uint32_t _ptr_info4; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info4)); + if (_ptr_info4) { + NDR_PULL_ALLOC(ndr, r->info4); +@@ -10780,7 +11174,6 @@ + break; } + + case 6: { +- uint32_t _ptr_info6; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info6)); + if (_ptr_info6) { + NDR_PULL_ALLOC(ndr, r->info6); +@@ -10790,7 +11183,6 @@ + break; } + + case 8: { +- uint32_t _ptr_info8; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info8)); + if (_ptr_info8) { + NDR_PULL_ALLOC(ndr, r->info8); +@@ -15915,10 +16307,16 @@ + static enum ndr_err_code ndr_pull_spoolss_DocumentInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_DocumentInfo1 *r) + { + uint32_t _ptr_document_name; ++ uint32_t size_document_name_1 = 0; ++ uint32_t length_document_name_1 = 0; + TALLOC_CTX *_mem_save_document_name_0; + uint32_t _ptr_output_file; ++ uint32_t size_output_file_1 = 0; ++ uint32_t length_output_file_1 = 0; + TALLOC_CTX *_mem_save_output_file_0; + uint32_t _ptr_datatype; ++ uint32_t size_datatype_1 = 0; ++ uint32_t length_datatype_1 = 0; + TALLOC_CTX *_mem_save_datatype_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -15948,11 +16346,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->document_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->document_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->document_name)); +- if (ndr_get_array_length(ndr, &r->document_name) > ndr_get_array_size(ndr, &r->document_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->document_name), ndr_get_array_length(ndr, &r->document_name)); ++ size_document_name_1 = ndr_get_array_size(ndr, &r->document_name); ++ length_document_name_1 = ndr_get_array_length(ndr, &r->document_name); ++ if (length_document_name_1 > size_document_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_document_name_1, length_document_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, ndr_get_array_length(ndr, &r->document_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_document_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->document_name, length_document_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_document_name_0, 0); + } + if (r->output_file) { +@@ -15960,11 +16360,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->output_file, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->output_file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->output_file)); +- if (ndr_get_array_length(ndr, &r->output_file) > ndr_get_array_size(ndr, &r->output_file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->output_file), ndr_get_array_length(ndr, &r->output_file)); ++ size_output_file_1 = ndr_get_array_size(ndr, &r->output_file); ++ length_output_file_1 = ndr_get_array_length(ndr, &r->output_file); ++ if (length_output_file_1 > size_output_file_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_output_file_1, length_output_file_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->output_file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->output_file, ndr_get_array_length(ndr, &r->output_file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_output_file_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->output_file, length_output_file_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_output_file_0, 0); + } + if (r->datatype) { +@@ -15972,11 +16374,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->datatype, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->datatype)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->datatype)); +- if (ndr_get_array_length(ndr, &r->datatype) > ndr_get_array_size(ndr, &r->datatype)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->datatype), ndr_get_array_length(ndr, &r->datatype)); ++ size_datatype_1 = ndr_get_array_size(ndr, &r->datatype); ++ length_datatype_1 = ndr_get_array_length(ndr, &r->datatype); ++ if (length_datatype_1 > size_datatype_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_datatype_1, length_datatype_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, ndr_get_array_length(ndr, &r->datatype), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_datatype_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->datatype, length_datatype_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_datatype_0, 0); + } + } +@@ -16060,6 +16464,7 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -16070,7 +16475,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -17142,6 +17546,8 @@ + static enum ndr_err_code ndr_pull_spoolss_AddFormInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddFormInfo1 *r) + { + uint32_t _ptr_form_name; ++ uint32_t size_form_name_1 = 0; ++ uint32_t length_form_name_1 = 0; + TALLOC_CTX *_mem_save_form_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -17162,11 +17568,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->form_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->form_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->form_name)); +- if (ndr_get_array_length(ndr, &r->form_name) > ndr_get_array_size(ndr, &r->form_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->form_name), ndr_get_array_length(ndr, &r->form_name)); ++ size_form_name_1 = ndr_get_array_size(ndr, &r->form_name); ++ length_form_name_1 = ndr_get_array_length(ndr, &r->form_name); ++ if (length_form_name_1 > size_form_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_1, length_form_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->form_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->form_name, ndr_get_array_length(ndr, &r->form_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->form_name, length_form_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_form_name_0, 0); + } + } +@@ -17238,12 +17646,20 @@ + static enum ndr_err_code ndr_pull_spoolss_AddFormInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_AddFormInfo2 *r) + { + uint32_t _ptr_form_name; ++ uint32_t size_form_name_1 = 0; ++ uint32_t length_form_name_1 = 0; + TALLOC_CTX *_mem_save_form_name_0; + uint32_t _ptr_keyword; ++ uint32_t size_keyword_1 = 0; ++ uint32_t length_keyword_1 = 0; + TALLOC_CTX *_mem_save_keyword_0; + uint32_t _ptr_mui_dll; ++ uint32_t size_mui_dll_1 = 0; ++ uint32_t length_mui_dll_1 = 0; + TALLOC_CTX *_mem_save_mui_dll_0; + uint32_t _ptr_display_name; ++ uint32_t size_display_name_1 = 0; ++ uint32_t length_display_name_1 = 0; + TALLOC_CTX *_mem_save_display_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -17285,11 +17701,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->form_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->form_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->form_name)); +- if (ndr_get_array_length(ndr, &r->form_name) > ndr_get_array_size(ndr, &r->form_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->form_name), ndr_get_array_length(ndr, &r->form_name)); ++ size_form_name_1 = ndr_get_array_size(ndr, &r->form_name); ++ length_form_name_1 = ndr_get_array_length(ndr, &r->form_name); ++ if (length_form_name_1 > size_form_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_1, length_form_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->form_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->form_name, ndr_get_array_length(ndr, &r->form_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->form_name, length_form_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_form_name_0, 0); + } + if (r->keyword) { +@@ -17297,11 +17715,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->keyword, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->keyword)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->keyword)); +- if (ndr_get_array_length(ndr, &r->keyword) > ndr_get_array_size(ndr, &r->keyword)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->keyword), ndr_get_array_length(ndr, &r->keyword)); ++ size_keyword_1 = ndr_get_array_size(ndr, &r->keyword); ++ length_keyword_1 = ndr_get_array_length(ndr, &r->keyword); ++ if (length_keyword_1 > size_keyword_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_keyword_1, length_keyword_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->keyword), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->keyword, ndr_get_array_length(ndr, &r->keyword), sizeof(uint8_t), CH_DOS)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_keyword_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->keyword, length_keyword_1, sizeof(uint8_t), CH_DOS)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_keyword_0, 0); + } + if (r->mui_dll) { +@@ -17309,11 +17729,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->mui_dll, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->mui_dll)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->mui_dll)); +- if (ndr_get_array_length(ndr, &r->mui_dll) > ndr_get_array_size(ndr, &r->mui_dll)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->mui_dll), ndr_get_array_length(ndr, &r->mui_dll)); ++ size_mui_dll_1 = ndr_get_array_size(ndr, &r->mui_dll); ++ length_mui_dll_1 = ndr_get_array_length(ndr, &r->mui_dll); ++ if (length_mui_dll_1 > size_mui_dll_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_mui_dll_1, length_mui_dll_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->mui_dll), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->mui_dll, ndr_get_array_length(ndr, &r->mui_dll), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_mui_dll_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->mui_dll, length_mui_dll_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_mui_dll_0, 0); + } + if (r->display_name) { +@@ -17321,11 +17743,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->display_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->display_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->display_name)); +- if (ndr_get_array_length(ndr, &r->display_name) > ndr_get_array_size(ndr, &r->display_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->display_name), ndr_get_array_length(ndr, &r->display_name)); ++ size_display_name_1 = ndr_get_array_size(ndr, &r->display_name); ++ length_display_name_1 = ndr_get_array_length(ndr, &r->display_name); ++ if (length_display_name_1 > size_display_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_1, length_display_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->display_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->display_name, ndr_get_array_length(ndr, &r->display_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->display_name, length_display_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, 0); + } + } +@@ -17417,7 +17841,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -17428,7 +17854,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -17438,7 +17863,6 @@ + break; } + + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -18678,6 +19102,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetPortInfo1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPortInfo1 *r) + { + uint32_t _ptr_port_name; ++ uint32_t size_port_name_1 = 0; ++ uint32_t length_port_name_1 = 0; + TALLOC_CTX *_mem_save_port_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -18695,11 +19121,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->port_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->port_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->port_name)); +- if (ndr_get_array_length(ndr, &r->port_name) > ndr_get_array_size(ndr, &r->port_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->port_name), ndr_get_array_length(ndr, &r->port_name)); ++ size_port_name_1 = ndr_get_array_size(ndr, &r->port_name); ++ length_port_name_1 = ndr_get_array_length(ndr, &r->port_name); ++ if (length_port_name_1 > size_port_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_port_name_1, length_port_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->port_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->port_name, ndr_get_array_length(ndr, &r->port_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_port_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->port_name, length_port_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_port_name_0, 0); + } + } +@@ -18762,10 +19190,16 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetPortInfo2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPortInfo2 *r) + { + uint32_t _ptr_port_name; ++ uint32_t size_port_name_1 = 0; ++ uint32_t length_port_name_1 = 0; + TALLOC_CTX *_mem_save_port_name_0; + uint32_t _ptr_monitor_name; ++ uint32_t size_monitor_name_1 = 0; ++ uint32_t length_monitor_name_1 = 0; + TALLOC_CTX *_mem_save_monitor_name_0; + uint32_t _ptr_description; ++ uint32_t size_description_1 = 0; ++ uint32_t length_description_1 = 0; + TALLOC_CTX *_mem_save_description_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -18797,11 +19231,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->port_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->port_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->port_name)); +- if (ndr_get_array_length(ndr, &r->port_name) > ndr_get_array_size(ndr, &r->port_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->port_name), ndr_get_array_length(ndr, &r->port_name)); ++ size_port_name_1 = ndr_get_array_size(ndr, &r->port_name); ++ length_port_name_1 = ndr_get_array_length(ndr, &r->port_name); ++ if (length_port_name_1 > size_port_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_port_name_1, length_port_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->port_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->port_name, ndr_get_array_length(ndr, &r->port_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_port_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->port_name, length_port_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_port_name_0, 0); + } + if (r->monitor_name) { +@@ -18809,11 +19245,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->monitor_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->monitor_name)); +- if (ndr_get_array_length(ndr, &r->monitor_name) > ndr_get_array_size(ndr, &r->monitor_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->monitor_name), ndr_get_array_length(ndr, &r->monitor_name)); ++ size_monitor_name_1 = ndr_get_array_size(ndr, &r->monitor_name); ++ length_monitor_name_1 = ndr_get_array_length(ndr, &r->monitor_name); ++ if (length_monitor_name_1 > size_monitor_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, ndr_get_array_length(ndr, &r->monitor_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); + } + if (r->description) { +@@ -18821,11 +19259,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->description, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->description)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->description)); +- if (ndr_get_array_length(ndr, &r->description) > ndr_get_array_size(ndr, &r->description)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->description), ndr_get_array_length(ndr, &r->description)); ++ size_description_1 = ndr_get_array_size(ndr, &r->description); ++ length_description_1 = ndr_get_array_length(ndr, &r->description); ++ if (length_description_1 > size_description_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_description_1, length_description_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->description), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->description, ndr_get_array_length(ndr, &r->description), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_description_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->description, length_description_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_description_0, 0); + } + } +@@ -18888,6 +19328,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetPortInfo3(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPortInfo3 *r) + { + uint32_t _ptr_status_string; ++ uint32_t size_status_string_1 = 0; ++ uint32_t length_status_string_1 = 0; + TALLOC_CTX *_mem_save_status_string_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -18907,11 +19349,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->status_string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->status_string)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->status_string)); +- if (ndr_get_array_length(ndr, &r->status_string) > ndr_get_array_size(ndr, &r->status_string)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->status_string), ndr_get_array_length(ndr, &r->status_string)); ++ size_status_string_1 = ndr_get_array_size(ndr, &r->status_string); ++ length_status_string_1 = ndr_get_array_length(ndr, &r->status_string); ++ if (length_status_string_1 > size_status_string_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_status_string_1, length_status_string_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->status_string), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->status_string, ndr_get_array_length(ndr, &r->status_string), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_status_string_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->status_string, length_status_string_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_status_string_0, 0); + } + } +@@ -18961,6 +19405,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_SetPortInfoFF(struct ndr_pull *ndr, int ndr_flags, struct spoolss_SetPortInfoFF *r) + { + uint32_t _ptr_port_name; ++ uint32_t size_port_name_1 = 0; ++ uint32_t length_port_name_1 = 0; + TALLOC_CTX *_mem_save_port_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -18979,11 +19425,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->port_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->port_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->port_name)); +- if (ndr_get_array_length(ndr, &r->port_name) > ndr_get_array_size(ndr, &r->port_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->port_name), ndr_get_array_length(ndr, &r->port_name)); ++ size_port_name_1 = ndr_get_array_size(ndr, &r->port_name); ++ length_port_name_1 = ndr_get_array_length(ndr, &r->port_name); ++ if (length_port_name_1 > size_port_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_port_name_1, length_port_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->port_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->port_name, ndr_get_array_length(ndr, &r->port_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_port_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->port_name, length_port_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_port_name_0, 0); + } + } +@@ -19303,6 +19751,7 @@ + static enum ndr_err_code ndr_pull_spoolss_PortVarContainer(struct ndr_pull *ndr, int ndr_flags, struct spoolss_PortVarContainer *r) + { + uint32_t _ptr_monitor_data; ++ uint32_t size_monitor_data_1 = 0; + TALLOC_CTX *_mem_save_monitor_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -19320,8 +19769,9 @@ + _mem_save_monitor_data_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->monitor_data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->monitor_data)); +- NDR_PULL_ALLOC_N(ndr, r->monitor_data, ndr_get_array_size(ndr, &r->monitor_data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->monitor_data, ndr_get_array_size(ndr, &r->monitor_data))); ++ size_monitor_data_1 = ndr_get_array_size(ndr, &r->monitor_data); ++ NDR_PULL_ALLOC_N(ndr, r->monitor_data, size_monitor_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->monitor_data, size_monitor_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_data_0, 0); + } + if (r->monitor_data) { +@@ -19571,6 +20021,7 @@ + static enum ndr_err_code ndr_pull_spoolss_NotifyOptionType(struct ndr_pull *ndr, int ndr_flags, struct spoolss_NotifyOptionType *r) + { + uint32_t _ptr_fields; ++ uint32_t size_fields_1 = 0; + uint32_t cntr_fields_1; + TALLOC_CTX *_mem_save_fields_0; + TALLOC_CTX *_mem_save_fields_1; +@@ -19594,10 +20045,11 @@ + _mem_save_fields_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->fields, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->fields)); +- NDR_PULL_ALLOC_N(ndr, r->fields, ndr_get_array_size(ndr, &r->fields)); ++ size_fields_1 = ndr_get_array_size(ndr, &r->fields); ++ NDR_PULL_ALLOC_N(ndr, r->fields, size_fields_1); + _mem_save_fields_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->fields, 0); +- for (cntr_fields_1 = 0; cntr_fields_1 < r->count; cntr_fields_1++) { ++ for (cntr_fields_1 = 0; cntr_fields_1 < size_fields_1; cntr_fields_1++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->fields[cntr_fields_1], r->type)); + NDR_CHECK(ndr_pull_spoolss_Field(ndr, NDR_SCALARS, &r->fields[cntr_fields_1])); + } +@@ -19687,6 +20139,7 @@ + static enum ndr_err_code ndr_pull_spoolss_NotifyOption(struct ndr_pull *ndr, int ndr_flags, struct spoolss_NotifyOption *r) + { + uint32_t _ptr_types; ++ uint32_t size_types_1 = 0; + uint32_t cntr_types_1; + TALLOC_CTX *_mem_save_types_0; + TALLOC_CTX *_mem_save_types_1; +@@ -19708,13 +20161,14 @@ + _mem_save_types_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->types)); +- NDR_PULL_ALLOC_N(ndr, r->types, ndr_get_array_size(ndr, &r->types)); ++ size_types_1 = ndr_get_array_size(ndr, &r->types); ++ NDR_PULL_ALLOC_N(ndr, r->types, size_types_1); + _mem_save_types_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->types, 0); +- for (cntr_types_1 = 0; cntr_types_1 < r->count; cntr_types_1++) { ++ for (cntr_types_1 = 0; cntr_types_1 < size_types_1; cntr_types_1++) { + NDR_CHECK(ndr_pull_spoolss_NotifyOptionType(ndr, NDR_SCALARS, &r->types[cntr_types_1])); + } +- for (cntr_types_1 = 0; cntr_types_1 < r->count; cntr_types_1++) { ++ for (cntr_types_1 = 0; cntr_types_1 < size_types_1; cntr_types_1++) { + NDR_CHECK(ndr_pull_spoolss_NotifyOptionType(ndr, NDR_BUFFERS, &r->types[cntr_types_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_types_1, 0); +@@ -19770,6 +20224,7 @@ + static enum ndr_err_code ndr_pull_spoolss_NotifyString(struct ndr_pull *ndr, int ndr_flags, struct spoolss_NotifyString *r) + { + uint32_t _ptr_string; ++ uint32_t size_string_1 = 0; + TALLOC_CTX *_mem_save_string_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -19787,7 +20242,8 @@ + _mem_save_string_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_size(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); ++ size_string_1 = ndr_get_array_size(ndr, &r->string); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, size_string_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); + } + if (r->string) { +@@ -19908,6 +20364,8 @@ + { + uint32_t level; + uint32_t _level; ++ uint32_t size_integer_0 = 0; ++ uint32_t cntr_integer_0; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -19918,8 +20376,8 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t cntr_integer_0; +- for (cntr_integer_0 = 0; cntr_integer_0 < 2; cntr_integer_0++) { ++ size_integer_0 = 2; ++ for (cntr_integer_0 = 0; cntr_integer_0 < size_integer_0; cntr_integer_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->integer[cntr_integer_0])); + } + break; } +@@ -20086,6 +20544,7 @@ + + static enum ndr_err_code ndr_pull_spoolss_NotifyInfo(struct ndr_pull *ndr, int ndr_flags, struct spoolss_NotifyInfo *r) + { ++ uint32_t size_notifies_0 = 0; + uint32_t cntr_notifies_0; + TALLOC_CTX *_mem_save_notifies_0; + if (ndr_flags & NDR_SCALARS) { +@@ -20094,10 +20553,11 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count)); +- NDR_PULL_ALLOC_N(ndr, r->notifies, ndr_get_array_size(ndr, &r->notifies)); ++ size_notifies_0 = ndr_get_array_size(ndr, &r->notifies); ++ NDR_PULL_ALLOC_N(ndr, r->notifies, size_notifies_0); + _mem_save_notifies_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->notifies, 0); +- for (cntr_notifies_0 = 0; cntr_notifies_0 < r->count; cntr_notifies_0++) { ++ for (cntr_notifies_0 = 0; cntr_notifies_0 < size_notifies_0; cntr_notifies_0++) { + NDR_CHECK(ndr_pull_spoolss_Notify(ndr, NDR_SCALARS, &r->notifies[cntr_notifies_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notifies_0, 0); +@@ -20107,9 +20567,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_notifies_0 = ndr_get_array_size(ndr, &r->notifies); + _mem_save_notifies_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->notifies, 0); +- for (cntr_notifies_0 = 0; cntr_notifies_0 < r->count; cntr_notifies_0++) { ++ for (cntr_notifies_0 = 0; cntr_notifies_0 < size_notifies_0; cntr_notifies_0++) { + NDR_CHECK(ndr_pull_spoolss_Notify(ndr, NDR_BUFFERS, &r->notifies[cntr_notifies_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_notifies_0, 0); +@@ -20172,6 +20633,7 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info0_0; ++ uint32_t _ptr_info0; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -20182,7 +20644,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_info0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); + if (_ptr_info0) { + NDR_PULL_ALLOC(ndr, r->info0); +@@ -20290,8 +20751,12 @@ + static enum ndr_err_code ndr_pull_spoolss_UserLevel1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_UserLevel1 *r) + { + uint32_t _ptr_client; ++ uint32_t size_client_1 = 0; ++ uint32_t length_client_1 = 0; + TALLOC_CTX *_mem_save_client_0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_user_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -20320,11 +20785,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); +- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); ++ size_client_1 = ndr_get_array_size(ndr, &r->client); ++ length_client_1 = ndr_get_array_length(ndr, &r->client); ++ if (length_client_1 > size_client_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); + } + if (r->user) { +@@ -20332,11 +20799,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + } +@@ -20437,8 +20906,12 @@ + static enum ndr_err_code ndr_pull_spoolss_UserLevel3(struct ndr_pull *ndr, int ndr_flags, struct spoolss_UserLevel3 *r) + { + uint32_t _ptr_client; ++ uint32_t size_client_1 = 0; ++ uint32_t length_client_1 = 0; + TALLOC_CTX *_mem_save_client_0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_user_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -20470,11 +20943,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); +- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); ++ size_client_1 = ndr_get_array_size(ndr, &r->client); ++ length_client_1 = ndr_get_array_length(ndr, &r->client); ++ if (length_client_1 > size_client_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); + } + if (r->user) { +@@ -20482,11 +20957,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + } +@@ -20578,8 +21055,11 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_level1_0; ++ uint32_t _ptr_level1; + TALLOC_CTX *_mem_save_level2_0; ++ uint32_t _ptr_level2; + TALLOC_CTX *_mem_save_level3_0; ++ uint32_t _ptr_level3; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -20590,7 +21070,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_level1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_level1)); + if (_ptr_level1) { + NDR_PULL_ALLOC(ndr, r->level1); +@@ -20600,7 +21079,6 @@ + break; } + + case 2: { +- uint32_t _ptr_level2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_level2)); + if (_ptr_level2) { + NDR_PULL_ALLOC(ndr, r->level2); +@@ -20610,7 +21088,6 @@ + break; } + + case 3: { +- uint32_t _ptr_level3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_level3)); + if (_ptr_level3) { + NDR_PULL_ALLOC(ndr, r->level3); +@@ -21111,20 +21588,34 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_PortData1(struct ndr_pull *ndr, int ndr_flags, struct spoolss_PortData1 *r) + { ++ uint32_t size_portname_0 = 0; ++ uint32_t size_hostaddress_0 = 0; ++ uint32_t size_snmpcommunity_0 = 0; ++ uint32_t size_queue_0 = 0; ++ uint32_t size_ip_address_0 = 0; ++ uint32_t size_hardware_address_0 = 0; ++ uint32_t size_device_type_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, 64, sizeof(uint16_t), CH_UTF16)); ++ size_portname_0 = 64; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, size_portname_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); + NDR_CHECK(ndr_pull_spoolss_PortProtocol(ndr, NDR_SCALARS, &r->protocol)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hostaddress, 49, sizeof(uint16_t), CH_UTF16)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->snmpcommunity, 33, sizeof(uint16_t), CH_UTF16)); ++ size_hostaddress_0 = 49; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hostaddress, size_hostaddress_0, sizeof(uint16_t), CH_UTF16)); ++ size_snmpcommunity_0 = 33; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->snmpcommunity, size_snmpcommunity_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->dblspool)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->queue, 33, sizeof(uint16_t), CH_UTF16)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ip_address, 16, sizeof(uint16_t), CH_UTF16)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_address, 13, sizeof(uint16_t), CH_UTF16)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device_type, 257, sizeof(uint16_t), CH_UTF16)); ++ size_queue_0 = 33; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->queue, size_queue_0, sizeof(uint16_t), CH_UTF16)); ++ size_ip_address_0 = 16; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->ip_address, size_ip_address_0, sizeof(uint16_t), CH_UTF16)); ++ size_hardware_address_0 = 13; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hardware_address, size_hardware_address_0, sizeof(uint16_t), CH_UTF16)); ++ size_device_type_0 = 257; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device_type, size_device_type_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->port_number)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->snmp_enabled)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->snmp_dev_index)); +@@ -21185,18 +21676,28 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_PortData2(struct ndr_pull *ndr, int ndr_flags, struct spoolss_PortData2 *r) + { ++ uint32_t size_portname_0 = 0; ++ uint32_t size_hostaddress_0 = 0; ++ uint32_t size_snmpcommunity_0 = 0; ++ uint32_t size_queue_0 = 0; ++ uint32_t size_device_type_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, 64, sizeof(uint16_t), CH_UTF16)); ++ size_portname_0 = 64; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->portname, size_portname_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->version)); + NDR_CHECK(ndr_pull_spoolss_PortProtocol(ndr, NDR_SCALARS, &r->protocol)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->size)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->reserved)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hostaddress, 128, sizeof(uint16_t), CH_UTF16)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->snmpcommunity, 33, sizeof(uint16_t), CH_UTF16)); ++ size_hostaddress_0 = 128; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->hostaddress, size_hostaddress_0, sizeof(uint16_t), CH_UTF16)); ++ size_snmpcommunity_0 = 33; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->snmpcommunity, size_snmpcommunity_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->dblspool)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->queue, 33, sizeof(uint16_t), CH_UTF16)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device_type, 257, sizeof(uint16_t), CH_UTF16)); ++ size_queue_0 = 33; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->queue, size_queue_0, sizeof(uint16_t), CH_UTF16)); ++ size_device_type_0 = 257; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device_type, size_device_type_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->port_number)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->snmp_enabled)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->snmp_dev_index)); +@@ -21319,12 +21820,14 @@ + + static enum ndr_err_code ndr_pull_spoolss_CorePrinterDriver(struct ndr_pull *ndr, int ndr_flags, struct spoolss_CorePrinterDriver *r) + { ++ uint32_t size_formname_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->core_driver_guid)); + NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->driver_date)); + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->driver_version)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->formname, 520, sizeof(uint8_t), CH_UTF8)); ++ size_formname_0 = 520; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->formname, size_formname_0, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -21383,6 +21886,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinters(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrinters *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_server_0; +@@ -21405,11 +21910,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -21484,6 +21991,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrinters(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrinters *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -21493,14 +22001,15 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); ++ size_info_0 = r->in.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_spoolss_PrinterInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_PrinterInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -21602,7 +22111,11 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_OpenPrinter(struct ndr_pull *ndr, int flags, struct spoolss_OpenPrinter *r) + { + uint32_t _ptr_printername; ++ uint32_t size_printername_1 = 0; ++ uint32_t length_printername_1 = 0; + uint32_t _ptr_datatype; ++ uint32_t size_datatype_1 = 0; ++ uint32_t length_datatype_1 = 0; + TALLOC_CTX *_mem_save_printername_0; + TALLOC_CTX *_mem_save_datatype_0; + TALLOC_CTX *_mem_save_handle_0; +@@ -21620,11 +22133,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.printername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.printername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.printername)); +- if (ndr_get_array_length(ndr, &r->in.printername) > ndr_get_array_size(ndr, &r->in.printername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.printername), ndr_get_array_length(ndr, &r->in.printername)); ++ size_printername_1 = ndr_get_array_size(ndr, &r->in.printername); ++ length_printername_1 = ndr_get_array_length(ndr, &r->in.printername); ++ if (length_printername_1 > size_printername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_datatype)); +@@ -21638,11 +22153,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.datatype, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.datatype)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.datatype)); +- if (ndr_get_array_length(ndr, &r->in.datatype) > ndr_get_array_size(ndr, &r->in.datatype)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.datatype), ndr_get_array_length(ndr, &r->in.datatype)); ++ size_datatype_1 = ndr_get_array_size(ndr, &r->in.datatype); ++ length_datatype_1 = ndr_get_array_length(ndr, &r->in.datatype); ++ if (length_datatype_1 > size_datatype_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_datatype_1, length_datatype_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.datatype), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.datatype, ndr_get_array_length(ndr, &r->in.datatype), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_datatype_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.datatype, length_datatype_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_datatype_0, 0); + } + NDR_CHECK(ndr_pull_spoolss_DevmodeContainer(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.devmode_ctr)); +@@ -22066,6 +22583,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumJobs(struct ndr_pull *ndr, int flags, struct __spoolss_EnumJobs *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -22075,14 +22593,15 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); ++ size_info_0 = r->in.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_spoolss_JobInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_JobInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -22186,6 +22705,8 @@ + static enum ndr_err_code ndr_pull_spoolss_AddPrinter(struct ndr_pull *ndr, int flags, struct spoolss_AddPrinter *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; + TALLOC_CTX *_mem_save_server_0; + TALLOC_CTX *_mem_save_info_ctr_0; + TALLOC_CTX *_mem_save_devmode_ctr_0; +@@ -22205,11 +22726,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -22629,6 +23152,8 @@ + static enum ndr_err_code ndr_pull_spoolss_AddPrinterDriver(struct ndr_pull *ndr, int flags, struct spoolss_AddPrinterDriver *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_info_ctr_0; + if (flags & NDR_IN) { +@@ -22643,11 +23168,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -22741,7 +23268,11 @@ + _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinterDrivers(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrinterDrivers *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; + uint32_t _ptr_environment; ++ uint32_t size_environment_1 = 0; ++ uint32_t length_environment_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_server_0; +@@ -22764,11 +23295,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_environment)); +@@ -22782,11 +23315,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.environment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.environment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.environment)); +- if (ndr_get_array_length(ndr, &r->in.environment) > ndr_get_array_size(ndr, &r->in.environment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.environment), ndr_get_array_length(ndr, &r->in.environment)); ++ size_environment_1 = ndr_get_array_size(ndr, &r->in.environment); ++ length_environment_1 = ndr_get_array_length(ndr, &r->in.environment); ++ if (length_environment_1 > size_environment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_environment_1, length_environment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_environment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, length_environment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_environment_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -22861,6 +23396,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrinterDrivers(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrinterDrivers *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -22870,14 +23406,15 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); ++ size_info_0 = r->in.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_spoolss_DriverInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_DriverInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -22995,6 +23532,8 @@ + static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriver(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDriver *r) + { + uint32_t _ptr_architecture; ++ uint32_t size_architecture_1 = 0; ++ uint32_t length_architecture_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_handle_0; +@@ -23023,11 +23562,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.architecture, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); +- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); ++ size_architecture_1 = ndr_get_array_size(ndr, &r->in.architecture); ++ length_architecture_1 = ndr_get_array_length(ndr, &r->in.architecture); ++ if (length_architecture_1 > size_architecture_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -23176,7 +23717,11 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverDirectory(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDriverDirectory *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; + uint32_t _ptr_environment; ++ uint32_t size_environment_1 = 0; ++ uint32_t length_environment_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_server_0; +@@ -23198,11 +23743,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_environment)); +@@ -23216,11 +23763,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.environment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.environment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.environment)); +- if (ndr_get_array_length(ndr, &r->in.environment) > ndr_get_array_size(ndr, &r->in.environment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.environment), ndr_get_array_length(ndr, &r->in.environment)); ++ size_environment_1 = ndr_get_array_size(ndr, &r->in.environment); ++ length_environment_1 = ndr_get_array_length(ndr, &r->in.environment); ++ if (length_environment_1 > size_environment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_environment_1, length_environment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_environment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, length_environment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_environment_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -23352,6 +23901,12 @@ + static enum ndr_err_code ndr_pull_spoolss_DeletePrinterDriver(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterDriver *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; ++ uint32_t size_architecture_0 = 0; ++ uint32_t length_architecture_0 = 0; ++ uint32_t size_driver_0 = 0; ++ uint32_t length_driver_0 = 0; + TALLOC_CTX *_mem_save_server_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server)); +@@ -23365,27 +23920,33 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); +- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); ++ size_architecture_0 = ndr_get_array_size(ndr, &r->in.architecture); ++ length_architecture_0 = ndr_get_array_length(ndr, &r->in.architecture); ++ if (length_architecture_0 > size_architecture_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_0, length_architecture_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.driver)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.driver)); +- if (ndr_get_array_length(ndr, &r->in.driver) > ndr_get_array_size(ndr, &r->in.driver)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.driver), ndr_get_array_length(ndr, &r->in.driver)); ++ size_driver_0 = ndr_get_array_size(ndr, &r->in.driver); ++ length_driver_0 = ndr_get_array_length(ndr, &r->in.driver); ++ if (length_driver_0 > size_driver_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_0, length_driver_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.driver), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver, ndr_get_array_length(ndr, &r->in.driver), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver, length_driver_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -23455,6 +24016,14 @@ + static enum ndr_err_code ndr_pull_spoolss_AddPrintProcessor(struct ndr_pull *ndr, int flags, struct spoolss_AddPrintProcessor *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; ++ uint32_t size_architecture_0 = 0; ++ uint32_t length_architecture_0 = 0; ++ uint32_t size_path_name_0 = 0; ++ uint32_t length_path_name_0 = 0; ++ uint32_t size_print_processor_name_0 = 0; ++ uint32_t length_print_processor_name_0 = 0; + TALLOC_CTX *_mem_save_server_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server)); +@@ -23468,34 +24037,42 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); +- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); ++ size_architecture_0 = ndr_get_array_size(ndr, &r->in.architecture); ++ length_architecture_0 = ndr_get_array_length(ndr, &r->in.architecture); ++ if (length_architecture_0 > size_architecture_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_0, length_architecture_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path_name)); +- if (ndr_get_array_length(ndr, &r->in.path_name) > ndr_get_array_size(ndr, &r->in.path_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path_name), ndr_get_array_length(ndr, &r->in.path_name)); ++ size_path_name_0 = ndr_get_array_size(ndr, &r->in.path_name); ++ length_path_name_0 = ndr_get_array_length(ndr, &r->in.path_name); ++ if (length_path_name_0 > size_path_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_name_0, length_path_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path_name, ndr_get_array_length(ndr, &r->in.path_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path_name, length_path_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.print_processor_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.print_processor_name)); +- if (ndr_get_array_length(ndr, &r->in.print_processor_name) > ndr_get_array_size(ndr, &r->in.print_processor_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.print_processor_name), ndr_get_array_length(ndr, &r->in.print_processor_name)); ++ size_print_processor_name_0 = ndr_get_array_size(ndr, &r->in.print_processor_name); ++ length_print_processor_name_0 = ndr_get_array_length(ndr, &r->in.print_processor_name); ++ if (length_print_processor_name_0 > size_print_processor_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_name_0, length_print_processor_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.print_processor_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.print_processor_name, ndr_get_array_length(ndr, &r->in.print_processor_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.print_processor_name, length_print_processor_name_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -23579,7 +24156,11 @@ + _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrintProcessors(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrintProcessors *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_environment; ++ uint32_t size_environment_1 = 0; ++ uint32_t length_environment_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_servername_0; +@@ -23602,11 +24183,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_environment)); +@@ -23620,11 +24203,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.environment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.environment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.environment)); +- if (ndr_get_array_length(ndr, &r->in.environment) > ndr_get_array_size(ndr, &r->in.environment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.environment), ndr_get_array_length(ndr, &r->in.environment)); ++ size_environment_1 = ndr_get_array_size(ndr, &r->in.environment); ++ length_environment_1 = ndr_get_array_length(ndr, &r->in.environment); ++ if (length_environment_1 > size_environment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_environment_1, length_environment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_environment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, length_environment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_environment_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -23699,6 +24284,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrintProcessors(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrintProcessors *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -23708,14 +24294,15 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); ++ size_info_0 = r->in.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_spoolss_PrintProcessorInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_PrintProcessorInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -23836,7 +24423,11 @@ + static enum ndr_err_code ndr_pull_spoolss_GetPrintProcessorDirectory(struct ndr_pull *ndr, int flags, struct spoolss_GetPrintProcessorDirectory *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; + uint32_t _ptr_environment; ++ uint32_t size_environment_1 = 0; ++ uint32_t length_environment_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_server_0; +@@ -23858,11 +24449,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_environment)); +@@ -23876,11 +24469,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.environment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.environment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.environment)); +- if (ndr_get_array_length(ndr, &r->in.environment) > ndr_get_array_size(ndr, &r->in.environment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.environment), ndr_get_array_length(ndr, &r->in.environment)); ++ size_environment_1 = ndr_get_array_size(ndr, &r->in.environment); ++ length_environment_1 = ndr_get_array_length(ndr, &r->in.environment); ++ if (length_environment_1 > size_environment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_environment_1, length_environment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, ndr_get_array_length(ndr, &r->in.environment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_environment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.environment, length_environment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_environment_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -24355,6 +24950,7 @@ + + static enum ndr_err_code ndr_pull_spoolss_ReadPrinter(struct ndr_pull *ndr, int flags, struct spoolss_ReadPrinter *r) + { ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save__data_size_0; + if (flags & NDR_IN) { +@@ -24375,10 +24971,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->out.data); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); ++ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out._data_size); + } +@@ -24520,6 +25117,7 @@ + static enum ndr_err_code ndr_pull_spoolss_AddJob(struct ndr_pull *ndr, int flags, struct spoolss_AddJob *r) + { + uint32_t _ptr_buffer; ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_buffer_0; + TALLOC_CTX *_mem_save_needed_0; +@@ -24544,8 +25142,9 @@ + _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); +- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer))); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); ++ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, size_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); +@@ -24566,8 +25165,9 @@ + _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -24724,6 +25324,9 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_GetPrinterData(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterData *r) + { ++ uint32_t size_value_name_0 = 0; ++ uint32_t length_value_name_0 = 0; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_type_0; + TALLOC_CTX *_mem_save_needed_0; +@@ -24739,11 +25342,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); +- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); ++ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); ++ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); ++ if (length_value_name_0 > size_value_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); + NDR_PULL_ALLOC(ndr, r->out.type); + ZERO_STRUCTP(r->out.type); +@@ -24761,10 +25366,11 @@ + NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, r->out.type)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_type_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->out.data); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); ++ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -24847,6 +25453,9 @@ + + static enum ndr_err_code ndr_pull_spoolss_SetPrinterData(struct ndr_pull *ndr, int flags, struct spoolss_SetPrinterData *r) + { ++ uint32_t size_value_name_0 = 0; ++ uint32_t length_value_name_0 = 0; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -24858,17 +25467,20 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); +- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); ++ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); ++ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); ++ if (length_value_name_0 > size_value_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, &r->in.type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->in.data); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); ++ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); + if (r->in.data) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.offered)); +@@ -25119,6 +25731,8 @@ + + static enum ndr_err_code ndr_pull_spoolss_DeleteForm(struct ndr_pull *ndr, int flags, struct spoolss_DeleteForm *r) + { ++ uint32_t size_form_name_0 = 0; ++ uint32_t length_form_name_0 = 0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -25130,11 +25744,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.form_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.form_name)); +- if (ndr_get_array_length(ndr, &r->in.form_name) > ndr_get_array_size(ndr, &r->in.form_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.form_name), ndr_get_array_length(ndr, &r->in.form_name)); ++ size_form_name_0 = ndr_get_array_size(ndr, &r->in.form_name); ++ length_form_name_0 = ndr_get_array_length(ndr, &r->in.form_name); ++ if (length_form_name_0 > size_form_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_0, length_form_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, length_form_name_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -25209,6 +25825,8 @@ + + static enum ndr_err_code ndr_pull_spoolss_GetForm(struct ndr_pull *ndr, int flags, struct spoolss_GetForm *r) + { ++ uint32_t size_form_name_0 = 0; ++ uint32_t length_form_name_0 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_handle_0; +@@ -25227,11 +25845,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.form_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.form_name)); +- if (ndr_get_array_length(ndr, &r->in.form_name) > ndr_get_array_size(ndr, &r->in.form_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.form_name), ndr_get_array_length(ndr, &r->in.form_name)); ++ size_form_name_0 = ndr_get_array_size(ndr, &r->in.form_name); ++ length_form_name_0 = ndr_get_array_length(ndr, &r->in.form_name); ++ if (length_form_name_0 > size_form_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_0, length_form_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, length_form_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_buffer)); + if (_ptr_buffer) { +@@ -25349,6 +25969,8 @@ + + static enum ndr_err_code ndr_pull_spoolss_SetForm(struct ndr_pull *ndr, int flags, struct spoolss_SetForm *r) + { ++ uint32_t size_form_name_0 = 0; ++ uint32_t length_form_name_0 = 0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -25360,11 +25982,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.form_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.form_name)); +- if (ndr_get_array_length(ndr, &r->in.form_name) > ndr_get_array_size(ndr, &r->in.form_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.form_name), ndr_get_array_length(ndr, &r->in.form_name)); ++ size_form_name_0 = ndr_get_array_size(ndr, &r->in.form_name); ++ length_form_name_0 = ndr_get_array_length(ndr, &r->in.form_name); ++ if (length_form_name_0 > size_form_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_form_name_0, length_form_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, ndr_get_array_length(ndr, &r->in.form_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_form_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.form_name, length_form_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->in.info, r->in.level)); + NDR_CHECK(ndr_pull_spoolss_AddFormInfo(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.info)); +@@ -25528,6 +26152,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumForms(struct ndr_pull *ndr, int flags, struct __spoolss_EnumForms *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -25537,14 +26162,15 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); ++ size_info_0 = r->in.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_spoolss_FormInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_FormInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -25648,6 +26274,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPorts(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPorts *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_servername_0; +@@ -25669,11 +26297,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -25748,6 +26378,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPorts(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPorts *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -25757,14 +26388,15 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); ++ size_info_0 = r->in.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_spoolss_PortInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_PortInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -25870,6 +26502,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumMonitors(struct ndr_pull *ndr, int flags, struct _spoolss_EnumMonitors *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_servername_0; +@@ -25891,11 +26525,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -25970,6 +26606,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumMonitors(struct ndr_pull *ndr, int flags, struct __spoolss_EnumMonitors *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -25979,14 +26616,15 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); ++ size_info_0 = r->in.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_spoolss_MonitorInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_MonitorInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -26079,6 +26717,10 @@ + static enum ndr_err_code ndr_pull_spoolss_AddPort(struct ndr_pull *ndr, int flags, struct spoolss_AddPort *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_monitor_name_0 = 0; ++ uint32_t length_monitor_name_0 = 0; + TALLOC_CTX *_mem_save_server_name_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_name)); +@@ -26092,21 +26734,25 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.monitor_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.monitor_name)); +- if (ndr_get_array_length(ndr, &r->in.monitor_name) > ndr_get_array_size(ndr, &r->in.monitor_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.monitor_name), ndr_get_array_length(ndr, &r->in.monitor_name)); ++ size_monitor_name_0 = ndr_get_array_size(ndr, &r->in.monitor_name); ++ length_monitor_name_0 = ndr_get_array_length(ndr, &r->in.monitor_name); ++ if (length_monitor_name_0 > size_monitor_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_0, length_monitor_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.monitor_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.monitor_name, ndr_get_array_length(ndr, &r->in.monitor_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.monitor_name, length_monitor_name_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -26214,6 +26860,10 @@ + static enum ndr_err_code ndr_pull_spoolss_DeletePort(struct ndr_pull *ndr, int flags, struct spoolss_DeletePort *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_port_name_1 = 0; ++ uint32_t length_port_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_name)); +@@ -26227,21 +26877,25 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.ptr)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.port_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.port_name)); +- if (ndr_get_array_length(ndr, &r->in.port_name) > ndr_get_array_size(ndr, &r->in.port_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.port_name), ndr_get_array_length(ndr, &r->in.port_name)); ++ size_port_name_1 = ndr_get_array_size(ndr, &r->in.port_name); ++ length_port_name_1 = ndr_get_array_length(ndr, &r->in.port_name); ++ if (length_port_name_1 > size_port_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_port_name_1, length_port_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.port_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.port_name, ndr_get_array_length(ndr, &r->in.port_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_port_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.port_name, length_port_name_1, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -26876,7 +27530,11 @@ + _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrintProcDataTypes(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrintProcDataTypes *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_print_processor_name; ++ uint32_t size_print_processor_name_1 = 0; ++ uint32_t length_print_processor_name_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_servername_0; +@@ -26899,11 +27557,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_print_processor_name)); +@@ -26917,11 +27577,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.print_processor_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.print_processor_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.print_processor_name)); +- if (ndr_get_array_length(ndr, &r->in.print_processor_name) > ndr_get_array_size(ndr, &r->in.print_processor_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.print_processor_name), ndr_get_array_length(ndr, &r->in.print_processor_name)); ++ size_print_processor_name_1 = ndr_get_array_size(ndr, &r->in.print_processor_name); ++ length_print_processor_name_1 = ndr_get_array_length(ndr, &r->in.print_processor_name); ++ if (length_print_processor_name_1 > size_print_processor_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_print_processor_name_1, length_print_processor_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.print_processor_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.print_processor_name, ndr_get_array_length(ndr, &r->in.print_processor_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_print_processor_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.print_processor_name, length_print_processor_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_print_processor_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -26996,6 +27658,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrintProcDataTypes(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrintProcDataTypes *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -27005,14 +27668,15 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); ++ size_info_0 = r->in.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->out.info[cntr_info_0], r->in.level)); + NDR_CHECK(ndr_pull_spoolss_PrintProcDataTypesInfo(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_PrintProcDataTypesInfo(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -27114,6 +27778,8 @@ + static enum ndr_err_code ndr_pull_spoolss_ResetPrinter(struct ndr_pull *ndr, int flags, struct spoolss_ResetPrinter *r) + { + uint32_t _ptr_data_type; ++ uint32_t size_data_type_1 = 0; ++ uint32_t length_data_type_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_data_type_0; + TALLOC_CTX *_mem_save_devmode_ctr_0; +@@ -27136,11 +27802,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.data_type, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data_type)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.data_type)); +- if (ndr_get_array_length(ndr, &r->in.data_type) > ndr_get_array_size(ndr, &r->in.data_type)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.data_type), ndr_get_array_length(ndr, &r->in.data_type)); ++ size_data_type_1 = ndr_get_array_size(ndr, &r->in.data_type); ++ length_data_type_1 = ndr_get_array_length(ndr, &r->in.data_type); ++ if (length_data_type_1 > size_data_type_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_type_1, length_data_type_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.data_type), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.data_type, ndr_get_array_length(ndr, &r->in.data_type), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_type_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.data_type, length_data_type_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_type_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -27247,6 +27915,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_GetPrinterDriver2(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDriver2 *r) + { + uint32_t _ptr_architecture; ++ uint32_t size_architecture_1 = 0; ++ uint32_t length_architecture_1 = 0; + uint32_t _ptr_buffer; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_handle_0; +@@ -27277,11 +27947,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.architecture, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); +- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); ++ size_architecture_1 = ndr_get_array_size(ndr, &r->in.architecture); ++ length_architecture_1 = ndr_get_array_length(ndr, &r->in.architecture); ++ if (length_architecture_1 > size_architecture_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_architecture_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -27625,7 +28297,10 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_ReplyOpenPrinter(struct ndr_pull *ndr, int flags, struct spoolss_ReplyOpenPrinter *r) + { ++ uint32_t size_server_name_0 = 0; ++ uint32_t length_server_name_0 = 0; + uint32_t _ptr_buffer; ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_buffer_0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { +@@ -27633,11 +28308,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_0 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_0 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_0 > size_server_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_0, length_server_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.printer_local)); + NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, &r->in.type)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.bufsize)); +@@ -27654,8 +28331,9 @@ + _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); +- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer))); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); ++ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, size_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.handle); +@@ -27737,6 +28415,7 @@ + static enum ndr_err_code ndr_pull_spoolss_RouterReplyPrinter(struct ndr_pull *ndr, int flags, struct spoolss_RouterReplyPrinter *r) + { + uint32_t _ptr_buffer; ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_buffer_0; + if (flags & NDR_IN) { +@@ -27762,8 +28441,9 @@ + _mem_save_buffer_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); +- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer))); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); ++ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, size_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + if (r->in.buffer) { +@@ -27922,7 +28602,11 @@ + static enum ndr_err_code ndr_pull_spoolss_AddPortEx(struct ndr_pull *ndr, int flags, struct spoolss_AddPortEx *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_monitor_name; ++ uint32_t size_monitor_name_1 = 0; ++ uint32_t length_monitor_name_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_port_ctr_0; + TALLOC_CTX *_mem_save_port_var_ctr_0; +@@ -27939,11 +28623,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -27971,11 +28657,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.monitor_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.monitor_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.monitor_name)); +- if (ndr_get_array_length(ndr, &r->in.monitor_name) > ndr_get_array_size(ndr, &r->in.monitor_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.monitor_name), ndr_get_array_length(ndr, &r->in.monitor_name)); ++ size_monitor_name_1 = ndr_get_array_size(ndr, &r->in.monitor_name); ++ length_monitor_name_1 = ndr_get_array_length(ndr, &r->in.monitor_name); ++ if (length_monitor_name_1 > size_monitor_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_monitor_name_1, length_monitor_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.monitor_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.monitor_name, ndr_get_array_length(ndr, &r->in.monitor_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_monitor_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.monitor_name, length_monitor_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_monitor_name_0, 0); + } + } +@@ -28184,6 +28872,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_RemoteFindFirstPrinterChangeNotifyEx(struct ndr_pull *ndr, int flags, struct spoolss_RemoteFindFirstPrinterChangeNotifyEx *r) + { + uint32_t _ptr_local_machine; ++ uint32_t size_local_machine_1 = 0; ++ uint32_t length_local_machine_1 = 0; + uint32_t _ptr_notify_options; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_local_machine_0; +@@ -28209,11 +28899,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.local_machine, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.local_machine)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.local_machine)); +- if (ndr_get_array_length(ndr, &r->in.local_machine) > ndr_get_array_size(ndr, &r->in.local_machine)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.local_machine), ndr_get_array_length(ndr, &r->in.local_machine)); ++ size_local_machine_1 = ndr_get_array_size(ndr, &r->in.local_machine); ++ length_local_machine_1 = ndr_get_array_length(ndr, &r->in.local_machine); ++ if (length_local_machine_1 > size_local_machine_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_local_machine_1, length_local_machine_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.local_machine), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.local_machine, ndr_get_array_length(ndr, &r->in.local_machine), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_local_machine_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.local_machine, length_local_machine_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_local_machine_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.printer_local)); +@@ -28574,7 +29266,11 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_OpenPrinterEx(struct ndr_pull *ndr, int flags, struct spoolss_OpenPrinterEx *r) + { + uint32_t _ptr_printername; ++ uint32_t size_printername_1 = 0; ++ uint32_t length_printername_1 = 0; + uint32_t _ptr_datatype; ++ uint32_t size_datatype_1 = 0; ++ uint32_t length_datatype_1 = 0; + TALLOC_CTX *_mem_save_printername_0; + TALLOC_CTX *_mem_save_datatype_0; + TALLOC_CTX *_mem_save_handle_0; +@@ -28592,11 +29288,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.printername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.printername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.printername)); +- if (ndr_get_array_length(ndr, &r->in.printername) > ndr_get_array_size(ndr, &r->in.printername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.printername), ndr_get_array_length(ndr, &r->in.printername)); ++ size_printername_1 = ndr_get_array_size(ndr, &r->in.printername); ++ length_printername_1 = ndr_get_array_length(ndr, &r->in.printername); ++ if (length_printername_1 > size_printername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_printername_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_datatype)); +@@ -28610,11 +29308,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.datatype, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.datatype)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.datatype)); +- if (ndr_get_array_length(ndr, &r->in.datatype) > ndr_get_array_size(ndr, &r->in.datatype)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.datatype), ndr_get_array_length(ndr, &r->in.datatype)); ++ size_datatype_1 = ndr_get_array_size(ndr, &r->in.datatype); ++ length_datatype_1 = ndr_get_array_length(ndr, &r->in.datatype); ++ if (length_datatype_1 > size_datatype_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_datatype_1, length_datatype_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.datatype), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.datatype, ndr_get_array_length(ndr, &r->in.datatype), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_datatype_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.datatype, length_datatype_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_datatype_0, 0); + } + NDR_CHECK(ndr_pull_spoolss_DevmodeContainer(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.devmode_ctr)); +@@ -28721,6 +29421,8 @@ + static enum ndr_err_code ndr_pull_spoolss_AddPrinterEx(struct ndr_pull *ndr, int flags, struct spoolss_AddPrinterEx *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; + TALLOC_CTX *_mem_save_server_0; + TALLOC_CTX *_mem_save_info_ctr_0; + TALLOC_CTX *_mem_save_devmode_ctr_0; +@@ -28741,11 +29443,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -28871,7 +29575,11 @@ + static enum ndr_err_code ndr_pull_spoolss_SetPort(struct ndr_pull *ndr, int flags, struct spoolss_SetPort *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + uint32_t _ptr_port_name; ++ uint32_t size_port_name_1 = 0; ++ uint32_t length_port_name_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_port_name_0; + TALLOC_CTX *_mem_save_port_ctr_0; +@@ -28887,11 +29595,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_port_name)); +@@ -28905,11 +29615,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.port_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.port_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.port_name)); +- if (ndr_get_array_length(ndr, &r->in.port_name) > ndr_get_array_size(ndr, &r->in.port_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.port_name), ndr_get_array_length(ndr, &r->in.port_name)); ++ size_port_name_1 = ndr_get_array_size(ndr, &r->in.port_name); ++ length_port_name_1 = ndr_get_array_length(ndr, &r->in.port_name); ++ if (length_port_name_1 > size_port_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_port_name_1, length_port_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.port_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.port_name, ndr_get_array_length(ndr, &r->in.port_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_port_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.port_name, length_port_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_port_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -29007,6 +29719,8 @@ + + static enum ndr_err_code ndr_pull_spoolss_EnumPrinterData(struct ndr_pull *ndr, int flags, struct spoolss_EnumPrinterData *r) + { ++ uint32_t size_value_name_0 = 0; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_value_needed_0; + TALLOC_CTX *_mem_save_type_0; +@@ -29035,7 +29749,8 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.value_name)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.value_name, ndr_get_array_size(ndr, &r->out.value_name), sizeof(uint16_t), CH_UTF16)); ++ size_value_name_0 = ndr_get_array_size(ndr, &r->out.value_name); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.value_name, size_value_name_0, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.value_needed); + } +@@ -29054,10 +29769,11 @@ + uint32_t _flags_save_uint8 = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->out.data); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); ++ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); + ndr->flags = _flags_save_uint8; + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -29144,6 +29860,8 @@ + + static enum ndr_err_code ndr_pull_spoolss_DeletePrinterData(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterData *r) + { ++ uint32_t size_value_name_0 = 0; ++ uint32_t length_value_name_0 = 0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -29155,11 +29873,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); +- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); ++ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); ++ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); ++ if (length_value_name_0 > size_value_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -29351,6 +30071,11 @@ + + static enum ndr_err_code ndr_pull_spoolss_SetPrinterDataEx(struct ndr_pull *ndr, int flags, struct spoolss_SetPrinterDataEx *r) + { ++ uint32_t size_key_name_0 = 0; ++ uint32_t length_key_name_0 = 0; ++ uint32_t size_value_name_0 = 0; ++ uint32_t length_value_name_0 = 0; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -29362,24 +30087,29 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); +- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); ++ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); ++ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); ++ if (length_key_name_0 > size_key_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); +- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); ++ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); ++ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); ++ if (length_value_name_0 > size_value_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, &r->in.type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->in.data); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); ++ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); + if (r->in.data) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.offered)); +@@ -29463,6 +30193,11 @@ + + static enum ndr_err_code ndr_pull_spoolss_GetPrinterDataEx(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDataEx *r) + { ++ uint32_t size_key_name_0 = 0; ++ uint32_t length_key_name_0 = 0; ++ uint32_t size_value_name_0 = 0; ++ uint32_t length_value_name_0 = 0; ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_type_0; + TALLOC_CTX *_mem_save_needed_0; +@@ -29478,18 +30213,22 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); +- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); ++ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); ++ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); ++ if (length_key_name_0 > size_key_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); +- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); ++ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); ++ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); ++ if (length_value_name_0 > size_value_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); + NDR_PULL_ALLOC(ndr, r->out.type); + ZERO_STRUCTP(r->out.type); +@@ -29507,10 +30246,11 @@ + NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, r->out.type)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_type_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->out.data); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); ++ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_size(ndr, &r->out.data))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, size_data_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -29597,6 +30337,8 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull__spoolss_EnumPrinterDataEx(struct ndr_pull *ndr, int flags, struct _spoolss_EnumPrinterDataEx *r) + { ++ uint32_t size_key_name_0 = 0; ++ uint32_t length_key_name_0 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_needed_0; + TALLOC_CTX *_mem_save_count_0; +@@ -29612,11 +30354,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); +- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); ++ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); ++ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); ++ if (length_key_name_0 > size_key_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); + NDR_PULL_ALLOC(ndr, r->out.needed); + ZERO_STRUCTP(r->out.needed); +@@ -29663,6 +30407,7 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull___spoolss_EnumPrinterDataEx(struct ndr_pull *ndr, int flags, struct __spoolss_EnumPrinterDataEx *r) + { ++ uint32_t size_info_0 = 0; + uint32_t cntr_info_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -29671,13 +30416,14 @@ + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.count)); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.info, r->in.count); ++ size_info_0 = r->in.count; ++ NDR_PULL_ALLOC_N(ndr, r->out.info, size_info_0); + _mem_save_info_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.info, 0); +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_PrinterEnumValues(ndr, NDR_SCALARS, &r->out.info[cntr_info_0])); + } +- for (cntr_info_0 = 0; cntr_info_0 < r->in.count; cntr_info_0++) { ++ for (cntr_info_0 = 0; cntr_info_0 < size_info_0; cntr_info_0++) { + NDR_CHECK(ndr_pull_spoolss_PrinterEnumValues(ndr, NDR_BUFFERS, &r->out.info[cntr_info_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_info_0, 0); +@@ -29775,6 +30521,8 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_EnumPrinterKey(struct ndr_pull *ndr, int flags, struct spoolss_EnumPrinterKey *r) + { ++ uint32_t size_key_name_0 = 0; ++ uint32_t length_key_name_0 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save__ndr_size_0; + TALLOC_CTX *_mem_save_key_buffer_0; +@@ -29791,11 +30539,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); +- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); ++ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); ++ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); ++ if (length_key_name_0 > size_key_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); + NDR_PULL_ALLOC(ndr, r->out._ndr_size); + ZERO_STRUCTP(r->out._ndr_size); +@@ -29902,6 +30652,10 @@ + + static enum ndr_err_code ndr_pull_spoolss_DeletePrinterDataEx(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterDataEx *r) + { ++ uint32_t size_key_name_0 = 0; ++ uint32_t length_key_name_0 = 0; ++ uint32_t size_value_name_0 = 0; ++ uint32_t length_value_name_0 = 0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -29913,18 +30667,22 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); +- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); ++ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); ++ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); ++ if (length_key_name_0 > size_key_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value_name)); +- if (ndr_get_array_length(ndr, &r->in.value_name) > ndr_get_array_size(ndr, &r->in.value_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value_name), ndr_get_array_length(ndr, &r->in.value_name)); ++ size_value_name_0 = ndr_get_array_size(ndr, &r->in.value_name); ++ length_value_name_0 = ndr_get_array_length(ndr, &r->in.value_name); ++ if (length_value_name_0 > size_value_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_name_0, length_value_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, ndr_get_array_length(ndr, &r->in.value_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_value_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.value_name, length_value_name_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -29980,6 +30738,8 @@ + + static enum ndr_err_code ndr_pull_spoolss_DeletePrinterKey(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterKey *r) + { ++ uint32_t size_key_name_0 = 0; ++ uint32_t length_key_name_0 = 0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -29991,11 +30751,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.key_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.key_name)); +- if (ndr_get_array_length(ndr, &r->in.key_name) > ndr_get_array_size(ndr, &r->in.key_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.key_name), ndr_get_array_length(ndr, &r->in.key_name)); ++ size_key_name_0 = ndr_get_array_size(ndr, &r->in.key_name); ++ length_key_name_0 = ndr_get_array_length(ndr, &r->in.key_name); ++ if (length_key_name_0 > size_key_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_0, length_key_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, ndr_get_array_length(ndr, &r->in.key_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.key_name, length_key_name_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -30102,6 +30864,12 @@ + static enum ndr_err_code ndr_pull_spoolss_DeletePrinterDriverEx(struct ndr_pull *ndr, int flags, struct spoolss_DeletePrinterDriverEx *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; ++ uint32_t size_architecture_0 = 0; ++ uint32_t length_architecture_0 = 0; ++ uint32_t size_driver_0 = 0; ++ uint32_t length_driver_0 = 0; + TALLOC_CTX *_mem_save_server_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server)); +@@ -30115,27 +30883,33 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); +- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); ++ size_architecture_0 = ndr_get_array_size(ndr, &r->in.architecture); ++ length_architecture_0 = ndr_get_array_length(ndr, &r->in.architecture); ++ if (length_architecture_0 > size_architecture_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_0, length_architecture_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.driver)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.driver)); +- if (ndr_get_array_length(ndr, &r->in.driver) > ndr_get_array_size(ndr, &r->in.driver)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.driver), ndr_get_array_length(ndr, &r->in.driver)); ++ size_driver_0 = ndr_get_array_size(ndr, &r->in.driver); ++ length_driver_0 = ndr_get_array_length(ndr, &r->in.driver); ++ if (length_driver_0 > size_driver_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_driver_0, length_driver_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.driver), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver, ndr_get_array_length(ndr, &r->in.driver), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_driver_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver, length_driver_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_spoolss_DeleteDriverFlags(ndr, NDR_SCALARS, &r->in.delete_flags)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.version)); + } +@@ -30218,6 +30992,14 @@ + static enum ndr_err_code ndr_pull_spoolss_AddPerMachineConnection(struct ndr_pull *ndr, int flags, struct spoolss_AddPerMachineConnection *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; ++ uint32_t size_printername_1 = 0; ++ uint32_t length_printername_1 = 0; ++ uint32_t size_printserver_1 = 0; ++ uint32_t length_printserver_1 = 0; ++ uint32_t size_provider_1 = 0; ++ uint32_t length_provider_1 = 0; + TALLOC_CTX *_mem_save_server_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server)); +@@ -30231,34 +31013,42 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.printername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.printername)); +- if (ndr_get_array_length(ndr, &r->in.printername) > ndr_get_array_size(ndr, &r->in.printername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.printername), ndr_get_array_length(ndr, &r->in.printername)); ++ size_printername_1 = ndr_get_array_size(ndr, &r->in.printername); ++ length_printername_1 = ndr_get_array_length(ndr, &r->in.printername); ++ if (length_printername_1 > size_printername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.printserver)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.printserver)); +- if (ndr_get_array_length(ndr, &r->in.printserver) > ndr_get_array_size(ndr, &r->in.printserver)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.printserver), ndr_get_array_length(ndr, &r->in.printserver)); ++ size_printserver_1 = ndr_get_array_size(ndr, &r->in.printserver); ++ length_printserver_1 = ndr_get_array_length(ndr, &r->in.printserver); ++ if (length_printserver_1 > size_printserver_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printserver_1, length_printserver_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.printserver), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printserver, ndr_get_array_length(ndr, &r->in.printserver), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printserver_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printserver, length_printserver_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.provider)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.provider)); +- if (ndr_get_array_length(ndr, &r->in.provider) > ndr_get_array_size(ndr, &r->in.provider)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.provider), ndr_get_array_length(ndr, &r->in.provider)); ++ size_provider_1 = ndr_get_array_size(ndr, &r->in.provider); ++ length_provider_1 = ndr_get_array_length(ndr, &r->in.provider); ++ if (length_provider_1 > size_provider_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_provider_1, length_provider_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.provider), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.provider, ndr_get_array_length(ndr, &r->in.provider), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_provider_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.provider, length_provider_1, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -30333,6 +31123,10 @@ + static enum ndr_err_code ndr_pull_spoolss_DeletePerMachineConnection(struct ndr_pull *ndr, int flags, struct spoolss_DeletePerMachineConnection *r) + { + uint32_t _ptr_server; ++ uint32_t size_server_1 = 0; ++ uint32_t length_server_1 = 0; ++ uint32_t size_printername_1 = 0; ++ uint32_t length_printername_1 = 0; + TALLOC_CTX *_mem_save_server_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server)); +@@ -30346,20 +31140,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server)); +- if (ndr_get_array_length(ndr, &r->in.server) > ndr_get_array_size(ndr, &r->in.server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server), ndr_get_array_length(ndr, &r->in.server)); ++ size_server_1 = ndr_get_array_size(ndr, &r->in.server); ++ length_server_1 = ndr_get_array_length(ndr, &r->in.server); ++ if (length_server_1 > size_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_1, length_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, ndr_get_array_length(ndr, &r->in.server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server, length_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.printername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.printername)); +- if (ndr_get_array_length(ndr, &r->in.printername) > ndr_get_array_size(ndr, &r->in.printername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.printername), ndr_get_array_length(ndr, &r->in.printername)); ++ size_printername_1 = ndr_get_array_size(ndr, &r->in.printername); ++ length_printername_1 = ndr_get_array_length(ndr, &r->in.printername); ++ if (length_printername_1 > size_printername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_printername_1, length_printername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, ndr_get_array_length(ndr, &r->in.printername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_printername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.printername, length_printername_1, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -30481,6 +31279,9 @@ + + static enum ndr_err_code ndr_pull_spoolss_XcvData(struct ndr_pull *ndr, int flags, struct spoolss_XcvData *r) + { ++ uint32_t size_function_name_0 = 0; ++ uint32_t length_function_name_0 = 0; ++ uint32_t size_out_data_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_needed_0; + TALLOC_CTX *_mem_save_status_code_0; +@@ -30496,11 +31297,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.function_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.function_name)); +- if (ndr_get_array_length(ndr, &r->in.function_name) > ndr_get_array_size(ndr, &r->in.function_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.function_name), ndr_get_array_length(ndr, &r->in.function_name)); ++ size_function_name_0 = ndr_get_array_size(ndr, &r->in.function_name); ++ length_function_name_0 = ndr_get_array_length(ndr, &r->in.function_name); ++ if (length_function_name_0 > size_function_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_function_name_0, length_function_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.function_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.function_name, ndr_get_array_length(ndr, &r->in.function_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_function_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.function_name, length_function_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->in.in_data)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in._in_data_length)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.out_data_size)); +@@ -30520,10 +31323,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.out_data)); ++ size_out_data_1 = ndr_get_array_size(ndr, &r->out.out_data); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data)); ++ NDR_PULL_ALLOC_N(ndr, r->out.out_data, size_out_data_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, ndr_get_array_size(ndr, &r->out.out_data))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.out_data, size_out_data_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -30617,6 +31421,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_spoolss_AddPrinterDriverEx(struct ndr_pull *ndr, int flags, struct spoolss_AddPrinterDriverEx *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_info_ctr_0; + if (flags & NDR_IN) { +@@ -30631,11 +31437,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -31232,6 +32040,12 @@ + static enum ndr_err_code ndr_pull_spoolss_GetCorePrinterDrivers(struct ndr_pull *ndr, int flags, struct spoolss_GetCorePrinterDrivers *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; ++ uint32_t size_architecture_1 = 0; ++ uint32_t length_architecture_1 = 0; ++ uint32_t size_core_driver_dependencies_1 = 0; ++ uint32_t size_core_printer_drivers_1 = 0; + uint32_t cntr_core_printer_drivers_1; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_core_printer_drivers_1; +@@ -31249,23 +32063,28 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); +- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); ++ size_architecture_1 = ndr_get_array_size(ndr, &r->in.architecture); ++ length_architecture_1 = ndr_get_array_length(ndr, &r->in.architecture); ++ if (length_architecture_1 > size_architecture_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.core_driver_size)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.core_driver_dependencies)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.core_driver_dependencies, ndr_get_array_size(ndr, &r->in.core_driver_dependencies), sizeof(uint16_t), CH_UTF16)); ++ size_core_driver_dependencies_1 = ndr_get_array_size(ndr, &r->in.core_driver_dependencies); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.core_driver_dependencies, size_core_driver_dependencies_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.core_printer_driver_count)); + NDR_PULL_ALLOC_N(ndr, r->out.core_printer_drivers, r->in.core_printer_driver_count); + memset(r->out.core_printer_drivers, 0, (r->in.core_printer_driver_count) * sizeof(*r->out.core_printer_drivers)); +@@ -31275,12 +32094,13 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.core_printer_drivers)); ++ size_core_printer_drivers_1 = ndr_get_array_size(ndr, &r->out.core_printer_drivers); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.core_printer_drivers, ndr_get_array_size(ndr, &r->out.core_printer_drivers)); ++ NDR_PULL_ALLOC_N(ndr, r->out.core_printer_drivers, size_core_printer_drivers_1); + } + _mem_save_core_printer_drivers_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.core_printer_drivers, 0); +- for (cntr_core_printer_drivers_1 = 0; cntr_core_printer_drivers_1 < r->in.core_printer_driver_count; cntr_core_printer_drivers_1++) { ++ for (cntr_core_printer_drivers_1 = 0; cntr_core_printer_drivers_1 < size_core_printer_drivers_1; cntr_core_printer_drivers_1++) { + NDR_CHECK(ndr_pull_spoolss_CorePrinterDriver(ndr, NDR_SCALARS, &r->out.core_printer_drivers[cntr_core_printer_drivers_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_core_printer_drivers_1, 0); +@@ -31438,8 +32258,17 @@ + static enum ndr_err_code ndr_pull_spoolss_GetPrinterDriverPackagePath(struct ndr_pull *ndr, int flags, struct spoolss_GetPrinterDriverPackagePath *r) + { + uint32_t _ptr_servername; ++ uint32_t size_servername_1 = 0; ++ uint32_t length_servername_1 = 0; ++ uint32_t size_architecture_1 = 0; ++ uint32_t length_architecture_1 = 0; + uint32_t _ptr_language; ++ uint32_t size_language_1 = 0; ++ uint32_t length_language_1 = 0; ++ uint32_t size_package_id_1 = 0; ++ uint32_t length_package_id_1 = 0; + uint32_t _ptr_driver_package_cab; ++ uint32_t size_driver_package_cab_1 = 0; + TALLOC_CTX *_mem_save_servername_0; + TALLOC_CTX *_mem_save_language_0; + TALLOC_CTX *_mem_save_driver_package_cab_0; +@@ -31458,20 +32287,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.servername, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.servername)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.servername)); +- if (ndr_get_array_length(ndr, &r->in.servername) > ndr_get_array_size(ndr, &r->in.servername)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.servername), ndr_get_array_length(ndr, &r->in.servername)); ++ size_servername_1 = ndr_get_array_size(ndr, &r->in.servername); ++ length_servername_1 = ndr_get_array_length(ndr, &r->in.servername); ++ if (length_servername_1 > size_servername_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_servername_1, length_servername_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, ndr_get_array_length(ndr, &r->in.servername), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_servername_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.servername, length_servername_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_servername_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.architecture)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.architecture)); +- if (ndr_get_array_length(ndr, &r->in.architecture) > ndr_get_array_size(ndr, &r->in.architecture)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.architecture), ndr_get_array_length(ndr, &r->in.architecture)); ++ size_architecture_1 = ndr_get_array_size(ndr, &r->in.architecture); ++ length_architecture_1 = ndr_get_array_length(ndr, &r->in.architecture); ++ if (length_architecture_1 > size_architecture_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_architecture_1, length_architecture_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, ndr_get_array_length(ndr, &r->in.architecture), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_architecture_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.architecture, length_architecture_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_language)); + if (_ptr_language) { + NDR_PULL_ALLOC(ndr, r->in.language); +@@ -31483,20 +32316,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.language, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.language)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.language)); +- if (ndr_get_array_length(ndr, &r->in.language) > ndr_get_array_size(ndr, &r->in.language)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.language), ndr_get_array_length(ndr, &r->in.language)); ++ size_language_1 = ndr_get_array_size(ndr, &r->in.language); ++ length_language_1 = ndr_get_array_length(ndr, &r->in.language); ++ if (length_language_1 > size_language_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_language_1, length_language_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.language), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.language, ndr_get_array_length(ndr, &r->in.language), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_language_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.language, length_language_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_language_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.package_id)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.package_id)); +- if (ndr_get_array_length(ndr, &r->in.package_id) > ndr_get_array_size(ndr, &r->in.package_id)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.package_id), ndr_get_array_length(ndr, &r->in.package_id)); ++ size_package_id_1 = ndr_get_array_size(ndr, &r->in.package_id); ++ length_package_id_1 = ndr_get_array_length(ndr, &r->in.package_id); ++ if (length_package_id_1 > size_package_id_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_package_id_1, length_package_id_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.package_id), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.package_id, ndr_get_array_length(ndr, &r->in.package_id), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_package_id_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.package_id, length_package_id_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_driver_package_cab)); + if (_ptr_driver_package_cab) { + NDR_PULL_ALLOC(ndr, r->in.driver_package_cab); +@@ -31507,7 +32344,8 @@ + _mem_save_driver_package_cab_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.driver_package_cab, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.driver_package_cab)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver_package_cab, ndr_get_array_size(ndr, &r->in.driver_package_cab), sizeof(uint16_t), CH_UTF16)); ++ size_driver_package_cab_1 = ndr_get_array_size(ndr, &r->in.driver_package_cab); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.driver_package_cab, size_driver_package_cab_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_package_cab_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.driver_package_cab_size)); +@@ -31528,7 +32366,8 @@ + _mem_save_driver_package_cab_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.driver_package_cab, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.driver_package_cab)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.driver_package_cab, ndr_get_array_size(ndr, &r->out.driver_package_cab), sizeof(uint16_t), CH_UTF16)); ++ size_driver_package_cab_1 = ndr_get_array_size(ndr, &r->out.driver_package_cab); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->out.driver_package_cab, size_driver_package_cab_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_driver_package_cab_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_srvsvc.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_srvsvc.c 2012-04-12 12:09:50.547287452 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_srvsvc.c 2012-04-12 12:19:20.915301008 -0500 +@@ -27,6 +27,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevInfo0 *r) + { + uint32_t _ptr_device; ++ uint32_t size_device_1 = 0; ++ uint32_t length_device_1 = 0; + TALLOC_CTX *_mem_save_device_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -44,11 +46,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); +- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); ++ size_device_1 = ndr_get_array_size(ndr, &r->device); ++ length_device_1 = ndr_get_array_length(ndr, &r->device); ++ if (length_device_1 > size_device_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); + } + } +@@ -95,6 +99,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevCtr0 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -114,13 +119,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -184,8 +190,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevInfo1 *r) + { + uint32_t _ptr_device; ++ uint32_t size_device_1 = 0; ++ uint32_t length_device_1 = 0; + TALLOC_CTX *_mem_save_device_0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_user_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -211,11 +221,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); +- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); ++ size_device_1 = ndr_get_array_size(ndr, &r->device); ++ length_device_1 = ndr_get_array_length(ndr, &r->device); ++ if (length_device_1 > size_device_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); + } + if (r->user) { +@@ -223,11 +235,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + } +@@ -282,6 +296,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevCtr1 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -301,13 +316,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetCharDevInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -390,7 +406,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info0_0; ++ uint32_t _ptr_info0; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -401,7 +419,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_info0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); + if (_ptr_info0) { + NDR_PULL_ALLOC(ndr, r->info0); +@@ -411,7 +428,6 @@ + break; } + + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -532,7 +548,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr0_0; ++ uint32_t _ptr_ctr0; + TALLOC_CTX *_mem_save_ctr1_0; ++ uint32_t _ptr_ctr1; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -543,7 +561,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_ctr0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); + if (_ptr_ctr0) { + NDR_PULL_ALLOC(ndr, r->ctr0); +@@ -553,7 +570,6 @@ + break; } + + case 1: { +- uint32_t _ptr_ctr1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); + if (_ptr_ctr1) { + NDR_PULL_ALLOC(ndr, r->ctr1); +@@ -687,6 +703,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQInfo0 *r) + { + uint32_t _ptr_device; ++ uint32_t size_device_1 = 0; ++ uint32_t length_device_1 = 0; + TALLOC_CTX *_mem_save_device_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -704,11 +722,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); +- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); ++ size_device_1 = ndr_get_array_size(ndr, &r->device); ++ length_device_1 = ndr_get_array_length(ndr, &r->device); ++ if (length_device_1 > size_device_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); + } + } +@@ -755,6 +775,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQCtr0 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -774,13 +795,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -845,8 +867,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQInfo1 *r) + { + uint32_t _ptr_device; ++ uint32_t size_device_1 = 0; ++ uint32_t length_device_1 = 0; + TALLOC_CTX *_mem_save_device_0; + uint32_t _ptr_devices; ++ uint32_t size_devices_1 = 0; ++ uint32_t length_devices_1 = 0; + TALLOC_CTX *_mem_save_devices_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -873,11 +899,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->device, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->device)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->device)); +- if (ndr_get_array_length(ndr, &r->device) > ndr_get_array_size(ndr, &r->device)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->device), ndr_get_array_length(ndr, &r->device)); ++ size_device_1 = ndr_get_array_size(ndr, &r->device); ++ length_device_1 = ndr_get_array_length(ndr, &r->device); ++ if (length_device_1 > size_device_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_1, length_device_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, ndr_get_array_length(ndr, &r->device), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->device, length_device_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_device_0, 0); + } + if (r->devices) { +@@ -885,11 +913,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->devices, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->devices)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->devices)); +- if (ndr_get_array_length(ndr, &r->devices) > ndr_get_array_size(ndr, &r->devices)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->devices), ndr_get_array_length(ndr, &r->devices)); ++ size_devices_1 = ndr_get_array_size(ndr, &r->devices); ++ length_devices_1 = ndr_get_array_length(ndr, &r->devices); ++ if (length_devices_1 > size_devices_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_devices_1, length_devices_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->devices), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devices, ndr_get_array_length(ndr, &r->devices), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_devices_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->devices, length_devices_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_devices_0, 0); + } + } +@@ -945,6 +975,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetCharDevQCtr1 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -964,13 +995,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -1053,7 +1085,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info0_0; ++ uint32_t _ptr_info0; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -1064,7 +1098,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_info0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); + if (_ptr_info0) { + NDR_PULL_ALLOC(ndr, r->info0); +@@ -1074,7 +1107,6 @@ + break; } + + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -1195,7 +1227,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr0_0; ++ uint32_t _ptr_ctr0; + TALLOC_CTX *_mem_save_ctr1_0; ++ uint32_t _ptr_ctr1; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -1206,7 +1240,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_ctr0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); + if (_ptr_ctr0) { + NDR_PULL_ALLOC(ndr, r->ctr0); +@@ -1216,7 +1249,6 @@ + break; } + + case 1: { +- uint32_t _ptr_ctr1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); + if (_ptr_ctr1) { + NDR_PULL_ALLOC(ndr, r->ctr1); +@@ -1385,6 +1417,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetConnCtr0 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -1404,10 +1437,11 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetConnInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -1474,8 +1508,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetConnInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetConnInfo1 *r) + { + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_user_0; + uint32_t _ptr_share; ++ uint32_t size_share_1 = 0; ++ uint32_t length_share_1 = 0; + TALLOC_CTX *_mem_save_share_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1504,11 +1542,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + if (r->share) { +@@ -1516,11 +1556,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->share, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->share)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->share)); +- if (ndr_get_array_length(ndr, &r->share) > ndr_get_array_size(ndr, &r->share)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->share), ndr_get_array_length(ndr, &r->share)); ++ size_share_1 = ndr_get_array_size(ndr, &r->share); ++ length_share_1 = ndr_get_array_length(ndr, &r->share); ++ if (length_share_1 > size_share_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, ndr_get_array_length(ndr, &r->share), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->share, length_share_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); + } + } +@@ -1578,6 +1620,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetConnCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetConnCtr1 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -1597,13 +1640,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetConnInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetConnInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -1686,7 +1730,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr0_0; ++ uint32_t _ptr_ctr0; + TALLOC_CTX *_mem_save_ctr1_0; ++ uint32_t _ptr_ctr1; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -1697,7 +1743,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_ctr0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); + if (_ptr_ctr0) { + NDR_PULL_ALLOC(ndr, r->ctr0); +@@ -1707,7 +1752,6 @@ + break; } + + case 1: { +- uint32_t _ptr_ctr1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); + if (_ptr_ctr1) { + NDR_PULL_ALLOC(ndr, r->ctr1); +@@ -1876,6 +1920,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetFileCtr2 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -1895,10 +1940,11 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetFileInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -1963,8 +2009,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetFileInfo3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetFileInfo3 *r) + { + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + TALLOC_CTX *_mem_save_path_0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_user_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -1991,11 +2041,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); +- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->path); ++ length_path_1 = ndr_get_array_length(ndr, &r->path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + if (r->user) { +@@ -2003,11 +2055,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + } +@@ -2063,6 +2117,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetFileCtr3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetFileCtr3 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -2082,13 +2137,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetFileInfo3(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetFileInfo3(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -2171,7 +2227,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + TALLOC_CTX *_mem_save_info3_0; ++ uint32_t _ptr_info3; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -2182,7 +2240,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -2192,7 +2249,6 @@ + break; } + + case 3: { +- uint32_t _ptr_info3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); + if (_ptr_info3) { + NDR_PULL_ALLOC(ndr, r->info3); +@@ -2313,7 +2369,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr2_0; ++ uint32_t _ptr_ctr2; + TALLOC_CTX *_mem_save_ctr3_0; ++ uint32_t _ptr_ctr3; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -2324,7 +2382,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 2: { +- uint32_t _ptr_ctr2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); + if (_ptr_ctr2) { + NDR_PULL_ALLOC(ndr, r->ctr2); +@@ -2334,7 +2391,6 @@ + break; } + + case 3: { +- uint32_t _ptr_ctr3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr3)); + if (_ptr_ctr3) { + NDR_PULL_ALLOC(ndr, r->ctr3); +@@ -2468,6 +2524,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo0 *r) + { + uint32_t _ptr_client; ++ uint32_t size_client_1 = 0; ++ uint32_t length_client_1 = 0; + TALLOC_CTX *_mem_save_client_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -2485,11 +2543,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); +- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); ++ size_client_1 = ndr_get_array_size(ndr, &r->client); ++ length_client_1 = ndr_get_array_length(ndr, &r->client); ++ if (length_client_1 > size_client_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); + } + } +@@ -2536,6 +2596,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr0 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -2555,13 +2616,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -2627,8 +2689,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo1 *r) + { + uint32_t _ptr_client; ++ uint32_t size_client_1 = 0; ++ uint32_t length_client_1 = 0; + TALLOC_CTX *_mem_save_client_0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_user_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -2656,11 +2722,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); +- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); ++ size_client_1 = ndr_get_array_size(ndr, &r->client); ++ length_client_1 = ndr_get_array_length(ndr, &r->client); ++ if (length_client_1 > size_client_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); + } + if (r->user) { +@@ -2668,11 +2736,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + } +@@ -2729,6 +2799,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr1 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -2748,13 +2819,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -2827,10 +2899,16 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo2 *r) + { + uint32_t _ptr_client; ++ uint32_t size_client_1 = 0; ++ uint32_t length_client_1 = 0; + TALLOC_CTX *_mem_save_client_0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_user_0; + uint32_t _ptr_client_type; ++ uint32_t size_client_type_1 = 0; ++ uint32_t length_client_type_1 = 0; + TALLOC_CTX *_mem_save_client_type_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -2864,11 +2942,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); +- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); ++ size_client_1 = ndr_get_array_size(ndr, &r->client); ++ length_client_1 = ndr_get_array_length(ndr, &r->client); ++ if (length_client_1 > size_client_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); + } + if (r->user) { +@@ -2876,11 +2956,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + if (r->client_type) { +@@ -2888,11 +2970,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client_type, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client_type)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client_type)); +- if (ndr_get_array_length(ndr, &r->client_type) > ndr_get_array_size(ndr, &r->client_type)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_type), ndr_get_array_length(ndr, &r->client_type)); ++ size_client_type_1 = ndr_get_array_size(ndr, &r->client_type); ++ length_client_type_1 = ndr_get_array_length(ndr, &r->client_type); ++ if (length_client_type_1 > size_client_type_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_type_1, length_client_type_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_type_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, length_client_type_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_type_0, 0); + } + } +@@ -2955,6 +3039,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr2 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -2974,13 +3059,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -3044,8 +3130,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo10(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo10 *r) + { + uint32_t _ptr_client; ++ uint32_t size_client_1 = 0; ++ uint32_t length_client_1 = 0; + TALLOC_CTX *_mem_save_client_0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_user_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3071,11 +3161,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); +- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); ++ size_client_1 = ndr_get_array_size(ndr, &r->client); ++ length_client_1 = ndr_get_array_length(ndr, &r->client); ++ if (length_client_1 > size_client_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); + } + if (r->user) { +@@ -3083,11 +3175,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + } +@@ -3142,6 +3236,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr10(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr10 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -3161,13 +3256,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo10(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo10(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -3247,12 +3343,20 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessInfo502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessInfo502 *r) + { + uint32_t _ptr_client; ++ uint32_t size_client_1 = 0; ++ uint32_t length_client_1 = 0; + TALLOC_CTX *_mem_save_client_0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_user_0; + uint32_t _ptr_client_type; ++ uint32_t size_client_type_1 = 0; ++ uint32_t length_client_type_1 = 0; + TALLOC_CTX *_mem_save_client_type_0; + uint32_t _ptr_transport; ++ uint32_t size_transport_1 = 0; ++ uint32_t length_transport_1 = 0; + TALLOC_CTX *_mem_save_transport_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3292,11 +3396,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client)); +- if (ndr_get_array_length(ndr, &r->client) > ndr_get_array_size(ndr, &r->client)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client), ndr_get_array_length(ndr, &r->client)); ++ size_client_1 = ndr_get_array_size(ndr, &r->client); ++ length_client_1 = ndr_get_array_length(ndr, &r->client); ++ if (length_client_1 > size_client_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, ndr_get_array_length(ndr, &r->client), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client, length_client_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); + } + if (r->user) { +@@ -3304,11 +3410,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user)); +- if (ndr_get_array_length(ndr, &r->user) > ndr_get_array_size(ndr, &r->user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user), ndr_get_array_length(ndr, &r->user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->user); ++ length_user_1 = ndr_get_array_length(ndr, &r->user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, ndr_get_array_length(ndr, &r->user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + if (r->client_type) { +@@ -3316,11 +3424,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->client_type, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->client_type)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->client_type)); +- if (ndr_get_array_length(ndr, &r->client_type) > ndr_get_array_size(ndr, &r->client_type)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_type), ndr_get_array_length(ndr, &r->client_type)); ++ size_client_type_1 = ndr_get_array_size(ndr, &r->client_type); ++ length_client_type_1 = ndr_get_array_length(ndr, &r->client_type); ++ if (length_client_type_1 > size_client_type_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_type_1, length_client_type_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, ndr_get_array_length(ndr, &r->client_type), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_type_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_type, length_client_type_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_type_0, 0); + } + if (r->transport) { +@@ -3328,11 +3438,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->transport, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->transport)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->transport)); +- if (ndr_get_array_length(ndr, &r->transport) > ndr_get_array_size(ndr, &r->transport)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->transport), ndr_get_array_length(ndr, &r->transport)); ++ size_transport_1 = ndr_get_array_size(ndr, &r->transport); ++ length_transport_1 = ndr_get_array_length(ndr, &r->transport); ++ if (length_transport_1 > size_transport_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_1, length_transport_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->transport), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport, ndr_get_array_length(ndr, &r->transport), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->transport, length_transport_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_0, 0); + } + } +@@ -3401,6 +3513,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessCtr502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSessCtr502 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -3420,13 +3533,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo502(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetSessInfo502(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -3539,10 +3653,15 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr0_0; ++ uint32_t _ptr_ctr0; + TALLOC_CTX *_mem_save_ctr1_0; ++ uint32_t _ptr_ctr1; + TALLOC_CTX *_mem_save_ctr2_0; ++ uint32_t _ptr_ctr2; + TALLOC_CTX *_mem_save_ctr10_0; ++ uint32_t _ptr_ctr10; + TALLOC_CTX *_mem_save_ctr502_0; ++ uint32_t _ptr_ctr502; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -3553,7 +3672,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_ctr0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); + if (_ptr_ctr0) { + NDR_PULL_ALLOC(ndr, r->ctr0); +@@ -3563,7 +3681,6 @@ + break; } + + case 1: { +- uint32_t _ptr_ctr1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); + if (_ptr_ctr1) { + NDR_PULL_ALLOC(ndr, r->ctr1); +@@ -3573,7 +3690,6 @@ + break; } + + case 2: { +- uint32_t _ptr_ctr2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); + if (_ptr_ctr2) { + NDR_PULL_ALLOC(ndr, r->ctr2); +@@ -3583,7 +3699,6 @@ + break; } + + case 10: { +- uint32_t _ptr_ctr10; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr10)); + if (_ptr_ctr10) { + NDR_PULL_ALLOC(ndr, r->ctr10); +@@ -3593,7 +3708,6 @@ + break; } + + case 502: { +- uint32_t _ptr_ctr502; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr502)); + if (_ptr_ctr502) { + NDR_PULL_ALLOC(ndr, r->ctr502); +@@ -3831,6 +3945,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo0 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3848,11 +3964,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + } +@@ -3899,6 +4017,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr0 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -3918,13 +4037,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -3987,8 +4107,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo1 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4013,11 +4137,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->comment) { +@@ -4025,11 +4151,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -4083,6 +4211,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -4102,13 +4231,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -4188,12 +4318,20 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo2 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + TALLOC_CTX *_mem_save_path_0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + TALLOC_CTX *_mem_save_password_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4233,11 +4371,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->comment) { +@@ -4245,11 +4385,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + if (r->path) { +@@ -4257,11 +4399,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); +- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->path); ++ length_path_1 = ndr_get_array_length(ndr, &r->path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + if (r->password) { +@@ -4269,11 +4413,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); +- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->password); ++ length_password_1 = ndr_get_array_length(ndr, &r->password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + } +@@ -4342,6 +4488,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr2 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -4361,13 +4508,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -4431,8 +4579,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo501(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo501 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4458,11 +4610,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->comment) { +@@ -4470,11 +4624,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -4529,6 +4685,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr501(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr501 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -4548,13 +4705,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo501(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo501(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -4636,12 +4794,20 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo502 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + TALLOC_CTX *_mem_save_path_0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + TALLOC_CTX *_mem_save_password_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4682,11 +4848,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->comment) { +@@ -4694,11 +4862,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + if (r->path) { +@@ -4706,11 +4876,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->path)); +- if (ndr_get_array_length(ndr, &r->path) > ndr_get_array_size(ndr, &r->path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->path), ndr_get_array_length(ndr, &r->path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->path); ++ length_path_1 = ndr_get_array_length(ndr, &r->path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, ndr_get_array_length(ndr, &r->path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + if (r->password) { +@@ -4718,11 +4890,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); +- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->password); ++ length_password_1 = ndr_get_array_length(ndr, &r->password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_BUFFERS, &r->sd_buf)); +@@ -4793,6 +4967,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr502(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr502 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -4812,13 +4987,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo502(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo502(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -4873,6 +5049,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1004(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo1004 *r) + { + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4890,11 +5068,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -4941,6 +5121,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1004(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1004 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -4960,13 +5141,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1004(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1004(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -5079,6 +5261,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1005(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1005 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -5098,10 +5281,11 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1005(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -5191,6 +5375,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1006(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1006 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -5210,10 +5395,11 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1006(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -5269,6 +5455,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareInfo1007(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareInfo1007 *r) + { + uint32_t _ptr_alternate_directory_name; ++ uint32_t size_alternate_directory_name_1 = 0; ++ uint32_t length_alternate_directory_name_1 = 0; + TALLOC_CTX *_mem_save_alternate_directory_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -5287,11 +5475,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->alternate_directory_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->alternate_directory_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->alternate_directory_name)); +- if (ndr_get_array_length(ndr, &r->alternate_directory_name) > ndr_get_array_size(ndr, &r->alternate_directory_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->alternate_directory_name), ndr_get_array_length(ndr, &r->alternate_directory_name)); ++ size_alternate_directory_name_1 = ndr_get_array_size(ndr, &r->alternate_directory_name); ++ length_alternate_directory_name_1 = ndr_get_array_length(ndr, &r->alternate_directory_name); ++ if (length_alternate_directory_name_1 > size_alternate_directory_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_alternate_directory_name_1, length_alternate_directory_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->alternate_directory_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alternate_directory_name, ndr_get_array_length(ndr, &r->alternate_directory_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_alternate_directory_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alternate_directory_name, length_alternate_directory_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_alternate_directory_name_0, 0); + } + } +@@ -5339,6 +5529,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1007(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1007 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -5358,13 +5549,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1007(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetShareInfo1007(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -5424,6 +5616,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCtr1501(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetShareCtr1501 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -5443,13 +5636,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_sec_desc_buf(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -5612,15 +5806,25 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info0_0; ++ uint32_t _ptr_info0; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + TALLOC_CTX *_mem_save_info501_0; ++ uint32_t _ptr_info501; + TALLOC_CTX *_mem_save_info502_0; ++ uint32_t _ptr_info502; + TALLOC_CTX *_mem_save_info1004_0; ++ uint32_t _ptr_info1004; + TALLOC_CTX *_mem_save_info1005_0; ++ uint32_t _ptr_info1005; + TALLOC_CTX *_mem_save_info1006_0; ++ uint32_t _ptr_info1006; + TALLOC_CTX *_mem_save_info1007_0; ++ uint32_t _ptr_info1007; + TALLOC_CTX *_mem_save_info1501_0; ++ uint32_t _ptr_info1501; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -5631,7 +5835,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_info0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); + if (_ptr_info0) { + NDR_PULL_ALLOC(ndr, r->info0); +@@ -5641,7 +5844,6 @@ + break; } + + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -5651,7 +5853,6 @@ + break; } + + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -5661,7 +5862,6 @@ + break; } + + case 501: { +- uint32_t _ptr_info501; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info501)); + if (_ptr_info501) { + NDR_PULL_ALLOC(ndr, r->info501); +@@ -5671,7 +5871,6 @@ + break; } + + case 502: { +- uint32_t _ptr_info502; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info502)); + if (_ptr_info502) { + NDR_PULL_ALLOC(ndr, r->info502); +@@ -5681,7 +5880,6 @@ + break; } + + case 1004: { +- uint32_t _ptr_info1004; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1004)); + if (_ptr_info1004) { + NDR_PULL_ALLOC(ndr, r->info1004); +@@ -5691,7 +5889,6 @@ + break; } + + case 1005: { +- uint32_t _ptr_info1005; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1005)); + if (_ptr_info1005) { + NDR_PULL_ALLOC(ndr, r->info1005); +@@ -5701,7 +5898,6 @@ + break; } + + case 1006: { +- uint32_t _ptr_info1006; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1006)); + if (_ptr_info1006) { + NDR_PULL_ALLOC(ndr, r->info1006); +@@ -5711,7 +5907,6 @@ + break; } + + case 1007: { +- uint32_t _ptr_info1007; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1007)); + if (_ptr_info1007) { + NDR_PULL_ALLOC(ndr, r->info1007); +@@ -5721,7 +5916,6 @@ + break; } + + case 1501: { +- uint32_t _ptr_info1501; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1501)); + if (_ptr_info1501) { + NDR_PULL_ALLOC(ndr, r->info1501); +@@ -6066,15 +6260,25 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr0_0; ++ uint32_t _ptr_ctr0; + TALLOC_CTX *_mem_save_ctr1_0; ++ uint32_t _ptr_ctr1; + TALLOC_CTX *_mem_save_ctr2_0; ++ uint32_t _ptr_ctr2; + TALLOC_CTX *_mem_save_ctr501_0; ++ uint32_t _ptr_ctr501; + TALLOC_CTX *_mem_save_ctr502_0; ++ uint32_t _ptr_ctr502; + TALLOC_CTX *_mem_save_ctr1004_0; ++ uint32_t _ptr_ctr1004; + TALLOC_CTX *_mem_save_ctr1005_0; ++ uint32_t _ptr_ctr1005; + TALLOC_CTX *_mem_save_ctr1006_0; ++ uint32_t _ptr_ctr1006; + TALLOC_CTX *_mem_save_ctr1007_0; ++ uint32_t _ptr_ctr1007; + TALLOC_CTX *_mem_save_ctr1501_0; ++ uint32_t _ptr_ctr1501; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -6085,7 +6289,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_ctr0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); + if (_ptr_ctr0) { + NDR_PULL_ALLOC(ndr, r->ctr0); +@@ -6095,7 +6298,6 @@ + break; } + + case 1: { +- uint32_t _ptr_ctr1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); + if (_ptr_ctr1) { + NDR_PULL_ALLOC(ndr, r->ctr1); +@@ -6105,7 +6307,6 @@ + break; } + + case 2: { +- uint32_t _ptr_ctr2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); + if (_ptr_ctr2) { + NDR_PULL_ALLOC(ndr, r->ctr2); +@@ -6115,7 +6316,6 @@ + break; } + + case 501: { +- uint32_t _ptr_ctr501; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr501)); + if (_ptr_ctr501) { + NDR_PULL_ALLOC(ndr, r->ctr501); +@@ -6125,7 +6325,6 @@ + break; } + + case 502: { +- uint32_t _ptr_ctr502; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr502)); + if (_ptr_ctr502) { + NDR_PULL_ALLOC(ndr, r->ctr502); +@@ -6135,7 +6334,6 @@ + break; } + + case 1004: { +- uint32_t _ptr_ctr1004; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1004)); + if (_ptr_ctr1004) { + NDR_PULL_ALLOC(ndr, r->ctr1004); +@@ -6145,7 +6343,6 @@ + break; } + + case 1005: { +- uint32_t _ptr_ctr1005; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1005)); + if (_ptr_ctr1005) { + NDR_PULL_ALLOC(ndr, r->ctr1005); +@@ -6155,7 +6352,6 @@ + break; } + + case 1006: { +- uint32_t _ptr_ctr1006; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1006)); + if (_ptr_ctr1006) { + NDR_PULL_ALLOC(ndr, r->ctr1006); +@@ -6165,7 +6361,6 @@ + break; } + + case 1007: { +- uint32_t _ptr_ctr1007; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1007)); + if (_ptr_ctr1007) { + NDR_PULL_ALLOC(ndr, r->ctr1007); +@@ -6175,7 +6370,6 @@ + break; } + + case 1501: { +- uint32_t _ptr_ctr1501; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1501)); + if (_ptr_ctr1501) { + NDR_PULL_ALLOC(ndr, r->ctr1501); +@@ -6482,6 +6676,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo100(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo100 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -6500,11 +6696,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + } +@@ -6558,8 +6756,12 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo101(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo101 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -6587,11 +6789,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (r->comment) { +@@ -6599,11 +6803,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -6679,10 +6885,16 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo102(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo102 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + uint32_t _ptr_userpath; ++ uint32_t size_userpath_1 = 0; ++ uint32_t length_userpath_1 = 0; + TALLOC_CTX *_mem_save_userpath_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -6722,11 +6934,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (r->comment) { +@@ -6734,11 +6948,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + if (r->userpath) { +@@ -6746,11 +6962,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->userpath, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->userpath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->userpath)); +- if (ndr_get_array_length(ndr, &r->userpath) > ndr_get_array_size(ndr, &r->userpath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->userpath), ndr_get_array_length(ndr, &r->userpath)); ++ size_userpath_1 = ndr_get_array_size(ndr, &r->userpath); ++ length_userpath_1 = ndr_get_array_length(ndr, &r->userpath); ++ if (length_userpath_1 > size_userpath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_userpath_1, length_userpath_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->userpath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->userpath, ndr_get_array_length(ndr, &r->userpath), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_userpath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->userpath, length_userpath_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_userpath_0, 0); + } + } +@@ -6856,10 +7074,16 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo402(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo402 *r) + { + uint32_t _ptr_alerts; ++ uint32_t size_alerts_1 = 0; ++ uint32_t length_alerts_1 = 0; + TALLOC_CTX *_mem_save_alerts_0; + uint32_t _ptr_guestaccount; ++ uint32_t size_guestaccount_1 = 0; ++ uint32_t length_guestaccount_1 = 0; + TALLOC_CTX *_mem_save_guestaccount_0; + uint32_t _ptr_srvheuristics; ++ uint32_t size_srvheuristics_1 = 0; ++ uint32_t length_srvheuristics_1 = 0; + TALLOC_CTX *_mem_save_srvheuristics_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -6917,11 +7141,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->alerts, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->alerts)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->alerts)); +- if (ndr_get_array_length(ndr, &r->alerts) > ndr_get_array_size(ndr, &r->alerts)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->alerts), ndr_get_array_length(ndr, &r->alerts)); ++ size_alerts_1 = ndr_get_array_size(ndr, &r->alerts); ++ length_alerts_1 = ndr_get_array_length(ndr, &r->alerts); ++ if (length_alerts_1 > size_alerts_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_alerts_1, length_alerts_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_alerts_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, length_alerts_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_alerts_0, 0); + } + if (r->guestaccount) { +@@ -6929,11 +7155,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->guestaccount, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->guestaccount)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->guestaccount)); +- if (ndr_get_array_length(ndr, &r->guestaccount) > ndr_get_array_size(ndr, &r->guestaccount)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->guestaccount), ndr_get_array_length(ndr, &r->guestaccount)); ++ size_guestaccount_1 = ndr_get_array_size(ndr, &r->guestaccount); ++ length_guestaccount_1 = ndr_get_array_length(ndr, &r->guestaccount); ++ if (length_guestaccount_1 > size_guestaccount_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_guestaccount_1, length_guestaccount_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_guestaccount_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, length_guestaccount_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guestaccount_0, 0); + } + if (r->srvheuristics) { +@@ -6941,11 +7169,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->srvheuristics, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->srvheuristics)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->srvheuristics)); +- if (ndr_get_array_length(ndr, &r->srvheuristics) > ndr_get_array_size(ndr, &r->srvheuristics)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->srvheuristics), ndr_get_array_length(ndr, &r->srvheuristics)); ++ size_srvheuristics_1 = ndr_get_array_size(ndr, &r->srvheuristics); ++ length_srvheuristics_1 = ndr_get_array_length(ndr, &r->srvheuristics); ++ if (length_srvheuristics_1 > size_srvheuristics_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_srvheuristics_1, length_srvheuristics_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_srvheuristics_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, length_srvheuristics_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_srvheuristics_0, 0); + } + } +@@ -7078,12 +7308,20 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo403(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo403 *r) + { + uint32_t _ptr_alerts; ++ uint32_t size_alerts_1 = 0; ++ uint32_t length_alerts_1 = 0; + TALLOC_CTX *_mem_save_alerts_0; + uint32_t _ptr_guestaccount; ++ uint32_t size_guestaccount_1 = 0; ++ uint32_t length_guestaccount_1 = 0; + TALLOC_CTX *_mem_save_guestaccount_0; + uint32_t _ptr_srvheuristics; ++ uint32_t size_srvheuristics_1 = 0; ++ uint32_t length_srvheuristics_1 = 0; + TALLOC_CTX *_mem_save_srvheuristics_0; + uint32_t _ptr_autopath; ++ uint32_t size_autopath_1 = 0; ++ uint32_t length_autopath_1 = 0; + TALLOC_CTX *_mem_save_autopath_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7149,11 +7387,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->alerts, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->alerts)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->alerts)); +- if (ndr_get_array_length(ndr, &r->alerts) > ndr_get_array_size(ndr, &r->alerts)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->alerts), ndr_get_array_length(ndr, &r->alerts)); ++ size_alerts_1 = ndr_get_array_size(ndr, &r->alerts); ++ length_alerts_1 = ndr_get_array_length(ndr, &r->alerts); ++ if (length_alerts_1 > size_alerts_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_alerts_1, length_alerts_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, ndr_get_array_length(ndr, &r->alerts), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_alerts_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->alerts, length_alerts_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_alerts_0, 0); + } + if (r->guestaccount) { +@@ -7161,11 +7401,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->guestaccount, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->guestaccount)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->guestaccount)); +- if (ndr_get_array_length(ndr, &r->guestaccount) > ndr_get_array_size(ndr, &r->guestaccount)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->guestaccount), ndr_get_array_length(ndr, &r->guestaccount)); ++ size_guestaccount_1 = ndr_get_array_size(ndr, &r->guestaccount); ++ length_guestaccount_1 = ndr_get_array_length(ndr, &r->guestaccount); ++ if (length_guestaccount_1 > size_guestaccount_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_guestaccount_1, length_guestaccount_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, ndr_get_array_length(ndr, &r->guestaccount), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_guestaccount_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->guestaccount, length_guestaccount_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_guestaccount_0, 0); + } + if (r->srvheuristics) { +@@ -7173,11 +7415,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->srvheuristics, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->srvheuristics)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->srvheuristics)); +- if (ndr_get_array_length(ndr, &r->srvheuristics) > ndr_get_array_size(ndr, &r->srvheuristics)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->srvheuristics), ndr_get_array_length(ndr, &r->srvheuristics)); ++ size_srvheuristics_1 = ndr_get_array_size(ndr, &r->srvheuristics); ++ length_srvheuristics_1 = ndr_get_array_length(ndr, &r->srvheuristics); ++ if (length_srvheuristics_1 > size_srvheuristics_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_srvheuristics_1, length_srvheuristics_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, ndr_get_array_length(ndr, &r->srvheuristics), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_srvheuristics_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->srvheuristics, length_srvheuristics_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_srvheuristics_0, 0); + } + if (r->autopath) { +@@ -7185,11 +7429,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->autopath, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->autopath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->autopath)); +- if (ndr_get_array_length(ndr, &r->autopath) > ndr_get_array_size(ndr, &r->autopath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->autopath), ndr_get_array_length(ndr, &r->autopath)); ++ size_autopath_1 = ndr_get_array_size(ndr, &r->autopath); ++ length_autopath_1 = ndr_get_array_length(ndr, &r->autopath); ++ if (length_autopath_1 > size_autopath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_autopath_1, length_autopath_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->autopath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->autopath, ndr_get_array_length(ndr, &r->autopath), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_autopath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->autopath, length_autopath_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_autopath_0, 0); + } + } +@@ -7404,6 +7650,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo503(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo503 *r) + { + uint32_t _ptr_domain; ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; + TALLOC_CTX *_mem_save_domain_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7462,11 +7710,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + } +@@ -7603,6 +7853,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo599(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo599 *r) + { + uint32_t _ptr_domain; ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; + TALLOC_CTX *_mem_save_domain_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7674,11 +7926,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + } +@@ -7774,6 +8028,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSrvInfo1005(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetSrvInfo1005 *r) + { + uint32_t _ptr_comment; ++ uint32_t size_comment_1 = 0; ++ uint32_t length_comment_1 = 0; + TALLOC_CTX *_mem_save_comment_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -7791,11 +8047,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->comment, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->comment)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->comment)); +- if (ndr_get_array_length(ndr, &r->comment) > ndr_get_array_size(ndr, &r->comment)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->comment), ndr_get_array_length(ndr, &r->comment)); ++ size_comment_1 = ndr_get_array_size(ndr, &r->comment); ++ length_comment_1 = ndr_get_array_length(ndr, &r->comment); ++ if (length_comment_1 > size_comment_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_comment_1, length_comment_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, ndr_get_array_length(ndr, &r->comment), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_comment_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->comment, length_comment_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_comment_0, 0); + } + } +@@ -10085,64 +10343,123 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info100_0; ++ uint32_t _ptr_info100; + TALLOC_CTX *_mem_save_info101_0; ++ uint32_t _ptr_info101; + TALLOC_CTX *_mem_save_info102_0; ++ uint32_t _ptr_info102; + TALLOC_CTX *_mem_save_info402_0; ++ uint32_t _ptr_info402; + TALLOC_CTX *_mem_save_info403_0; ++ uint32_t _ptr_info403; + TALLOC_CTX *_mem_save_info502_0; ++ uint32_t _ptr_info502; + TALLOC_CTX *_mem_save_info503_0; ++ uint32_t _ptr_info503; + TALLOC_CTX *_mem_save_info599_0; ++ uint32_t _ptr_info599; + TALLOC_CTX *_mem_save_info1005_0; ++ uint32_t _ptr_info1005; + TALLOC_CTX *_mem_save_info1010_0; ++ uint32_t _ptr_info1010; + TALLOC_CTX *_mem_save_info1016_0; ++ uint32_t _ptr_info1016; + TALLOC_CTX *_mem_save_info1017_0; ++ uint32_t _ptr_info1017; + TALLOC_CTX *_mem_save_info1018_0; ++ uint32_t _ptr_info1018; + TALLOC_CTX *_mem_save_info1107_0; ++ uint32_t _ptr_info1107; + TALLOC_CTX *_mem_save_info1501_0; ++ uint32_t _ptr_info1501; + TALLOC_CTX *_mem_save_info1502_0; ++ uint32_t _ptr_info1502; + TALLOC_CTX *_mem_save_info1503_0; ++ uint32_t _ptr_info1503; + TALLOC_CTX *_mem_save_info1506_0; ++ uint32_t _ptr_info1506; + TALLOC_CTX *_mem_save_info1509_0; ++ uint32_t _ptr_info1509; + TALLOC_CTX *_mem_save_info1510_0; ++ uint32_t _ptr_info1510; + TALLOC_CTX *_mem_save_info1511_0; ++ uint32_t _ptr_info1511; + TALLOC_CTX *_mem_save_info1512_0; ++ uint32_t _ptr_info1512; + TALLOC_CTX *_mem_save_info1513_0; ++ uint32_t _ptr_info1513; + TALLOC_CTX *_mem_save_info1514_0; ++ uint32_t _ptr_info1514; + TALLOC_CTX *_mem_save_info1515_0; ++ uint32_t _ptr_info1515; + TALLOC_CTX *_mem_save_info1516_0; ++ uint32_t _ptr_info1516; + TALLOC_CTX *_mem_save_info1518_0; ++ uint32_t _ptr_info1518; + TALLOC_CTX *_mem_save_info1520_0; ++ uint32_t _ptr_info1520; + TALLOC_CTX *_mem_save_info1521_0; ++ uint32_t _ptr_info1521; + TALLOC_CTX *_mem_save_info1522_0; ++ uint32_t _ptr_info1522; + TALLOC_CTX *_mem_save_info1523_0; ++ uint32_t _ptr_info1523; + TALLOC_CTX *_mem_save_info1524_0; ++ uint32_t _ptr_info1524; + TALLOC_CTX *_mem_save_info1525_0; ++ uint32_t _ptr_info1525; + TALLOC_CTX *_mem_save_info1528_0; ++ uint32_t _ptr_info1528; + TALLOC_CTX *_mem_save_info1529_0; ++ uint32_t _ptr_info1529; + TALLOC_CTX *_mem_save_info1530_0; ++ uint32_t _ptr_info1530; + TALLOC_CTX *_mem_save_info1533_0; ++ uint32_t _ptr_info1533; + TALLOC_CTX *_mem_save_info1534_0; ++ uint32_t _ptr_info1534; + TALLOC_CTX *_mem_save_info1535_0; ++ uint32_t _ptr_info1535; + TALLOC_CTX *_mem_save_info1536_0; ++ uint32_t _ptr_info1536; + TALLOC_CTX *_mem_save_info1537_0; ++ uint32_t _ptr_info1537; + TALLOC_CTX *_mem_save_info1538_0; ++ uint32_t _ptr_info1538; + TALLOC_CTX *_mem_save_info1539_0; ++ uint32_t _ptr_info1539; + TALLOC_CTX *_mem_save_info1540_0; ++ uint32_t _ptr_info1540; + TALLOC_CTX *_mem_save_info1541_0; ++ uint32_t _ptr_info1541; + TALLOC_CTX *_mem_save_info1542_0; ++ uint32_t _ptr_info1542; + TALLOC_CTX *_mem_save_info1543_0; ++ uint32_t _ptr_info1543; + TALLOC_CTX *_mem_save_info1544_0; ++ uint32_t _ptr_info1544; + TALLOC_CTX *_mem_save_info1545_0; ++ uint32_t _ptr_info1545; + TALLOC_CTX *_mem_save_info1546_0; ++ uint32_t _ptr_info1546; + TALLOC_CTX *_mem_save_info1547_0; ++ uint32_t _ptr_info1547; + TALLOC_CTX *_mem_save_info1548_0; ++ uint32_t _ptr_info1548; + TALLOC_CTX *_mem_save_info1549_0; ++ uint32_t _ptr_info1549; + TALLOC_CTX *_mem_save_info1550_0; ++ uint32_t _ptr_info1550; + TALLOC_CTX *_mem_save_info1552_0; ++ uint32_t _ptr_info1552; + TALLOC_CTX *_mem_save_info1553_0; ++ uint32_t _ptr_info1553; + TALLOC_CTX *_mem_save_info1554_0; ++ uint32_t _ptr_info1554; + TALLOC_CTX *_mem_save_info1555_0; ++ uint32_t _ptr_info1555; + TALLOC_CTX *_mem_save_info1556_0; ++ uint32_t _ptr_info1556; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -10153,7 +10470,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 100: { +- uint32_t _ptr_info100; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); + if (_ptr_info100) { + NDR_PULL_ALLOC(ndr, r->info100); +@@ -10163,7 +10479,6 @@ + break; } + + case 101: { +- uint32_t _ptr_info101; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); + if (_ptr_info101) { + NDR_PULL_ALLOC(ndr, r->info101); +@@ -10173,7 +10488,6 @@ + break; } + + case 102: { +- uint32_t _ptr_info102; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info102)); + if (_ptr_info102) { + NDR_PULL_ALLOC(ndr, r->info102); +@@ -10183,7 +10497,6 @@ + break; } + + case 402: { +- uint32_t _ptr_info402; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info402)); + if (_ptr_info402) { + NDR_PULL_ALLOC(ndr, r->info402); +@@ -10193,7 +10506,6 @@ + break; } + + case 403: { +- uint32_t _ptr_info403; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info403)); + if (_ptr_info403) { + NDR_PULL_ALLOC(ndr, r->info403); +@@ -10203,7 +10515,6 @@ + break; } + + case 502: { +- uint32_t _ptr_info502; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info502)); + if (_ptr_info502) { + NDR_PULL_ALLOC(ndr, r->info502); +@@ -10213,7 +10524,6 @@ + break; } + + case 503: { +- uint32_t _ptr_info503; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info503)); + if (_ptr_info503) { + NDR_PULL_ALLOC(ndr, r->info503); +@@ -10223,7 +10533,6 @@ + break; } + + case 599: { +- uint32_t _ptr_info599; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info599)); + if (_ptr_info599) { + NDR_PULL_ALLOC(ndr, r->info599); +@@ -10233,7 +10542,6 @@ + break; } + + case 1005: { +- uint32_t _ptr_info1005; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1005)); + if (_ptr_info1005) { + NDR_PULL_ALLOC(ndr, r->info1005); +@@ -10243,7 +10551,6 @@ + break; } + + case 1010: { +- uint32_t _ptr_info1010; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1010)); + if (_ptr_info1010) { + NDR_PULL_ALLOC(ndr, r->info1010); +@@ -10253,7 +10560,6 @@ + break; } + + case 1016: { +- uint32_t _ptr_info1016; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1016)); + if (_ptr_info1016) { + NDR_PULL_ALLOC(ndr, r->info1016); +@@ -10263,7 +10569,6 @@ + break; } + + case 1017: { +- uint32_t _ptr_info1017; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1017)); + if (_ptr_info1017) { + NDR_PULL_ALLOC(ndr, r->info1017); +@@ -10273,7 +10578,6 @@ + break; } + + case 1018: { +- uint32_t _ptr_info1018; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1018)); + if (_ptr_info1018) { + NDR_PULL_ALLOC(ndr, r->info1018); +@@ -10283,7 +10587,6 @@ + break; } + + case 1107: { +- uint32_t _ptr_info1107; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1107)); + if (_ptr_info1107) { + NDR_PULL_ALLOC(ndr, r->info1107); +@@ -10293,7 +10596,6 @@ + break; } + + case 1501: { +- uint32_t _ptr_info1501; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1501)); + if (_ptr_info1501) { + NDR_PULL_ALLOC(ndr, r->info1501); +@@ -10303,7 +10605,6 @@ + break; } + + case 1502: { +- uint32_t _ptr_info1502; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1502)); + if (_ptr_info1502) { + NDR_PULL_ALLOC(ndr, r->info1502); +@@ -10313,7 +10614,6 @@ + break; } + + case 1503: { +- uint32_t _ptr_info1503; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1503)); + if (_ptr_info1503) { + NDR_PULL_ALLOC(ndr, r->info1503); +@@ -10323,7 +10623,6 @@ + break; } + + case 1506: { +- uint32_t _ptr_info1506; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1506)); + if (_ptr_info1506) { + NDR_PULL_ALLOC(ndr, r->info1506); +@@ -10333,7 +10632,6 @@ + break; } + + case 1509: { +- uint32_t _ptr_info1509; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1509)); + if (_ptr_info1509) { + NDR_PULL_ALLOC(ndr, r->info1509); +@@ -10343,7 +10641,6 @@ + break; } + + case 1510: { +- uint32_t _ptr_info1510; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1510)); + if (_ptr_info1510) { + NDR_PULL_ALLOC(ndr, r->info1510); +@@ -10353,7 +10650,6 @@ + break; } + + case 1511: { +- uint32_t _ptr_info1511; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1511)); + if (_ptr_info1511) { + NDR_PULL_ALLOC(ndr, r->info1511); +@@ -10363,7 +10659,6 @@ + break; } + + case 1512: { +- uint32_t _ptr_info1512; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1512)); + if (_ptr_info1512) { + NDR_PULL_ALLOC(ndr, r->info1512); +@@ -10373,7 +10668,6 @@ + break; } + + case 1513: { +- uint32_t _ptr_info1513; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1513)); + if (_ptr_info1513) { + NDR_PULL_ALLOC(ndr, r->info1513); +@@ -10383,7 +10677,6 @@ + break; } + + case 1514: { +- uint32_t _ptr_info1514; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1514)); + if (_ptr_info1514) { + NDR_PULL_ALLOC(ndr, r->info1514); +@@ -10393,7 +10686,6 @@ + break; } + + case 1515: { +- uint32_t _ptr_info1515; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1515)); + if (_ptr_info1515) { + NDR_PULL_ALLOC(ndr, r->info1515); +@@ -10403,7 +10695,6 @@ + break; } + + case 1516: { +- uint32_t _ptr_info1516; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1516)); + if (_ptr_info1516) { + NDR_PULL_ALLOC(ndr, r->info1516); +@@ -10413,7 +10704,6 @@ + break; } + + case 1518: { +- uint32_t _ptr_info1518; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1518)); + if (_ptr_info1518) { + NDR_PULL_ALLOC(ndr, r->info1518); +@@ -10423,7 +10713,6 @@ + break; } + + case 1520: { +- uint32_t _ptr_info1520; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1520)); + if (_ptr_info1520) { + NDR_PULL_ALLOC(ndr, r->info1520); +@@ -10433,7 +10722,6 @@ + break; } + + case 1521: { +- uint32_t _ptr_info1521; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1521)); + if (_ptr_info1521) { + NDR_PULL_ALLOC(ndr, r->info1521); +@@ -10443,7 +10731,6 @@ + break; } + + case 1522: { +- uint32_t _ptr_info1522; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1522)); + if (_ptr_info1522) { + NDR_PULL_ALLOC(ndr, r->info1522); +@@ -10453,7 +10740,6 @@ + break; } + + case 1523: { +- uint32_t _ptr_info1523; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1523)); + if (_ptr_info1523) { + NDR_PULL_ALLOC(ndr, r->info1523); +@@ -10463,7 +10749,6 @@ + break; } + + case 1524: { +- uint32_t _ptr_info1524; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1524)); + if (_ptr_info1524) { + NDR_PULL_ALLOC(ndr, r->info1524); +@@ -10473,7 +10758,6 @@ + break; } + + case 1525: { +- uint32_t _ptr_info1525; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1525)); + if (_ptr_info1525) { + NDR_PULL_ALLOC(ndr, r->info1525); +@@ -10483,7 +10767,6 @@ + break; } + + case 1528: { +- uint32_t _ptr_info1528; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1528)); + if (_ptr_info1528) { + NDR_PULL_ALLOC(ndr, r->info1528); +@@ -10493,7 +10776,6 @@ + break; } + + case 1529: { +- uint32_t _ptr_info1529; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1529)); + if (_ptr_info1529) { + NDR_PULL_ALLOC(ndr, r->info1529); +@@ -10503,7 +10785,6 @@ + break; } + + case 1530: { +- uint32_t _ptr_info1530; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1530)); + if (_ptr_info1530) { + NDR_PULL_ALLOC(ndr, r->info1530); +@@ -10513,7 +10794,6 @@ + break; } + + case 1533: { +- uint32_t _ptr_info1533; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1533)); + if (_ptr_info1533) { + NDR_PULL_ALLOC(ndr, r->info1533); +@@ -10523,7 +10803,6 @@ + break; } + + case 1534: { +- uint32_t _ptr_info1534; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1534)); + if (_ptr_info1534) { + NDR_PULL_ALLOC(ndr, r->info1534); +@@ -10533,7 +10812,6 @@ + break; } + + case 1535: { +- uint32_t _ptr_info1535; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1535)); + if (_ptr_info1535) { + NDR_PULL_ALLOC(ndr, r->info1535); +@@ -10543,7 +10821,6 @@ + break; } + + case 1536: { +- uint32_t _ptr_info1536; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1536)); + if (_ptr_info1536) { + NDR_PULL_ALLOC(ndr, r->info1536); +@@ -10553,7 +10830,6 @@ + break; } + + case 1537: { +- uint32_t _ptr_info1537; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1537)); + if (_ptr_info1537) { + NDR_PULL_ALLOC(ndr, r->info1537); +@@ -10563,7 +10839,6 @@ + break; } + + case 1538: { +- uint32_t _ptr_info1538; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1538)); + if (_ptr_info1538) { + NDR_PULL_ALLOC(ndr, r->info1538); +@@ -10573,7 +10848,6 @@ + break; } + + case 1539: { +- uint32_t _ptr_info1539; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1539)); + if (_ptr_info1539) { + NDR_PULL_ALLOC(ndr, r->info1539); +@@ -10583,7 +10857,6 @@ + break; } + + case 1540: { +- uint32_t _ptr_info1540; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1540)); + if (_ptr_info1540) { + NDR_PULL_ALLOC(ndr, r->info1540); +@@ -10593,7 +10866,6 @@ + break; } + + case 1541: { +- uint32_t _ptr_info1541; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1541)); + if (_ptr_info1541) { + NDR_PULL_ALLOC(ndr, r->info1541); +@@ -10603,7 +10875,6 @@ + break; } + + case 1542: { +- uint32_t _ptr_info1542; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1542)); + if (_ptr_info1542) { + NDR_PULL_ALLOC(ndr, r->info1542); +@@ -10613,7 +10884,6 @@ + break; } + + case 1543: { +- uint32_t _ptr_info1543; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1543)); + if (_ptr_info1543) { + NDR_PULL_ALLOC(ndr, r->info1543); +@@ -10623,7 +10893,6 @@ + break; } + + case 1544: { +- uint32_t _ptr_info1544; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1544)); + if (_ptr_info1544) { + NDR_PULL_ALLOC(ndr, r->info1544); +@@ -10633,7 +10902,6 @@ + break; } + + case 1545: { +- uint32_t _ptr_info1545; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1545)); + if (_ptr_info1545) { + NDR_PULL_ALLOC(ndr, r->info1545); +@@ -10643,7 +10911,6 @@ + break; } + + case 1546: { +- uint32_t _ptr_info1546; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1546)); + if (_ptr_info1546) { + NDR_PULL_ALLOC(ndr, r->info1546); +@@ -10653,7 +10920,6 @@ + break; } + + case 1547: { +- uint32_t _ptr_info1547; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1547)); + if (_ptr_info1547) { + NDR_PULL_ALLOC(ndr, r->info1547); +@@ -10663,7 +10929,6 @@ + break; } + + case 1548: { +- uint32_t _ptr_info1548; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1548)); + if (_ptr_info1548) { + NDR_PULL_ALLOC(ndr, r->info1548); +@@ -10673,7 +10938,6 @@ + break; } + + case 1549: { +- uint32_t _ptr_info1549; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1549)); + if (_ptr_info1549) { + NDR_PULL_ALLOC(ndr, r->info1549); +@@ -10683,7 +10947,6 @@ + break; } + + case 1550: { +- uint32_t _ptr_info1550; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1550)); + if (_ptr_info1550) { + NDR_PULL_ALLOC(ndr, r->info1550); +@@ -10693,7 +10956,6 @@ + break; } + + case 1552: { +- uint32_t _ptr_info1552; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1552)); + if (_ptr_info1552) { + NDR_PULL_ALLOC(ndr, r->info1552); +@@ -10703,7 +10965,6 @@ + break; } + + case 1553: { +- uint32_t _ptr_info1553; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1553)); + if (_ptr_info1553) { + NDR_PULL_ALLOC(ndr, r->info1553); +@@ -10713,7 +10974,6 @@ + break; } + + case 1554: { +- uint32_t _ptr_info1554; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1554)); + if (_ptr_info1554) { + NDR_PULL_ALLOC(ndr, r->info1554); +@@ -10723,7 +10983,6 @@ + break; } + + case 1555: { +- uint32_t _ptr_info1555; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1555)); + if (_ptr_info1555) { + NDR_PULL_ALLOC(ndr, r->info1555); +@@ -10733,7 +10992,6 @@ + break; } + + case 1556: { +- uint32_t _ptr_info1556; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1556)); + if (_ptr_info1556) { + NDR_PULL_ALLOC(ndr, r->info1556); +@@ -11847,11 +12105,13 @@ + + static enum ndr_err_code ndr_pull_srvsvc_NetDiskInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetDiskInfo0 *r) + { ++ uint32_t size_disk_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__disk_offset)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->__disk_length)); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->disk, r->__disk_length, sizeof(uint16_t), CH_UTF16)); ++ size_disk_0 = r->__disk_length; ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->disk, size_disk_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -11895,6 +12155,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetDiskInfo(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetDiskInfo *r) + { + uint32_t _ptr_disks; ++ uint32_t size_disks_1 = 0; ++ uint32_t length_disks_1 = 0; + uint32_t cntr_disks_1; + TALLOC_CTX *_mem_save_disks_0; + TALLOC_CTX *_mem_save_disks_1; +@@ -11915,13 +12177,15 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->disks, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->disks)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->disks)); +- if (ndr_get_array_length(ndr, &r->disks) > ndr_get_array_size(ndr, &r->disks)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->disks), ndr_get_array_length(ndr, &r->disks)); ++ size_disks_1 = ndr_get_array_size(ndr, &r->disks); ++ length_disks_1 = ndr_get_array_length(ndr, &r->disks); ++ if (length_disks_1 > size_disks_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_disks_1, length_disks_1); + } +- NDR_PULL_ALLOC_N(ndr, r->disks, ndr_get_array_size(ndr, &r->disks)); ++ NDR_PULL_ALLOC_N(ndr, r->disks, size_disks_1); + _mem_save_disks_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->disks, 0); +- for (cntr_disks_1 = 0; cntr_disks_1 < ndr_get_array_length(ndr, &r->disks); cntr_disks_1++) { ++ for (cntr_disks_1 = 0; cntr_disks_1 < length_disks_1; cntr_disks_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetDiskInfo0(ndr, NDR_SCALARS, &r->disks[cntr_disks_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_disks_1, 0); +@@ -12074,10 +12338,15 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo0 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_addr; ++ uint32_t size_addr_1 = 0; + TALLOC_CTX *_mem_save_addr_0; + uint32_t _ptr_net_addr; ++ uint32_t size_net_addr_1 = 0; ++ uint32_t length_net_addr_1 = 0; + TALLOC_CTX *_mem_save_net_addr_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -12109,19 +12378,22 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->addr) { + _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); +- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); ++ size_addr_1 = ndr_get_array_size(ndr, &r->addr); ++ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); + } + if (r->net_addr) { +@@ -12129,11 +12401,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); +- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); ++ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); ++ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); ++ if (length_net_addr_1 > size_net_addr_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); + } + if (r->addr) { +@@ -12197,6 +12471,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr0(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr0 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -12216,13 +12491,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -12298,12 +12574,19 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo1 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_addr; ++ uint32_t size_addr_1 = 0; + TALLOC_CTX *_mem_save_addr_0; + uint32_t _ptr_net_addr; ++ uint32_t size_net_addr_1 = 0; ++ uint32_t length_net_addr_1 = 0; + TALLOC_CTX *_mem_save_net_addr_0; + uint32_t _ptr_domain; ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; + TALLOC_CTX *_mem_save_domain_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -12341,19 +12624,22 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->addr) { + _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); +- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); ++ size_addr_1 = ndr_get_array_size(ndr, &r->addr); ++ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); + } + if (r->net_addr) { +@@ -12361,11 +12647,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); +- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); ++ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); ++ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); ++ if (length_net_addr_1 > size_net_addr_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); + } + if (r->domain) { +@@ -12373,11 +12661,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + if (r->addr) { +@@ -12447,6 +12737,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr1(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr1 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -12466,13 +12757,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -12549,12 +12841,19 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo2 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_addr; ++ uint32_t size_addr_1 = 0; + TALLOC_CTX *_mem_save_addr_0; + uint32_t _ptr_net_addr; ++ uint32_t size_net_addr_1 = 0; ++ uint32_t length_net_addr_1 = 0; + TALLOC_CTX *_mem_save_net_addr_0; + uint32_t _ptr_domain; ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; + TALLOC_CTX *_mem_save_domain_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -12593,19 +12892,22 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->addr) { + _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); +- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); ++ size_addr_1 = ndr_get_array_size(ndr, &r->addr); ++ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); + } + if (r->net_addr) { +@@ -12613,11 +12915,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); +- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); ++ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); ++ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); ++ if (length_net_addr_1 > size_net_addr_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); + } + if (r->domain) { +@@ -12625,11 +12929,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + if (r->addr) { +@@ -12700,6 +13006,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr2(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr2 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -12719,13 +13026,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -12804,13 +13112,21 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportInfo3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportInfo3 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_addr; ++ uint32_t size_addr_1 = 0; + TALLOC_CTX *_mem_save_addr_0; + uint32_t _ptr_net_addr; ++ uint32_t size_net_addr_1 = 0; ++ uint32_t length_net_addr_1 = 0; + TALLOC_CTX *_mem_save_net_addr_0; + uint32_t _ptr_domain; ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; + TALLOC_CTX *_mem_save_domain_0; ++ uint32_t size_unknown3_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->vcs)); +@@ -12841,7 +13157,8 @@ + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown2)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unknown3, 256)); ++ size_unknown3_0 = 256; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->unknown3, size_unknown3_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -12850,19 +13167,22 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->addr) { + _mem_save_addr_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->addr)); +- NDR_PULL_ALLOC_N(ndr, r->addr, ndr_get_array_size(ndr, &r->addr)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, ndr_get_array_size(ndr, &r->addr))); ++ size_addr_1 = ndr_get_array_size(ndr, &r->addr); ++ NDR_PULL_ALLOC_N(ndr, r->addr, size_addr_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->addr, size_addr_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_addr_0, 0); + } + if (r->net_addr) { +@@ -12870,11 +13190,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->net_addr, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->net_addr)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->net_addr)); +- if (ndr_get_array_length(ndr, &r->net_addr) > ndr_get_array_size(ndr, &r->net_addr)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->net_addr), ndr_get_array_length(ndr, &r->net_addr)); ++ size_net_addr_1 = ndr_get_array_size(ndr, &r->net_addr); ++ length_net_addr_1 = ndr_get_array_length(ndr, &r->net_addr); ++ if (length_net_addr_1 > size_net_addr_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_net_addr_1, length_net_addr_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, ndr_get_array_length(ndr, &r->net_addr), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_net_addr_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->net_addr, length_net_addr_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_net_addr_0, 0); + } + if (r->domain) { +@@ -12882,11 +13204,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain)); +- if (ndr_get_array_length(ndr, &r->domain) > ndr_get_array_size(ndr, &r->domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain), ndr_get_array_length(ndr, &r->domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, ndr_get_array_length(ndr, &r->domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain, length_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, 0); + } + if (r->addr) { +@@ -12959,6 +13283,7 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportCtr3(struct ndr_pull *ndr, int ndr_flags, struct srvsvc_NetTransportCtr3 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -12978,13 +13303,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo3(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_srvsvc_NetTransportInfo3(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -13087,9 +13413,13 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr0_0; ++ uint32_t _ptr_ctr0; + TALLOC_CTX *_mem_save_ctr1_0; ++ uint32_t _ptr_ctr1; + TALLOC_CTX *_mem_save_ctr2_0; ++ uint32_t _ptr_ctr2; + TALLOC_CTX *_mem_save_ctr3_0; ++ uint32_t _ptr_ctr3; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -13100,7 +13430,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_ctr0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); + if (_ptr_ctr0) { + NDR_PULL_ALLOC(ndr, r->ctr0); +@@ -13110,7 +13439,6 @@ + break; } + + case 1: { +- uint32_t _ptr_ctr1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); + if (_ptr_ctr1) { + NDR_PULL_ALLOC(ndr, r->ctr1); +@@ -13120,7 +13448,6 @@ + break; } + + case 2: { +- uint32_t _ptr_ctr2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); + if (_ptr_ctr2) { + NDR_PULL_ALLOC(ndr, r->ctr2); +@@ -13130,7 +13457,6 @@ + break; } + + case 3: { +- uint32_t _ptr_ctr3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr3)); + if (_ptr_ctr3) { + NDR_PULL_ALLOC(ndr, r->ctr3); +@@ -13525,6 +13851,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevEnum *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_ctr_0; +@@ -13544,11 +13872,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -13691,6 +14021,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevGetInfo *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_device_name_0 = 0; ++ uint32_t length_device_name_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -13707,20 +14041,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.device_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.device_name)); +- if (ndr_get_array_length(ndr, &r->in.device_name) > ndr_get_array_size(ndr, &r->in.device_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.device_name), ndr_get_array_length(ndr, &r->in.device_name)); ++ size_device_name_0 = ndr_get_array_size(ndr, &r->in.device_name); ++ length_device_name_0 = ndr_get_array_length(ndr, &r->in.device_name); ++ if (length_device_name_0 > size_device_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_name_0, length_device_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, length_device_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); + NDR_PULL_ALLOC(ndr, r->out.info); + ZERO_STRUCTP(r->out.info); +@@ -13799,6 +14137,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevControl(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevControl *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_device_name_0 = 0; ++ uint32_t length_device_name_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -13812,20 +14154,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.device_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.device_name)); +- if (ndr_get_array_length(ndr, &r->in.device_name) > ndr_get_array_size(ndr, &r->in.device_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.device_name), ndr_get_array_length(ndr, &r->in.device_name)); ++ size_device_name_0 = ndr_get_array_size(ndr, &r->in.device_name); ++ length_device_name_0 = ndr_get_array_length(ndr, &r->in.device_name); ++ if (length_device_name_0 > size_device_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_name_0, length_device_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, length_device_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.opcode)); + } + if (flags & NDR_OUT) { +@@ -13912,7 +14258,11 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQEnum *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_user_0; +@@ -13933,11 +14283,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); +@@ -13951,11 +14303,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); +- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->in.user); ++ length_user_1 = ndr_get_array_length(ndr, &r->in.user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -14108,6 +14462,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQGetInfo *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_queue_name_0 = 0; ++ uint32_t length_queue_name_0 = 0; ++ uint32_t size_user_0 = 0; ++ uint32_t length_user_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -14124,27 +14484,33 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); +- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); ++ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); ++ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); ++ if (length_queue_name_0 > size_queue_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); +- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); ++ size_user_0 = ndr_get_array_size(ndr, &r->in.user); ++ length_user_0 = ndr_get_array_length(ndr, &r->in.user); ++ if (length_user_0 > size_user_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_0, length_user_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); + NDR_PULL_ALLOC(ndr, r->out.info); + ZERO_STRUCTP(r->out.info); +@@ -14234,6 +14600,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQSetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQSetInfo *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_queue_name_0 = 0; ++ uint32_t length_queue_name_0 = 0; + uint32_t _ptr_parm_error; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_parm_error_0; +@@ -14251,20 +14621,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); +- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); ++ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); ++ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); ++ if (length_queue_name_0 > size_queue_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->in.info, r->in.level)); + NDR_CHECK(ndr_pull_srvsvc_NetCharDevQInfo(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.info)); +@@ -14367,6 +14741,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurge(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQPurge *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_queue_name_0 = 0; ++ uint32_t length_queue_name_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -14380,20 +14758,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); +- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); ++ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); ++ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); ++ if (length_queue_name_0 > size_queue_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -14458,6 +14840,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetCharDevQPurgeSelf(struct ndr_pull *ndr, int flags, struct srvsvc_NetCharDevQPurgeSelf *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_queue_name_0 = 0; ++ uint32_t length_queue_name_0 = 0; ++ uint32_t size_computer_name_0 = 0; ++ uint32_t length_computer_name_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -14471,27 +14859,33 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.queue_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.queue_name)); +- if (ndr_get_array_length(ndr, &r->in.queue_name) > ndr_get_array_size(ndr, &r->in.queue_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.queue_name), ndr_get_array_length(ndr, &r->in.queue_name)); ++ size_queue_name_0 = ndr_get_array_size(ndr, &r->in.queue_name); ++ length_queue_name_0 = ndr_get_array_length(ndr, &r->in.queue_name); ++ if (length_queue_name_0 > size_queue_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_queue_name_0, length_queue_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, ndr_get_array_length(ndr, &r->in.queue_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_queue_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.queue_name, length_queue_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.computer_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.computer_name)); +- if (ndr_get_array_length(ndr, &r->in.computer_name) > ndr_get_array_size(ndr, &r->in.computer_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.computer_name), ndr_get_array_length(ndr, &r->in.computer_name)); ++ size_computer_name_0 = ndr_get_array_size(ndr, &r->in.computer_name); ++ length_computer_name_0 = ndr_get_array_length(ndr, &r->in.computer_name); ++ if (length_computer_name_0 > size_computer_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_computer_name_0, length_computer_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_computer_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, length_computer_name_0, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -14577,7 +14971,11 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetConnEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetConnEnum *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_path_0; +@@ -14598,11 +14996,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_path)); +@@ -14616,11 +15016,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); +- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->in.path); ++ length_path_1 = ndr_get_array_length(ndr, &r->in.path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -14794,8 +15196,14 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetFileEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetFileEnum *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_path; ++ uint32_t size_path_1 = 0; ++ uint32_t length_path_1 = 0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_path_0; +@@ -14817,11 +15225,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_path)); +@@ -14835,11 +15245,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); +- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); ++ size_path_1 = ndr_get_array_size(ndr, &r->in.path); ++ length_path_1 = ndr_get_array_length(ndr, &r->in.path); ++ if (length_path_1 > size_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_1, length_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_path_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); +@@ -14853,11 +15265,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); +- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->in.user); ++ length_user_1 = ndr_get_array_length(ndr, &r->in.user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -15009,6 +15423,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetFileGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetFileGetInfo *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -15025,11 +15441,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.fid)); +@@ -15107,6 +15525,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetFileClose(struct ndr_pull *ndr, int flags, struct srvsvc_NetFileClose *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -15120,11 +15540,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.fid)); +@@ -15219,8 +15641,14 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetSessEnum *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_client; ++ uint32_t size_client_1 = 0; ++ uint32_t length_client_1 = 0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_client_0; +@@ -15242,11 +15670,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client)); +@@ -15260,11 +15690,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.client, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client)); +- if (ndr_get_array_length(ndr, &r->in.client) > ndr_get_array_size(ndr, &r->in.client)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client), ndr_get_array_length(ndr, &r->in.client)); ++ size_client_1 = ndr_get_array_size(ndr, &r->in.client); ++ length_client_1 = ndr_get_array_length(ndr, &r->in.client); ++ if (length_client_1 > size_client_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, length_client_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); +@@ -15278,11 +15710,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); +- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->in.user); ++ length_user_1 = ndr_get_array_length(ndr, &r->in.user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -15441,8 +15875,14 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSessDel(struct ndr_pull *ndr, int flags, struct srvsvc_NetSessDel *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_client; ++ uint32_t size_client_1 = 0; ++ uint32_t length_client_1 = 0; + uint32_t _ptr_user; ++ uint32_t size_user_1 = 0; ++ uint32_t length_user_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_client_0; + TALLOC_CTX *_mem_save_user_0; +@@ -15458,11 +15898,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client)); +@@ -15476,11 +15918,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.client, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.client)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.client)); +- if (ndr_get_array_length(ndr, &r->in.client) > ndr_get_array_size(ndr, &r->in.client)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.client), ndr_get_array_length(ndr, &r->in.client)); ++ size_client_1 = ndr_get_array_size(ndr, &r->in.client); ++ length_client_1 = ndr_get_array_length(ndr, &r->in.client); ++ if (length_client_1 > size_client_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_client_1, length_client_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, ndr_get_array_length(ndr, &r->in.client), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_client_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.client, length_client_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user)); +@@ -15494,11 +15938,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.user, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.user)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.user)); +- if (ndr_get_array_length(ndr, &r->in.user) > ndr_get_array_size(ndr, &r->in.user)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.user), ndr_get_array_length(ndr, &r->in.user)); ++ size_user_1 = ndr_get_array_size(ndr, &r->in.user); ++ length_user_1 = ndr_get_array_length(ndr, &r->in.user); ++ if (length_user_1 > size_user_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_1, length_user_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, ndr_get_array_length(ndr, &r->in.user), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.user, length_user_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_0, 0); + } + } +@@ -15582,6 +16028,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareAdd(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareAdd *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_parm_error; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; +@@ -15600,11 +16048,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -15734,6 +16184,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareEnumAll(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareEnumAll *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_ctr_0; +@@ -15753,11 +16205,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -15900,6 +16354,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareGetInfo *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_share_name_0 = 0; ++ uint32_t length_share_name_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -15916,20 +16374,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); +- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); ++ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); ++ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); ++ if (length_share_name_0 > size_share_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); + NDR_PULL_ALLOC(ndr, r->out.info); + ZERO_STRUCTP(r->out.info); +@@ -16021,6 +16483,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareSetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareSetInfo *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_share_name_0 = 0; ++ uint32_t length_share_name_0 = 0; + uint32_t _ptr_parm_error; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; +@@ -16039,20 +16505,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); +- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); ++ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); ++ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); ++ if (length_share_name_0 > size_share_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.info); +@@ -16165,6 +16635,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareDel(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareDel *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_share_name_0 = 0; ++ uint32_t length_share_name_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -16178,20 +16652,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); +- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); ++ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); ++ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); ++ if (length_share_name_0 > size_share_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.reserved)); + } + if (flags & NDR_OUT) { +@@ -16255,6 +16733,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareDelSticky(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareDelSticky *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_share_name_0 = 0; ++ uint32_t length_share_name_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -16268,20 +16750,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share_name)); +- if (ndr_get_array_length(ndr, &r->in.share_name) > ndr_get_array_size(ndr, &r->in.share_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share_name), ndr_get_array_length(ndr, &r->in.share_name)); ++ size_share_name_0 = ndr_get_array_size(ndr, &r->in.share_name); ++ length_share_name_0 = ndr_get_array_length(ndr, &r->in.share_name); ++ if (length_share_name_0 > size_share_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_name_0, length_share_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, ndr_get_array_length(ndr, &r->in.share_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share_name, length_share_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.reserved)); + } + if (flags & NDR_OUT) { +@@ -16348,6 +16834,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareCheck(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareCheck *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_device_name_0 = 0; ++ uint32_t length_device_name_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_type_0; + if (flags & NDR_IN) { +@@ -16364,20 +16854,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.device_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.device_name)); +- if (ndr_get_array_length(ndr, &r->in.device_name) > ndr_get_array_size(ndr, &r->in.device_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.device_name), ndr_get_array_length(ndr, &r->in.device_name)); ++ size_device_name_0 = ndr_get_array_size(ndr, &r->in.device_name); ++ length_device_name_0 = ndr_get_array_length(ndr, &r->in.device_name); ++ if (length_device_name_0 > size_device_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_device_name_0, length_device_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, ndr_get_array_length(ndr, &r->in.device_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_device_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.device_name, length_device_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_ALLOC(ndr, r->out.type); + ZERO_STRUCTP(r->out.type); + } +@@ -16453,6 +16947,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSrvGetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetSrvGetInfo *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -16469,11 +16965,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -16562,6 +17060,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSrvSetInfo(struct ndr_pull *ndr, int flags, struct srvsvc_NetSrvSetInfo *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_parm_error; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; +@@ -16580,11 +17080,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -16715,6 +17217,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetDiskEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetDiskEnum *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; +@@ -16734,11 +17238,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -16889,7 +17395,11 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetServerStatisticsGet(struct ndr_pull *ndr, int flags, struct srvsvc_NetServerStatisticsGet *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_service; ++ uint32_t size_service_1 = 0; ++ uint32_t length_service_1 = 0; + uint32_t _ptr_stats; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_service_0; +@@ -16909,11 +17419,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service)); +@@ -16927,11 +17439,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.service, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service)); +- if (ndr_get_array_length(ndr, &r->in.service) > ndr_get_array_size(ndr, &r->in.service)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service), ndr_get_array_length(ndr, &r->in.service)); ++ size_service_1 = ndr_get_array_size(ndr, &r->in.service); ++ length_service_1 = ndr_get_array_length(ndr, &r->in.service); ++ if (length_service_1 > size_service_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_1, length_service_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service, ndr_get_array_length(ndr, &r->in.service), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service, length_service_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -17031,6 +17545,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportAdd(struct ndr_pull *ndr, int flags, struct srvsvc_NetTransportAdd *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -17044,11 +17560,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -17133,6 +17651,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetTransportEnum *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_transports_0; +@@ -17152,11 +17672,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -17294,6 +17816,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetTransportDel(struct ndr_pull *ndr, int flags, struct srvsvc_NetTransportDel *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info0_0; + if (flags & NDR_IN) { +@@ -17308,11 +17832,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -17390,6 +17916,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetRemoteTOD(struct ndr_pull *ndr, int flags, struct srvsvc_NetRemoteTOD *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_0; +@@ -17408,11 +17936,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.info); +@@ -17508,7 +18038,11 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSetServiceBits(struct ndr_pull *ndr, int flags, struct srvsvc_NetSetServiceBits *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_transport; ++ uint32_t size_transport_1 = 0; ++ uint32_t length_transport_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_transport_0; + if (flags & NDR_IN) { +@@ -17523,11 +18057,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_transport)); +@@ -17541,11 +18077,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.transport, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.transport)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.transport)); +- if (ndr_get_array_length(ndr, &r->in.transport) > ndr_get_array_size(ndr, &r->in.transport)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.transport), ndr_get_array_length(ndr, &r->in.transport)); ++ size_transport_1 = ndr_get_array_size(ndr, &r->in.transport); ++ length_transport_1 = ndr_get_array_length(ndr, &r->in.transport); ++ if (length_transport_1 > size_transport_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_1, length_transport_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, length_transport_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.servicebits)); +@@ -17622,6 +18160,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetPathType(struct ndr_pull *ndr, int flags, struct srvsvc_NetPathType *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_path_0 = 0; ++ uint32_t length_path_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_pathtype_0; + if (flags & NDR_IN) { +@@ -17638,20 +18180,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); +- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); ++ size_path_0 = ndr_get_array_size(ndr, &r->in.path); ++ length_path_0 = ndr_get_array_length(ndr, &r->in.path); ++ if (length_path_0 > size_path_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_0, length_path_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.pathflags)); + NDR_PULL_ALLOC(ndr, r->out.pathtype); + ZERO_STRUCTP(r->out.pathtype); +@@ -17743,6 +18289,13 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetPathCanonicalize(struct ndr_pull *ndr, int flags, struct srvsvc_NetPathCanonicalize *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_path_0 = 0; ++ uint32_t length_path_0 = 0; ++ uint32_t size_can_path_0 = 0; ++ uint32_t size_prefix_0 = 0; ++ uint32_t length_prefix_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_pathtype_0; + if (flags & NDR_IN) { +@@ -17759,28 +18312,34 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path)); +- if (ndr_get_array_length(ndr, &r->in.path) > ndr_get_array_size(ndr, &r->in.path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path), ndr_get_array_length(ndr, &r->in.path)); ++ size_path_0 = ndr_get_array_size(ndr, &r->in.path); ++ length_path_0 = ndr_get_array_length(ndr, &r->in.path); ++ if (length_path_0 > size_path_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path_0, length_path_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, ndr_get_array_length(ndr, &r->in.path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path, length_path_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.maxbuf)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.prefix)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.prefix)); +- if (ndr_get_array_length(ndr, &r->in.prefix) > ndr_get_array_size(ndr, &r->in.prefix)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.prefix), ndr_get_array_length(ndr, &r->in.prefix)); ++ size_prefix_0 = ndr_get_array_size(ndr, &r->in.prefix); ++ length_prefix_0 = ndr_get_array_length(ndr, &r->in.prefix); ++ if (length_prefix_0 > size_prefix_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_prefix_0, length_prefix_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.prefix), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.prefix, ndr_get_array_length(ndr, &r->in.prefix), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_prefix_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.prefix, length_prefix_0, sizeof(uint16_t), CH_UTF16)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.pathtype); + } +@@ -17794,8 +18353,9 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.can_path)); +- NDR_PULL_ALLOC_N(ndr, r->out.can_path, ndr_get_array_size(ndr, &r->out.can_path)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.can_path, ndr_get_array_size(ndr, &r->out.can_path))); ++ size_can_path_0 = ndr_get_array_size(ndr, &r->out.can_path); ++ NDR_PULL_ALLOC_N(ndr, r->out.can_path, size_can_path_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.can_path, size_can_path_0)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.pathtype); + } +@@ -17882,6 +18442,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetPathCompare(struct ndr_pull *ndr, int flags, struct srvsvc_NetPathCompare *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_path1_0 = 0; ++ uint32_t length_path1_0 = 0; ++ uint32_t size_path2_0 = 0; ++ uint32_t length_path2_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -17895,27 +18461,33 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path1)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path1)); +- if (ndr_get_array_length(ndr, &r->in.path1) > ndr_get_array_size(ndr, &r->in.path1)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path1), ndr_get_array_length(ndr, &r->in.path1)); ++ size_path1_0 = ndr_get_array_size(ndr, &r->in.path1); ++ length_path1_0 = ndr_get_array_length(ndr, &r->in.path1); ++ if (length_path1_0 > size_path1_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path1_0, length_path1_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path1), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path1, ndr_get_array_length(ndr, &r->in.path1), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path1_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path1, length_path1_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.path2)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.path2)); +- if (ndr_get_array_length(ndr, &r->in.path2) > ndr_get_array_size(ndr, &r->in.path2)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.path2), ndr_get_array_length(ndr, &r->in.path2)); ++ size_path2_0 = ndr_get_array_size(ndr, &r->in.path2); ++ length_path2_0 = ndr_get_array_length(ndr, &r->in.path2); ++ if (length_path2_0 > size_path2_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_path2_0, length_path2_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.path2), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path2, ndr_get_array_length(ndr, &r->in.path2), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_path2_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.path2, length_path2_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.pathtype)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.pathflags)); + } +@@ -17983,6 +18555,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetNameValidate(struct ndr_pull *ndr, int flags, struct srvsvc_NetNameValidate *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_name_0 = 0; ++ uint32_t length_name_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -17996,20 +18572,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name)); +- if (ndr_get_array_length(ndr, &r->in.name) > ndr_get_array_size(ndr, &r->in.name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name), ndr_get_array_length(ndr, &r->in.name)); ++ size_name_0 = ndr_get_array_size(ndr, &r->in.name); ++ length_name_0 = ndr_get_array_length(ndr, &r->in.name); ++ if (length_name_0 > size_name_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_0, length_name_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, length_name_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_type)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + } +@@ -18122,6 +18702,12 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetPRNameCompare(struct ndr_pull *ndr, int flags, struct srvsvc_NetPRNameCompare *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_name1_0 = 0; ++ uint32_t length_name1_0 = 0; ++ uint32_t size_name2_0 = 0; ++ uint32_t length_name2_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -18135,27 +18721,33 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name1)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name1)); +- if (ndr_get_array_length(ndr, &r->in.name1) > ndr_get_array_size(ndr, &r->in.name1)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name1), ndr_get_array_length(ndr, &r->in.name1)); ++ size_name1_0 = ndr_get_array_size(ndr, &r->in.name1); ++ length_name1_0 = ndr_get_array_length(ndr, &r->in.name1); ++ if (length_name1_0 > size_name1_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name1_0, length_name1_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name1), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name1, ndr_get_array_length(ndr, &r->in.name1), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name1_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name1, length_name1_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name2)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name2)); +- if (ndr_get_array_length(ndr, &r->in.name2) > ndr_get_array_size(ndr, &r->in.name2)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name2), ndr_get_array_length(ndr, &r->in.name2)); ++ size_name2_0 = ndr_get_array_size(ndr, &r->in.name2); ++ length_name2_0 = ndr_get_array_length(ndr, &r->in.name2); ++ if (length_name2_0 > size_name2_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name2_0, length_name2_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name2), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name2, ndr_get_array_length(ndr, &r->in.name2), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name2_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name2, length_name2_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.name_type)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + } +@@ -18238,6 +18830,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareEnum(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareEnum *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_info_ctr_0; +@@ -18257,11 +18851,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -18403,6 +18999,10 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetShareDelStart(struct ndr_pull *ndr, int flags, struct srvsvc_NetShareDelStart *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; ++ uint32_t size_share_0 = 0; ++ uint32_t length_share_0 = 0; + uint32_t _ptr_hnd; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_hnd_0; +@@ -18420,20 +19020,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); +- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); ++ size_share_0 = ndr_get_array_size(ndr, &r->in.share); ++ length_share_0 = ndr_get_array_length(ndr, &r->in.share); ++ if (length_share_0 > size_share_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_0, length_share_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.reserved)); + } + if (flags & NDR_OUT) { +@@ -18619,7 +19223,13 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetGetFileSecurity(struct ndr_pull *ndr, int flags, struct srvsvc_NetGetFileSecurity *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_share; ++ uint32_t size_share_1 = 0; ++ uint32_t length_share_1 = 0; ++ uint32_t size_file_0 = 0; ++ uint32_t length_file_0 = 0; + uint32_t _ptr_sd_buf; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_share_0; +@@ -18639,11 +19249,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); +@@ -18657,20 +19269,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); +- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); ++ size_share_1 = ndr_get_array_size(ndr, &r->in.share); ++ length_share_1 = ndr_get_array_length(ndr, &r->in.share); ++ if (length_share_1 > size_share_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.file)); +- if (ndr_get_array_length(ndr, &r->in.file) > ndr_get_array_size(ndr, &r->in.file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.file), ndr_get_array_length(ndr, &r->in.file)); ++ size_file_0 = ndr_get_array_size(ndr, &r->in.file); ++ length_file_0 = ndr_get_array_length(ndr, &r->in.file); ++ if (length_file_0 > size_file_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_file_0, length_file_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_file_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, length_file_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_security_secinfo(ndr, NDR_SCALARS, &r->in.securityinformation)); + NDR_PULL_ALLOC(ndr, r->out.sd_buf); + ZERO_STRUCTP(r->out.sd_buf); +@@ -18780,7 +19396,13 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetSetFileSecurity(struct ndr_pull *ndr, int flags, struct srvsvc_NetSetFileSecurity *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_share; ++ uint32_t size_share_1 = 0; ++ uint32_t length_share_1 = 0; ++ uint32_t size_file_0 = 0; ++ uint32_t length_file_0 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_share_0; + TALLOC_CTX *_mem_save_sd_buf_0; +@@ -18796,11 +19418,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_share)); +@@ -18814,20 +19438,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.share, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.share)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.share)); +- if (ndr_get_array_length(ndr, &r->in.share) > ndr_get_array_size(ndr, &r->in.share)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.share), ndr_get_array_length(ndr, &r->in.share)); ++ size_share_1 = ndr_get_array_size(ndr, &r->in.share); ++ length_share_1 = ndr_get_array_length(ndr, &r->in.share); ++ if (length_share_1 > size_share_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_share_1, length_share_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, ndr_get_array_length(ndr, &r->in.share), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_share_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.share, length_share_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_share_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.file)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.file)); +- if (ndr_get_array_length(ndr, &r->in.file) > ndr_get_array_size(ndr, &r->in.file)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.file), ndr_get_array_length(ndr, &r->in.file)); ++ size_file_0 = ndr_get_array_size(ndr, &r->in.file); ++ length_file_0 = ndr_get_array_length(ndr, &r->in.file); ++ if (length_file_0 > size_file_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_file_0, length_file_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, ndr_get_array_length(ndr, &r->in.file), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_file_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.file, length_file_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_security_secinfo(ndr, NDR_SCALARS, &r->in.securityinformation)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->in.sd_buf); +@@ -18906,6 +19534,8 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetServerTransportAddEx(struct ndr_pull *ndr, int flags, struct srvsvc_NetServerTransportAddEx *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_unc)); +@@ -18919,11 +19549,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -19004,8 +19636,14 @@ + static enum ndr_err_code ndr_pull_srvsvc_NetServerSetServiceBitsEx(struct ndr_pull *ndr, int flags, struct srvsvc_NetServerSetServiceBitsEx *r) + { + uint32_t _ptr_server_unc; ++ uint32_t size_server_unc_1 = 0; ++ uint32_t length_server_unc_1 = 0; + uint32_t _ptr_emulated_server_unc; ++ uint32_t size_emulated_server_unc_1 = 0; ++ uint32_t length_emulated_server_unc_1 = 0; + uint32_t _ptr_transport; ++ uint32_t size_transport_1 = 0; ++ uint32_t length_transport_1 = 0; + TALLOC_CTX *_mem_save_server_unc_0; + TALLOC_CTX *_mem_save_emulated_server_unc_0; + TALLOC_CTX *_mem_save_transport_0; +@@ -19021,11 +19659,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_unc)); +- if (ndr_get_array_length(ndr, &r->in.server_unc) > ndr_get_array_size(ndr, &r->in.server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_unc), ndr_get_array_length(ndr, &r->in.server_unc)); ++ size_server_unc_1 = ndr_get_array_size(ndr, &r->in.server_unc); ++ length_server_unc_1 = ndr_get_array_length(ndr, &r->in.server_unc); ++ if (length_server_unc_1 > size_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_unc_1, length_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, ndr_get_array_length(ndr, &r->in.server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_unc, length_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_emulated_server_unc)); +@@ -19039,11 +19679,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.emulated_server_unc, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.emulated_server_unc)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.emulated_server_unc)); +- if (ndr_get_array_length(ndr, &r->in.emulated_server_unc) > ndr_get_array_size(ndr, &r->in.emulated_server_unc)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.emulated_server_unc), ndr_get_array_length(ndr, &r->in.emulated_server_unc)); ++ size_emulated_server_unc_1 = ndr_get_array_size(ndr, &r->in.emulated_server_unc); ++ length_emulated_server_unc_1 = ndr_get_array_length(ndr, &r->in.emulated_server_unc); ++ if (length_emulated_server_unc_1 > size_emulated_server_unc_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_emulated_server_unc_1, length_emulated_server_unc_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.emulated_server_unc), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.emulated_server_unc, ndr_get_array_length(ndr, &r->in.emulated_server_unc), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_emulated_server_unc_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.emulated_server_unc, length_emulated_server_unc_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_emulated_server_unc_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_transport)); +@@ -19057,11 +19699,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.transport, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.transport)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.transport)); +- if (ndr_get_array_length(ndr, &r->in.transport) > ndr_get_array_size(ndr, &r->in.transport)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.transport), ndr_get_array_length(ndr, &r->in.transport)); ++ size_transport_1 = ndr_get_array_size(ndr, &r->in.transport); ++ length_transport_1 = ndr_get_array_length(ndr, &r->in.transport); ++ if (length_transport_1 > size_transport_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_1, length_transport_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, ndr_get_array_length(ndr, &r->in.transport), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport, length_transport_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.servicebitsofinterest)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_svcctl.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_svcctl.c 2012-04-12 12:09:50.655287455 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_svcctl.c 2012-04-12 12:19:20.991301010 -0500 +@@ -28,6 +28,8 @@ + static enum ndr_err_code ndr_pull_SERVICE_LOCK_STATUS(struct ndr_pull *ndr, int ndr_flags, struct SERVICE_LOCK_STATUS *r) + { + uint32_t _ptr_lock_owner; ++ uint32_t size_lock_owner_1 = 0; ++ uint32_t length_lock_owner_1 = 0; + TALLOC_CTX *_mem_save_lock_owner_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -47,11 +49,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->lock_owner, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->lock_owner)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->lock_owner)); +- if (ndr_get_array_length(ndr, &r->lock_owner) > ndr_get_array_size(ndr, &r->lock_owner)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->lock_owner), ndr_get_array_length(ndr, &r->lock_owner)); ++ size_lock_owner_1 = ndr_get_array_size(ndr, &r->lock_owner); ++ length_lock_owner_1 = ndr_get_array_length(ndr, &r->lock_owner); ++ if (length_lock_owner_1 > size_lock_owner_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_lock_owner_1, length_lock_owner_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->lock_owner), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lock_owner, ndr_get_array_length(ndr, &r->lock_owner), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_lock_owner_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lock_owner, length_lock_owner_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_lock_owner_0, 0); + } + } +@@ -782,14 +786,24 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_QUERY_SERVICE_CONFIG(struct ndr_pull *ndr, int ndr_flags, struct QUERY_SERVICE_CONFIG *r) + { + uint32_t _ptr_executablepath; ++ uint32_t size_executablepath_1 = 0; ++ uint32_t length_executablepath_1 = 0; + TALLOC_CTX *_mem_save_executablepath_0; + uint32_t _ptr_loadordergroup; ++ uint32_t size_loadordergroup_1 = 0; ++ uint32_t length_loadordergroup_1 = 0; + TALLOC_CTX *_mem_save_loadordergroup_0; + uint32_t _ptr_dependencies; ++ uint32_t size_dependencies_1 = 0; ++ uint32_t length_dependencies_1 = 0; + TALLOC_CTX *_mem_save_dependencies_0; + uint32_t _ptr_startname; ++ uint32_t size_startname_1 = 0; ++ uint32_t length_startname_1 = 0; + TALLOC_CTX *_mem_save_startname_0; + uint32_t _ptr_displayname; ++ uint32_t size_displayname_1 = 0; ++ uint32_t length_displayname_1 = 0; + TALLOC_CTX *_mem_save_displayname_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -835,14 +849,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->executablepath, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->executablepath)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->executablepath)); +- if (ndr_get_array_length(ndr, &r->executablepath) > ndr_get_array_size(ndr, &r->executablepath)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->executablepath), ndr_get_array_length(ndr, &r->executablepath)); ++ size_executablepath_1 = ndr_get_array_size(ndr, &r->executablepath); ++ if (size_executablepath_1 > 8192) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->executablepath) > 8192) { ++ length_executablepath_1 = ndr_get_array_length(ndr, &r->executablepath); ++ if (length_executablepath_1 > 8192) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->executablepath), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->executablepath, ndr_get_array_length(ndr, &r->executablepath), sizeof(uint16_t), CH_UTF16)); ++ if (length_executablepath_1 > size_executablepath_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_executablepath_1, length_executablepath_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_executablepath_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->executablepath, length_executablepath_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_executablepath_0, 0); + } + if (r->loadordergroup) { +@@ -850,14 +869,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->loadordergroup, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->loadordergroup)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->loadordergroup)); +- if (ndr_get_array_length(ndr, &r->loadordergroup) > ndr_get_array_size(ndr, &r->loadordergroup)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->loadordergroup), ndr_get_array_length(ndr, &r->loadordergroup)); ++ size_loadordergroup_1 = ndr_get_array_size(ndr, &r->loadordergroup); ++ if (size_loadordergroup_1 > 8192) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->loadordergroup) > 8192) { ++ length_loadordergroup_1 = ndr_get_array_length(ndr, &r->loadordergroup); ++ if (length_loadordergroup_1 > 8192) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->loadordergroup), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->loadordergroup, ndr_get_array_length(ndr, &r->loadordergroup), sizeof(uint16_t), CH_UTF16)); ++ if (length_loadordergroup_1 > size_loadordergroup_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_loadordergroup_1, length_loadordergroup_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_loadordergroup_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->loadordergroup, length_loadordergroup_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_loadordergroup_0, 0); + } + if (r->dependencies) { +@@ -865,14 +889,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->dependencies, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->dependencies)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->dependencies)); +- if (ndr_get_array_length(ndr, &r->dependencies) > ndr_get_array_size(ndr, &r->dependencies)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->dependencies), ndr_get_array_length(ndr, &r->dependencies)); ++ size_dependencies_1 = ndr_get_array_size(ndr, &r->dependencies); ++ if (size_dependencies_1 > 8192) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->dependencies) > 8192) { ++ length_dependencies_1 = ndr_get_array_length(ndr, &r->dependencies); ++ if (length_dependencies_1 > 8192) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->dependencies), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dependencies, ndr_get_array_length(ndr, &r->dependencies), sizeof(uint16_t), CH_UTF16)); ++ if (length_dependencies_1 > size_dependencies_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); + } + if (r->startname) { +@@ -880,14 +909,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->startname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->startname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->startname)); +- if (ndr_get_array_length(ndr, &r->startname) > ndr_get_array_size(ndr, &r->startname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->startname), ndr_get_array_length(ndr, &r->startname)); ++ size_startname_1 = ndr_get_array_size(ndr, &r->startname); ++ if (size_startname_1 > 8192) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->startname) > 8192) { ++ length_startname_1 = ndr_get_array_length(ndr, &r->startname); ++ if (length_startname_1 > 8192) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->startname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->startname, ndr_get_array_length(ndr, &r->startname), sizeof(uint16_t), CH_UTF16)); ++ if (length_startname_1 > size_startname_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_startname_1, length_startname_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_startname_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->startname, length_startname_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_startname_0, 0); + } + if (r->displayname) { +@@ -895,14 +929,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->displayname, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->displayname)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->displayname)); +- if (ndr_get_array_length(ndr, &r->displayname) > ndr_get_array_size(ndr, &r->displayname)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->displayname), ndr_get_array_length(ndr, &r->displayname)); ++ size_displayname_1 = ndr_get_array_size(ndr, &r->displayname); ++ if (size_displayname_1 > 8192) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->displayname) > 8192) { ++ length_displayname_1 = ndr_get_array_length(ndr, &r->displayname); ++ if (length_displayname_1 > 8192) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->displayname), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->displayname, ndr_get_array_length(ndr, &r->displayname), sizeof(uint16_t), CH_UTF16)); ++ if (length_displayname_1 > size_displayname_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_displayname_1, length_displayname_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_displayname_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->displayname, length_displayname_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_displayname_0, 0); + } + } +@@ -977,6 +1016,8 @@ + static enum ndr_err_code ndr_pull_svcctl_ArgumentString(struct ndr_pull *ndr, int ndr_flags, struct svcctl_ArgumentString *r) + { + uint32_t _ptr_string; ++ uint32_t size_string_1 = 0; ++ uint32_t length_string_1 = 0; + TALLOC_CTX *_mem_save_string_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -994,14 +1035,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->string, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->string)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->string)); +- if (ndr_get_array_length(ndr, &r->string) > ndr_get_array_size(ndr, &r->string)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->string), ndr_get_array_length(ndr, &r->string)); ++ size_string_1 = ndr_get_array_size(ndr, &r->string); ++ if (size_string_1 > SC_MAX_ARGUMENT_LENGTH) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- if (ndr_get_array_length(ndr, &r->string) > SC_MAX_ARGUMENT_LENGTH) { ++ length_string_1 = ndr_get_array_length(ndr, &r->string); ++ if (length_string_1 > SC_MAX_ARGUMENT_LENGTH) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, ndr_get_array_length(ndr, &r->string), sizeof(uint16_t), CH_UTF16)); ++ if (length_string_1 > size_string_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_string_1, length_string_1); ++ } ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_string_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->string, length_string_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_string_0, 0); + } + } +@@ -1261,6 +1307,7 @@ + uint32_t _ptr_command; + TALLOC_CTX *_mem_save_command_0; + uint32_t _ptr_actions; ++ uint32_t size_actions_1 = 0; + uint32_t cntr_actions_1; + TALLOC_CTX *_mem_save_actions_0; + TALLOC_CTX *_mem_save_actions_1; +@@ -1348,10 +1395,11 @@ + _mem_save_actions_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->actions, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->actions)); +- NDR_PULL_ALLOC_N(ndr, r->actions, ndr_get_array_size(ndr, &r->actions)); ++ size_actions_1 = ndr_get_array_size(ndr, &r->actions); ++ NDR_PULL_ALLOC_N(ndr, r->actions, size_actions_1); + _mem_save_actions_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->actions, 0); +- for (cntr_actions_1 = 0; cntr_actions_1 < r->num_actions; cntr_actions_1++) { ++ for (cntr_actions_1 = 0; cntr_actions_1 < size_actions_1; cntr_actions_1++) { + NDR_CHECK(ndr_pull_SC_ACTION(ndr, NDR_SCALARS, &r->actions[cntr_actions_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_actions_1, 0); +@@ -1752,6 +1800,7 @@ + + static enum ndr_err_code ndr_pull_svcctl_QueryServiceObjectSecurity(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceObjectSecurity *r) + { ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_needed_0; + if (flags & NDR_IN) { +@@ -1776,10 +1825,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -1857,6 +1907,7 @@ + + static enum ndr_err_code ndr_pull_svcctl_SetServiceObjectSecurity(struct ndr_pull *ndr, int flags, struct svcctl_SetServiceObjectSecurity *r) + { ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -1868,10 +1919,11 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_security_secinfo(ndr, NDR_SCALARS, &r->in.security_flags)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); ++ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, size_buffer_1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.offered)); + if (r->in.buffer) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.buffer, r->in.offered)); +@@ -2287,11 +2339,23 @@ + static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigW(struct ndr_pull *ndr, int flags, struct svcctl_ChangeServiceConfigW *r) + { + uint32_t _ptr_binary_path; ++ uint32_t size_binary_path_1 = 0; ++ uint32_t length_binary_path_1 = 0; + uint32_t _ptr_load_order_group; ++ uint32_t size_load_order_group_1 = 0; ++ uint32_t length_load_order_group_1 = 0; + uint32_t _ptr_dependencies; ++ uint32_t size_dependencies_1 = 0; ++ uint32_t length_dependencies_1 = 0; + uint32_t _ptr_service_start_name; ++ uint32_t size_service_start_name_1 = 0; ++ uint32_t length_service_start_name_1 = 0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + uint32_t _ptr_display_name; ++ uint32_t size_display_name_1 = 0; ++ uint32_t length_display_name_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_binary_path_0; + TALLOC_CTX *_mem_save_load_order_group_0; +@@ -2324,11 +2388,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.binary_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); +- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); ++ size_binary_path_1 = ndr_get_array_size(ndr, &r->in.binary_path); ++ length_binary_path_1 = ndr_get_array_length(ndr, &r->in.binary_path); ++ if (length_binary_path_1 > size_binary_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_1, length_binary_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_path_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_load_order_group)); +@@ -2342,11 +2408,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.load_order_group, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.load_order_group)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.load_order_group)); +- if (ndr_get_array_length(ndr, &r->in.load_order_group) > ndr_get_array_size(ndr, &r->in.load_order_group)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.load_order_group), ndr_get_array_length(ndr, &r->in.load_order_group)); ++ size_load_order_group_1 = ndr_get_array_size(ndr, &r->in.load_order_group); ++ length_load_order_group_1 = ndr_get_array_length(ndr, &r->in.load_order_group); ++ if (length_load_order_group_1 > size_load_order_group_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_load_order_group_1, length_load_order_group_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_load_order_group_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, length_load_order_group_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_load_order_group_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dependencies)); +@@ -2360,11 +2428,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dependencies)); +- if (ndr_get_array_length(ndr, &r->in.dependencies) > ndr_get_array_size(ndr, &r->in.dependencies)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dependencies), ndr_get_array_length(ndr, &r->in.dependencies)); ++ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); ++ length_dependencies_1 = ndr_get_array_length(ndr, &r->in.dependencies); ++ if (length_dependencies_1 > size_dependencies_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service_start_name)); +@@ -2378,11 +2448,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); +- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); ++ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); ++ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); ++ if (length_service_start_name_1 > size_service_start_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); +@@ -2396,11 +2468,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); +- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->in.password); ++ length_password_1 = ndr_get_array_length(ndr, &r->in.password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name)); +@@ -2414,11 +2488,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.display_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.display_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.display_name)); +- if (ndr_get_array_length(ndr, &r->in.display_name) > ndr_get_array_size(ndr, &r->in.display_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.display_name), ndr_get_array_length(ndr, &r->in.display_name)); ++ size_display_name_1 = ndr_get_array_size(ndr, &r->in.display_name); ++ length_display_name_1 = ndr_get_array_length(ndr, &r->in.display_name); ++ if (length_display_name_1 > size_display_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_1, length_display_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, length_display_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.tag_id); +@@ -2579,12 +2655,24 @@ + + static enum ndr_err_code ndr_pull_svcctl_CreateServiceW(struct ndr_pull *ndr, int flags, struct svcctl_CreateServiceW *r) + { ++ uint32_t size_ServiceName_0 = 0; ++ uint32_t length_ServiceName_0 = 0; + uint32_t _ptr_DisplayName; ++ uint32_t size_DisplayName_1 = 0; ++ uint32_t length_DisplayName_1 = 0; ++ uint32_t size_binary_path_0 = 0; ++ uint32_t length_binary_path_0 = 0; + uint32_t _ptr_LoadOrderGroupKey; ++ uint32_t size_LoadOrderGroupKey_1 = 0; ++ uint32_t length_LoadOrderGroupKey_1 = 0; + uint32_t _ptr_TagId; + uint32_t _ptr_dependencies; ++ uint32_t size_dependencies_1 = 0; + uint32_t _ptr_service_start_name; ++ uint32_t size_service_start_name_1 = 0; ++ uint32_t length_service_start_name_1 = 0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; + TALLOC_CTX *_mem_save_scmanager_handle_0; + TALLOC_CTX *_mem_save_DisplayName_0; + TALLOC_CTX *_mem_save_LoadOrderGroupKey_0; +@@ -2605,11 +2693,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_scmanager_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); +- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); ++ size_ServiceName_0 = ndr_get_array_size(ndr, &r->in.ServiceName); ++ length_ServiceName_0 = ndr_get_array_length(ndr, &r->in.ServiceName); ++ if (length_ServiceName_0 > size_ServiceName_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_0, length_ServiceName_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DisplayName)); + if (_ptr_DisplayName) { + NDR_PULL_ALLOC(ndr, r->in.DisplayName); +@@ -2621,11 +2711,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.DisplayName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DisplayName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DisplayName)); +- if (ndr_get_array_length(ndr, &r->in.DisplayName) > ndr_get_array_size(ndr, &r->in.DisplayName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DisplayName), ndr_get_array_length(ndr, &r->in.DisplayName)); ++ size_DisplayName_1 = ndr_get_array_size(ndr, &r->in.DisplayName); ++ length_DisplayName_1 = ndr_get_array_length(ndr, &r->in.DisplayName); ++ if (length_DisplayName_1 > size_DisplayName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DisplayName_1, length_DisplayName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_DisplayName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, length_DisplayName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DisplayName_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.desired_access)); +@@ -2634,11 +2726,13 @@ + NDR_CHECK(ndr_pull_svcctl_ErrorControl(ndr, NDR_SCALARS, &r->in.error_control)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); +- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); ++ size_binary_path_0 = ndr_get_array_size(ndr, &r->in.binary_path); ++ length_binary_path_0 = ndr_get_array_length(ndr, &r->in.binary_path); ++ if (length_binary_path_0 > size_binary_path_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_0, length_binary_path_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_LoadOrderGroupKey)); + if (_ptr_LoadOrderGroupKey) { + NDR_PULL_ALLOC(ndr, r->in.LoadOrderGroupKey); +@@ -2650,11 +2744,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.LoadOrderGroupKey, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.LoadOrderGroupKey)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.LoadOrderGroupKey)); +- if (ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey) > ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey), ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey)); ++ size_LoadOrderGroupKey_1 = ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey); ++ length_LoadOrderGroupKey_1 = ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey); ++ if (length_LoadOrderGroupKey_1 > size_LoadOrderGroupKey_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_LoadOrderGroupKey_1, length_LoadOrderGroupKey_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_LoadOrderGroupKey_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, length_LoadOrderGroupKey_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_LoadOrderGroupKey_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_TagId)); +@@ -2679,8 +2775,9 @@ + _mem_save_dependencies_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); +- NDR_PULL_ALLOC_N(ndr, r->in.dependencies, ndr_get_array_size(ndr, &r->in.dependencies)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.dependencies, ndr_get_array_size(ndr, &r->in.dependencies))); ++ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); ++ NDR_PULL_ALLOC_N(ndr, r->in.dependencies, size_dependencies_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.dependencies, size_dependencies_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.dependencies_size)); +@@ -2695,11 +2792,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); +- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); ++ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); ++ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); ++ if (length_service_start_name_1 > size_service_start_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); +@@ -2712,8 +2811,9 @@ + _mem_save_password_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); +- NDR_PULL_ALLOC_N(ndr, r->in.password, ndr_get_array_size(ndr, &r->in.password)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.password, ndr_get_array_size(ndr, &r->in.password))); ++ size_password_1 = ndr_get_array_size(ndr, &r->in.password); ++ NDR_PULL_ALLOC_N(ndr, r->in.password, size_password_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.password, size_password_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.password_size)); +@@ -2862,6 +2962,7 @@ + + static enum ndr_err_code ndr_pull_svcctl_EnumDependentServicesW(struct ndr_pull *ndr, int flags, struct svcctl_EnumDependentServicesW *r) + { ++ uint32_t size_service_status_1 = 0; + TALLOC_CTX *_mem_save_service_0; + TALLOC_CTX *_mem_save_needed_0; + TALLOC_CTX *_mem_save_services_returned_0; +@@ -2889,10 +2990,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.service_status)); ++ size_service_status_1 = ndr_get_array_size(ndr, &r->out.service_status); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.service_status, ndr_get_array_size(ndr, &r->out.service_status)); ++ NDR_PULL_ALLOC_N(ndr, r->out.service_status, size_service_status_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service_status, ndr_get_array_size(ndr, &r->out.service_status))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service_status, size_service_status_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -3001,6 +3103,7 @@ + + static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusW(struct ndr_pull *ndr, int flags, struct svcctl_EnumServicesStatusW *r) + { ++ uint32_t size_service_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_needed_0; +@@ -3043,10 +3146,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.service)); ++ size_service_1 = ndr_get_array_size(ndr, &r->out.service); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.service, ndr_get_array_size(ndr, &r->out.service)); ++ NDR_PULL_ALLOC_N(ndr, r->out.service, size_service_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, ndr_get_array_size(ndr, &r->out.service))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, size_service_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -3172,7 +3276,11 @@ + static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerW(struct ndr_pull *ndr, int flags, struct svcctl_OpenSCManagerW *r) + { + uint32_t _ptr_MachineName; ++ uint32_t size_MachineName_1 = 0; ++ uint32_t length_MachineName_1 = 0; + uint32_t _ptr_DatabaseName; ++ uint32_t size_DatabaseName_1 = 0; ++ uint32_t length_DatabaseName_1 = 0; + TALLOC_CTX *_mem_save_MachineName_0; + TALLOC_CTX *_mem_save_DatabaseName_0; + TALLOC_CTX *_mem_save_handle_0; +@@ -3190,11 +3298,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.MachineName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.MachineName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.MachineName)); +- if (ndr_get_array_length(ndr, &r->in.MachineName) > ndr_get_array_size(ndr, &r->in.MachineName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.MachineName), ndr_get_array_length(ndr, &r->in.MachineName)); ++ size_MachineName_1 = ndr_get_array_size(ndr, &r->in.MachineName); ++ length_MachineName_1 = ndr_get_array_length(ndr, &r->in.MachineName); ++ if (length_MachineName_1 > size_MachineName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_MachineName_1, length_MachineName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_MachineName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, length_MachineName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_MachineName_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DatabaseName)); +@@ -3208,11 +3318,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.DatabaseName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DatabaseName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DatabaseName)); +- if (ndr_get_array_length(ndr, &r->in.DatabaseName) > ndr_get_array_size(ndr, &r->in.DatabaseName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DatabaseName), ndr_get_array_length(ndr, &r->in.DatabaseName)); ++ size_DatabaseName_1 = ndr_get_array_size(ndr, &r->in.DatabaseName); ++ length_DatabaseName_1 = ndr_get_array_length(ndr, &r->in.DatabaseName); ++ if (length_DatabaseName_1 > size_DatabaseName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DatabaseName_1, length_DatabaseName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_DatabaseName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, length_DatabaseName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DatabaseName_0, 0); + } + NDR_CHECK(ndr_pull_svcctl_MgrAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); +@@ -3296,6 +3408,8 @@ + + static enum ndr_err_code ndr_pull_svcctl_OpenServiceW(struct ndr_pull *ndr, int flags, struct svcctl_OpenServiceW *r) + { ++ uint32_t size_ServiceName_0 = 0; ++ uint32_t length_ServiceName_0 = 0; + TALLOC_CTX *_mem_save_scmanager_handle_0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { +@@ -3310,11 +3424,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_scmanager_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); +- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); ++ size_ServiceName_0 = ndr_get_array_size(ndr, &r->in.ServiceName); ++ length_ServiceName_0 = ndr_get_array_length(ndr, &r->in.ServiceName); ++ if (length_ServiceName_0 > size_ServiceName_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_0, length_ServiceName_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_svcctl_ServiceAccessMask(ndr, NDR_SCALARS, &r->in.access_mask)); + NDR_PULL_ALLOC(ndr, r->out.handle); + ZERO_STRUCTP(r->out.handle); +@@ -3597,6 +3713,7 @@ + static enum ndr_err_code ndr_pull_svcctl_StartServiceW(struct ndr_pull *ndr, int flags, struct svcctl_StartServiceW *r) + { + uint32_t _ptr_Arguments; ++ uint32_t size_Arguments_1 = 0; + uint32_t cntr_Arguments_1; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_Arguments_0; +@@ -3623,13 +3740,14 @@ + _mem_save_Arguments_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.Arguments, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Arguments)); +- NDR_PULL_ALLOC_N(ndr, r->in.Arguments, ndr_get_array_size(ndr, &r->in.Arguments)); ++ size_Arguments_1 = ndr_get_array_size(ndr, &r->in.Arguments); ++ NDR_PULL_ALLOC_N(ndr, r->in.Arguments, size_Arguments_1); + _mem_save_Arguments_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.Arguments, 0); +- for (cntr_Arguments_1 = 0; cntr_Arguments_1 < r->in.NumArgs; cntr_Arguments_1++) { ++ for (cntr_Arguments_1 = 0; cntr_Arguments_1 < size_Arguments_1; cntr_Arguments_1++) { + NDR_CHECK(ndr_pull_svcctl_ArgumentString(ndr, NDR_SCALARS, &r->in.Arguments[cntr_Arguments_1])); + } +- for (cntr_Arguments_1 = 0; cntr_Arguments_1 < r->in.NumArgs; cntr_Arguments_1++) { ++ for (cntr_Arguments_1 = 0; cntr_Arguments_1 < size_Arguments_1; cntr_Arguments_1++) { + NDR_CHECK(ndr_pull_svcctl_ArgumentString(ndr, NDR_BUFFERS, &r->in.Arguments[cntr_Arguments_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Arguments_1, 0); +@@ -3726,7 +3844,11 @@ + static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameW(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceDisplayNameW *r) + { + uint32_t _ptr_service_name; ++ uint32_t size_service_name_1 = 0; ++ uint32_t length_service_name_1 = 0; + uint32_t _ptr_display_name; ++ uint32_t size_display_name_2 = 0; ++ uint32_t length_display_name_2 = 0; + uint32_t _ptr_display_name_length; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_service_name_0; +@@ -3754,11 +3876,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); +- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); ++ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); ++ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); ++ if (length_service_name_1 > size_service_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); +@@ -3793,11 +3917,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.display_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.display_name)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.display_name)); +- if (ndr_get_array_length(ndr, r->out.display_name) > ndr_get_array_size(ndr, r->out.display_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.display_name), ndr_get_array_length(ndr, r->out.display_name)); ++ size_display_name_2 = ndr_get_array_size(ndr, r->out.display_name); ++ length_display_name_2 = ndr_get_array_length(ndr, r->out.display_name); ++ if (length_display_name_2 > size_display_name_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_2, length_display_name_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, length_display_name_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, LIBNDR_FLAG_REF_ALLOC); +@@ -3913,7 +4039,11 @@ + static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameW(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceKeyNameW *r) + { + uint32_t _ptr_service_name; ++ uint32_t size_service_name_1 = 0; ++ uint32_t length_service_name_1 = 0; + uint32_t _ptr_key_name; ++ uint32_t size_key_name_2 = 0; ++ uint32_t length_key_name_2 = 0; + uint32_t _ptr_display_name_length; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_service_name_0; +@@ -3941,11 +4071,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); +- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); ++ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); ++ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); ++ if (length_service_name_1 > size_service_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); +@@ -3980,11 +4112,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.key_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.key_name)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.key_name)); +- if (ndr_get_array_length(ndr, r->out.key_name) > ndr_get_array_size(ndr, r->out.key_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.key_name), ndr_get_array_length(ndr, r->out.key_name)); ++ size_key_name_2 = ndr_get_array_size(ndr, r->out.key_name); ++ length_key_name_2 = ndr_get_array_length(ndr, r->out.key_name); ++ if (length_key_name_2 > size_key_name_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_2, length_key_name_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, length_key_name_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_0, LIBNDR_FLAG_REF_ALLOC); +@@ -4191,11 +4325,23 @@ + static enum ndr_err_code ndr_pull_svcctl_ChangeServiceConfigA(struct ndr_pull *ndr, int flags, struct svcctl_ChangeServiceConfigA *r) + { + uint32_t _ptr_binary_path; ++ uint32_t size_binary_path_1 = 0; ++ uint32_t length_binary_path_1 = 0; + uint32_t _ptr_load_order_group; ++ uint32_t size_load_order_group_1 = 0; ++ uint32_t length_load_order_group_1 = 0; + uint32_t _ptr_dependencies; ++ uint32_t size_dependencies_1 = 0; ++ uint32_t length_dependencies_1 = 0; + uint32_t _ptr_service_start_name; ++ uint32_t size_service_start_name_1 = 0; ++ uint32_t length_service_start_name_1 = 0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + uint32_t _ptr_display_name; ++ uint32_t size_display_name_1 = 0; ++ uint32_t length_display_name_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_binary_path_0; + TALLOC_CTX *_mem_save_load_order_group_0; +@@ -4228,11 +4374,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.binary_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); +- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); ++ size_binary_path_1 = ndr_get_array_size(ndr, &r->in.binary_path); ++ length_binary_path_1 = ndr_get_array_length(ndr, &r->in.binary_path); ++ if (length_binary_path_1 > size_binary_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_1, length_binary_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_path_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_load_order_group)); +@@ -4246,11 +4394,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.load_order_group, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.load_order_group)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.load_order_group)); +- if (ndr_get_array_length(ndr, &r->in.load_order_group) > ndr_get_array_size(ndr, &r->in.load_order_group)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.load_order_group), ndr_get_array_length(ndr, &r->in.load_order_group)); ++ size_load_order_group_1 = ndr_get_array_size(ndr, &r->in.load_order_group); ++ length_load_order_group_1 = ndr_get_array_length(ndr, &r->in.load_order_group); ++ if (length_load_order_group_1 > size_load_order_group_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_load_order_group_1, length_load_order_group_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, ndr_get_array_length(ndr, &r->in.load_order_group), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_load_order_group_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.load_order_group, length_load_order_group_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_load_order_group_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dependencies)); +@@ -4264,11 +4414,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dependencies)); +- if (ndr_get_array_length(ndr, &r->in.dependencies) > ndr_get_array_size(ndr, &r->in.dependencies)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dependencies), ndr_get_array_length(ndr, &r->in.dependencies)); ++ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); ++ length_dependencies_1 = ndr_get_array_length(ndr, &r->in.dependencies); ++ if (length_dependencies_1 > size_dependencies_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service_start_name)); +@@ -4282,11 +4434,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); +- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); ++ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); ++ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); ++ if (length_service_start_name_1 > size_service_start_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); +@@ -4300,11 +4454,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); +- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->in.password); ++ length_password_1 = ndr_get_array_length(ndr, &r->in.password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name)); +@@ -4318,11 +4474,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.display_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.display_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.display_name)); +- if (ndr_get_array_length(ndr, &r->in.display_name) > ndr_get_array_size(ndr, &r->in.display_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.display_name), ndr_get_array_length(ndr, &r->in.display_name)); ++ size_display_name_1 = ndr_get_array_size(ndr, &r->in.display_name); ++ length_display_name_1 = ndr_get_array_length(ndr, &r->in.display_name); ++ if (length_display_name_1 > size_display_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_1, length_display_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, ndr_get_array_length(ndr, &r->in.display_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.display_name, length_display_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.tag_id); +@@ -4484,13 +4642,27 @@ + static enum ndr_err_code ndr_pull_svcctl_CreateServiceA(struct ndr_pull *ndr, int flags, struct svcctl_CreateServiceA *r) + { + uint32_t _ptr_ServiceName; ++ uint32_t size_ServiceName_1 = 0; ++ uint32_t length_ServiceName_1 = 0; + uint32_t _ptr_DisplayName; ++ uint32_t size_DisplayName_1 = 0; ++ uint32_t length_DisplayName_1 = 0; + uint32_t _ptr_binary_path; ++ uint32_t size_binary_path_1 = 0; ++ uint32_t length_binary_path_1 = 0; + uint32_t _ptr_LoadOrderGroupKey; ++ uint32_t size_LoadOrderGroupKey_1 = 0; ++ uint32_t length_LoadOrderGroupKey_1 = 0; + uint32_t _ptr_TagId; + uint32_t _ptr_dependencies; ++ uint32_t size_dependencies_1 = 0; ++ uint32_t length_dependencies_1 = 0; + uint32_t _ptr_service_start_name; ++ uint32_t size_service_start_name_1 = 0; ++ uint32_t length_service_start_name_1 = 0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_ServiceName_0; + TALLOC_CTX *_mem_save_DisplayName_0; +@@ -4521,11 +4693,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.ServiceName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); +- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); ++ size_ServiceName_1 = ndr_get_array_size(ndr, &r->in.ServiceName); ++ length_ServiceName_1 = ndr_get_array_length(ndr, &r->in.ServiceName); ++ if (length_ServiceName_1 > size_ServiceName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_1, length_ServiceName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ServiceName_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DisplayName)); +@@ -4539,11 +4713,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.DisplayName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DisplayName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DisplayName)); +- if (ndr_get_array_length(ndr, &r->in.DisplayName) > ndr_get_array_size(ndr, &r->in.DisplayName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DisplayName), ndr_get_array_length(ndr, &r->in.DisplayName)); ++ size_DisplayName_1 = ndr_get_array_size(ndr, &r->in.DisplayName); ++ length_DisplayName_1 = ndr_get_array_length(ndr, &r->in.DisplayName); ++ if (length_DisplayName_1 > size_DisplayName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DisplayName_1, length_DisplayName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, ndr_get_array_length(ndr, &r->in.DisplayName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_DisplayName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DisplayName, length_DisplayName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DisplayName_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.desired_access)); +@@ -4561,11 +4737,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.binary_path, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.binary_path)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.binary_path)); +- if (ndr_get_array_length(ndr, &r->in.binary_path) > ndr_get_array_size(ndr, &r->in.binary_path)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.binary_path), ndr_get_array_length(ndr, &r->in.binary_path)); ++ size_binary_path_1 = ndr_get_array_size(ndr, &r->in.binary_path); ++ length_binary_path_1 = ndr_get_array_length(ndr, &r->in.binary_path); ++ if (length_binary_path_1 > size_binary_path_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_binary_path_1, length_binary_path_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, ndr_get_array_length(ndr, &r->in.binary_path), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_binary_path_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.binary_path, length_binary_path_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_binary_path_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_LoadOrderGroupKey)); +@@ -4579,11 +4757,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.LoadOrderGroupKey, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.LoadOrderGroupKey)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.LoadOrderGroupKey)); +- if (ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey) > ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey), ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey)); ++ size_LoadOrderGroupKey_1 = ndr_get_array_size(ndr, &r->in.LoadOrderGroupKey); ++ length_LoadOrderGroupKey_1 = ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey); ++ if (length_LoadOrderGroupKey_1 > size_LoadOrderGroupKey_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_LoadOrderGroupKey_1, length_LoadOrderGroupKey_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, ndr_get_array_length(ndr, &r->in.LoadOrderGroupKey), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_LoadOrderGroupKey_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.LoadOrderGroupKey, length_LoadOrderGroupKey_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_LoadOrderGroupKey_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dependencies)); +@@ -4597,11 +4777,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.dependencies, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dependencies)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dependencies)); +- if (ndr_get_array_length(ndr, &r->in.dependencies) > ndr_get_array_size(ndr, &r->in.dependencies)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dependencies), ndr_get_array_length(ndr, &r->in.dependencies)); ++ size_dependencies_1 = ndr_get_array_size(ndr, &r->in.dependencies); ++ length_dependencies_1 = ndr_get_array_length(ndr, &r->in.dependencies); ++ if (length_dependencies_1 > size_dependencies_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dependencies_1, length_dependencies_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, ndr_get_array_length(ndr, &r->in.dependencies), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dependencies_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dependencies, length_dependencies_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dependencies_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_service_start_name)); +@@ -4615,11 +4797,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.service_start_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_start_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_start_name)); +- if (ndr_get_array_length(ndr, &r->in.service_start_name) > ndr_get_array_size(ndr, &r->in.service_start_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_start_name), ndr_get_array_length(ndr, &r->in.service_start_name)); ++ size_service_start_name_1 = ndr_get_array_size(ndr, &r->in.service_start_name); ++ length_service_start_name_1 = ndr_get_array_length(ndr, &r->in.service_start_name); ++ if (length_service_start_name_1 > size_service_start_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_start_name_1, length_service_start_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, ndr_get_array_length(ndr, &r->in.service_start_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_start_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_start_name, length_service_start_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_start_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); +@@ -4633,11 +4817,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); +- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->in.password); ++ length_password_1 = ndr_get_array_length(ndr, &r->in.password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + } +@@ -4900,6 +5086,7 @@ + + static enum ndr_err_code ndr_pull_svcctl_EnumServicesStatusA(struct ndr_pull *ndr, int flags, struct svcctl_EnumServicesStatusA *r) + { ++ uint32_t size_service_0 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_needed_0; +@@ -4937,8 +5124,9 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.service)); +- NDR_PULL_ALLOC_N(ndr, r->out.service, ndr_get_array_size(ndr, &r->out.service)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, ndr_get_array_size(ndr, &r->out.service))); ++ size_service_0 = ndr_get_array_size(ndr, &r->out.service); ++ NDR_PULL_ALLOC_N(ndr, r->out.service, size_service_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.service, size_service_0)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -5055,7 +5243,11 @@ + static enum ndr_err_code ndr_pull_svcctl_OpenSCManagerA(struct ndr_pull *ndr, int flags, struct svcctl_OpenSCManagerA *r) + { + uint32_t _ptr_MachineName; ++ uint32_t size_MachineName_1 = 0; ++ uint32_t length_MachineName_1 = 0; + uint32_t _ptr_DatabaseName; ++ uint32_t size_DatabaseName_1 = 0; ++ uint32_t length_DatabaseName_1 = 0; + TALLOC_CTX *_mem_save_MachineName_0; + TALLOC_CTX *_mem_save_DatabaseName_0; + TALLOC_CTX *_mem_save_handle_0; +@@ -5073,11 +5265,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.MachineName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.MachineName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.MachineName)); +- if (ndr_get_array_length(ndr, &r->in.MachineName) > ndr_get_array_size(ndr, &r->in.MachineName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.MachineName), ndr_get_array_length(ndr, &r->in.MachineName)); ++ size_MachineName_1 = ndr_get_array_size(ndr, &r->in.MachineName); ++ length_MachineName_1 = ndr_get_array_length(ndr, &r->in.MachineName); ++ if (length_MachineName_1 > size_MachineName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_MachineName_1, length_MachineName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, ndr_get_array_length(ndr, &r->in.MachineName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_MachineName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.MachineName, length_MachineName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_MachineName_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_DatabaseName)); +@@ -5091,11 +5285,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.DatabaseName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.DatabaseName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.DatabaseName)); +- if (ndr_get_array_length(ndr, &r->in.DatabaseName) > ndr_get_array_size(ndr, &r->in.DatabaseName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.DatabaseName), ndr_get_array_length(ndr, &r->in.DatabaseName)); ++ size_DatabaseName_1 = ndr_get_array_size(ndr, &r->in.DatabaseName); ++ length_DatabaseName_1 = ndr_get_array_length(ndr, &r->in.DatabaseName); ++ if (length_DatabaseName_1 > size_DatabaseName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_DatabaseName_1, length_DatabaseName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, ndr_get_array_length(ndr, &r->in.DatabaseName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_DatabaseName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.DatabaseName, length_DatabaseName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_DatabaseName_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.access_mask)); +@@ -5179,6 +5375,8 @@ + static enum ndr_err_code ndr_pull_svcctl_OpenServiceA(struct ndr_pull *ndr, int flags, struct svcctl_OpenServiceA *r) + { + uint32_t _ptr_ServiceName; ++ uint32_t size_ServiceName_1 = 0; ++ uint32_t length_ServiceName_1 = 0; + TALLOC_CTX *_mem_save_scmanager_handle_0; + TALLOC_CTX *_mem_save_ServiceName_0; + if (flags & NDR_IN) { +@@ -5200,11 +5398,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.ServiceName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.ServiceName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.ServiceName)); +- if (ndr_get_array_length(ndr, &r->in.ServiceName) > ndr_get_array_size(ndr, &r->in.ServiceName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.ServiceName), ndr_get_array_length(ndr, &r->in.ServiceName)); ++ size_ServiceName_1 = ndr_get_array_size(ndr, &r->in.ServiceName); ++ length_ServiceName_1 = ndr_get_array_length(ndr, &r->in.ServiceName); ++ if (length_ServiceName_1 > size_ServiceName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ServiceName_1, length_ServiceName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, ndr_get_array_length(ndr, &r->in.ServiceName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_ServiceName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.ServiceName, length_ServiceName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ServiceName_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.access_mask)); +@@ -5270,6 +5470,7 @@ + + static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfigA(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceConfigA *r) + { ++ uint32_t size_query_0 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_needed_0; + if (flags & NDR_IN) { +@@ -5287,8 +5488,9 @@ + ZERO_STRUCTP(r->out.needed); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.query, r->in.offered); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.query, r->in.offered)); ++ size_query_0 = r->in.offered; ++ NDR_PULL_ALLOC_N(ndr, r->out.query, size_query_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.query, size_query_0)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -5457,6 +5659,8 @@ + static enum ndr_err_code ndr_pull_svcctl_StartServiceA(struct ndr_pull *ndr, int flags, struct svcctl_StartServiceA *r) + { + uint32_t _ptr_Arguments; ++ uint32_t size_Arguments_1 = 0; ++ uint32_t length_Arguments_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_Arguments_0; + if (flags & NDR_IN) { +@@ -5479,11 +5683,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Arguments, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Arguments)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Arguments)); +- if (ndr_get_array_length(ndr, &r->in.Arguments) > ndr_get_array_size(ndr, &r->in.Arguments)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Arguments), ndr_get_array_length(ndr, &r->in.Arguments)); ++ size_Arguments_1 = ndr_get_array_size(ndr, &r->in.Arguments); ++ length_Arguments_1 = ndr_get_array_length(ndr, &r->in.Arguments); ++ if (length_Arguments_1 > size_Arguments_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Arguments_1, length_Arguments_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Arguments), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Arguments, ndr_get_array_length(ndr, &r->in.Arguments), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Arguments_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Arguments, length_Arguments_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Arguments_0, 0); + } + } +@@ -5568,7 +5774,11 @@ + static enum ndr_err_code ndr_pull_svcctl_GetServiceDisplayNameA(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceDisplayNameA *r) + { + uint32_t _ptr_service_name; ++ uint32_t size_service_name_1 = 0; ++ uint32_t length_service_name_1 = 0; + uint32_t _ptr_display_name; ++ uint32_t size_display_name_2 = 0; ++ uint32_t length_display_name_2 = 0; + uint32_t _ptr_display_name_length; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_service_name_0; +@@ -5596,11 +5806,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); +- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); ++ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); ++ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); ++ if (length_service_name_1 > size_service_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); +@@ -5635,11 +5847,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.display_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.display_name)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.display_name)); +- if (ndr_get_array_length(ndr, r->out.display_name) > ndr_get_array_size(ndr, r->out.display_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.display_name), ndr_get_array_length(ndr, r->out.display_name)); ++ size_display_name_2 = ndr_get_array_size(ndr, r->out.display_name); ++ length_display_name_2 = ndr_get_array_length(ndr, r->out.display_name); ++ if (length_display_name_2 > size_display_name_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_display_name_2, length_display_name_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, ndr_get_array_length(ndr, r->out.display_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_display_name_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.display_name, length_display_name_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_display_name_0, LIBNDR_FLAG_REF_ALLOC); +@@ -5755,7 +5969,11 @@ + static enum ndr_err_code ndr_pull_svcctl_GetServiceKeyNameA(struct ndr_pull *ndr, int flags, struct svcctl_GetServiceKeyNameA *r) + { + uint32_t _ptr_service_name; ++ uint32_t size_service_name_1 = 0; ++ uint32_t length_service_name_1 = 0; + uint32_t _ptr_key_name; ++ uint32_t size_key_name_2 = 0; ++ uint32_t length_key_name_2 = 0; + uint32_t _ptr_display_name_length; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_service_name_0; +@@ -5783,11 +6001,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.service_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.service_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.service_name)); +- if (ndr_get_array_length(ndr, &r->in.service_name) > ndr_get_array_size(ndr, &r->in.service_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.service_name), ndr_get_array_length(ndr, &r->in.service_name)); ++ size_service_name_1 = ndr_get_array_size(ndr, &r->in.service_name); ++ length_service_name_1 = ndr_get_array_length(ndr, &r->in.service_name); ++ if (length_service_name_1 > size_service_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_service_name_1, length_service_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, ndr_get_array_length(ndr, &r->in.service_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_service_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.service_name, length_service_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_service_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_display_name_length)); +@@ -5822,11 +6042,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.key_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.key_name)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.key_name)); +- if (ndr_get_array_length(ndr, r->out.key_name) > ndr_get_array_size(ndr, r->out.key_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.key_name), ndr_get_array_length(ndr, r->out.key_name)); ++ size_key_name_2 = ndr_get_array_size(ndr, r->out.key_name); ++ length_key_name_2 = ndr_get_array_length(ndr, r->out.key_name); ++ if (length_key_name_2 > size_key_name_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_key_name_2, length_key_name_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, ndr_get_array_length(ndr, r->out.key_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_key_name_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.key_name, length_key_name_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_name_0, LIBNDR_FLAG_REF_ALLOC); +@@ -6177,6 +6399,7 @@ + + static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfig2A(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceConfig2A *r) + { ++ uint32_t size_buffer_0 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_needed_0; + if (flags & NDR_IN) { +@@ -6195,8 +6418,9 @@ + ZERO_STRUCTP(r->out.needed); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, r->in.offered); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, r->in.offered)); ++ size_buffer_0 = r->in.offered; ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_0)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -6269,6 +6493,7 @@ + + static enum ndr_err_code ndr_pull_svcctl_QueryServiceConfig2W(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceConfig2W *r) + { ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_needed_0; + if (flags & NDR_IN) { +@@ -6293,10 +6518,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -6378,6 +6604,7 @@ + + static enum ndr_err_code ndr_pull_svcctl_QueryServiceStatusEx(struct ndr_pull *ndr, int flags, struct svcctl_QueryServiceStatusEx *r) + { ++ uint32_t size_buffer_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + TALLOC_CTX *_mem_save_needed_0; + if (flags & NDR_IN) { +@@ -6402,10 +6629,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, size_buffer_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -6507,8 +6735,11 @@ + + static enum ndr_err_code ndr_pull_EnumServicesStatusExA(struct ndr_pull *ndr, int flags, struct EnumServicesStatusExA *r) + { ++ uint32_t size_services_0 = 0; + uint32_t _ptr_resume_handle; + uint32_t _ptr_group_name; ++ uint32_t size_group_name_2 = 0; ++ uint32_t length_group_name_2 = 0; + TALLOC_CTX *_mem_save_scmanager_0; + TALLOC_CTX *_mem_save_needed_0; + TALLOC_CTX *_mem_save_service_returned_0; +@@ -6549,8 +6780,9 @@ + ZERO_STRUCTP(r->out.group_name); + } + if (flags & NDR_OUT) { +- NDR_PULL_ALLOC_N(ndr, r->out.services, r->in.offered); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, r->in.offered)); ++ size_services_0 = r->in.offered; ++ NDR_PULL_ALLOC_N(ndr, r->out.services, size_services_0); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, size_services_0)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +@@ -6593,11 +6825,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.group_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.group_name)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.group_name)); +- if (ndr_get_array_length(ndr, r->out.group_name) > ndr_get_array_size(ndr, r->out.group_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.group_name), ndr_get_array_length(ndr, r->out.group_name)); ++ size_group_name_2 = ndr_get_array_size(ndr, r->out.group_name); ++ length_group_name_2 = ndr_get_array_length(ndr, r->out.group_name); ++ if (length_group_name_2 > size_group_name_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_group_name_2, length_group_name_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.group_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.group_name, ndr_get_array_length(ndr, r->out.group_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_group_name_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.group_name, length_group_name_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_name_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_name_0, LIBNDR_FLAG_REF_ALLOC); +@@ -6714,8 +6948,11 @@ + + static enum ndr_err_code ndr_pull_EnumServicesStatusExW(struct ndr_pull *ndr, int flags, struct EnumServicesStatusExW *r) + { ++ uint32_t size_services_1 = 0; + uint32_t _ptr_resume_handle; + uint32_t _ptr_group_name; ++ uint32_t size_group_name_1 = 0; ++ uint32_t length_group_name_1 = 0; + TALLOC_CTX *_mem_save_scmanager_0; + TALLOC_CTX *_mem_save_needed_0; + TALLOC_CTX *_mem_save_service_returned_0; +@@ -6764,11 +7001,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.group_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.group_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.group_name)); +- if (ndr_get_array_length(ndr, &r->in.group_name) > ndr_get_array_size(ndr, &r->in.group_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.group_name), ndr_get_array_length(ndr, &r->in.group_name)); ++ size_group_name_1 = ndr_get_array_size(ndr, &r->in.group_name); ++ length_group_name_1 = ndr_get_array_length(ndr, &r->in.group_name); ++ if (length_group_name_1 > size_group_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_group_name_1, length_group_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.group_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.group_name, ndr_get_array_length(ndr, &r->in.group_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_group_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.group_name, length_group_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_name_0, 0); + } + NDR_PULL_ALLOC_N(ndr, r->out.services, r->in.offered); +@@ -6780,10 +7019,11 @@ + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.services)); ++ size_services_1 = ndr_get_array_size(ndr, &r->out.services); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.services, ndr_get_array_size(ndr, &r->out.services)); ++ NDR_PULL_ALLOC_N(ndr, r->out.services, size_services_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, ndr_get_array_size(ndr, &r->out.services))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.services, size_services_1)); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { + NDR_PULL_ALLOC(ndr, r->out.needed); + } +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_unixinfo.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_unixinfo.c 2012-04-12 12:09:51.923287484 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_unixinfo.c 2012-04-12 12:19:20.995301010 -0500 +@@ -26,23 +26,31 @@ + + static enum ndr_err_code ndr_pull_unixinfo_GetPWUidInfo(struct ndr_pull *ndr, int ndr_flags, struct unixinfo_GetPWUidInfo *r) + { ++ uint32_t size_homedir_0 = 0; ++ uint32_t length_homedir_0 = 0; ++ uint32_t size_shell_0 = 0; ++ uint32_t length_shell_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->shell)); + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->status)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->homedir)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->homedir)); +- if (ndr_get_array_length(ndr, &r->homedir) > ndr_get_array_size(ndr, &r->homedir)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->homedir), ndr_get_array_length(ndr, &r->homedir)); ++ size_homedir_0 = ndr_get_array_size(ndr, &r->homedir); ++ length_homedir_0 = ndr_get_array_length(ndr, &r->homedir); ++ if (length_homedir_0 > size_homedir_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_homedir_0, length_homedir_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->homedir), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->homedir, ndr_get_array_length(ndr, &r->homedir), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_homedir_0, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->homedir, length_homedir_0, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->shell)); +- if (ndr_get_array_length(ndr, &r->shell) > ndr_get_array_size(ndr, &r->shell)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->shell), ndr_get_array_length(ndr, &r->shell)); ++ size_shell_0 = ndr_get_array_size(ndr, &r->shell); ++ length_shell_0 = ndr_get_array_length(ndr, &r->shell); ++ if (length_shell_0 > size_shell_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_shell_0, length_shell_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->shell), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->shell, ndr_get_array_length(ndr, &r->shell), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_shell_0, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->shell, length_shell_0, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -351,7 +359,9 @@ + + static enum ndr_err_code ndr_pull_unixinfo_GetPWUid(struct ndr_pull *ndr, int flags, struct unixinfo_GetPWUid *r) + { ++ uint32_t size_uids_0 = 0; + uint32_t cntr_uids_0; ++ uint32_t size_infos_0 = 0; + uint32_t cntr_infos_0; + TALLOC_CTX *_mem_save_count_0; + TALLOC_CTX *_mem_save_uids_0; +@@ -370,10 +380,11 @@ + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_count_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.uids)); +- NDR_PULL_ALLOC_N(ndr, r->in.uids, ndr_get_array_size(ndr, &r->in.uids)); ++ size_uids_0 = ndr_get_array_size(ndr, &r->in.uids); ++ NDR_PULL_ALLOC_N(ndr, r->in.uids, size_uids_0); + _mem_save_uids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.uids, 0); +- for (cntr_uids_0 = 0; cntr_uids_0 < *r->in.count; cntr_uids_0++) { ++ for (cntr_uids_0 = 0; cntr_uids_0 < size_uids_0; cntr_uids_0++) { + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->in.uids[cntr_uids_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_uids_0, 0); +@@ -395,10 +406,11 @@ + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_count_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.infos)); +- NDR_PULL_ALLOC_N(ndr, r->out.infos, ndr_get_array_size(ndr, &r->out.infos)); ++ size_infos_0 = ndr_get_array_size(ndr, &r->out.infos); ++ NDR_PULL_ALLOC_N(ndr, r->out.infos, size_infos_0); + _mem_save_infos_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.infos, 0); +- for (cntr_infos_0 = 0; cntr_infos_0 < *r->out.count; cntr_infos_0++) { ++ for (cntr_infos_0 = 0; cntr_infos_0 < size_infos_0; cntr_infos_0++) { + NDR_CHECK(ndr_pull_unixinfo_GetPWUidInfo(ndr, NDR_SCALARS, &r->out.infos[cntr_infos_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_infos_0, 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_wbint.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_wbint.c 2012-04-12 12:09:52.007287486 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_wbint.c 2012-04-12 12:19:20.999301009 -0500 +@@ -69,16 +69,18 @@ + + static enum ndr_err_code ndr_pull_wbint_TransIDArray(struct ndr_pull *ndr, int ndr_flags, struct wbint_TransIDArray *r) + { ++ uint32_t size_ids_0 = 0; + uint32_t cntr_ids_0; + TALLOC_CTX *_mem_save_ids_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->ids)); + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_ids)); +- NDR_PULL_ALLOC_N(ndr, r->ids, ndr_get_array_size(ndr, &r->ids)); ++ size_ids_0 = ndr_get_array_size(ndr, &r->ids); ++ NDR_PULL_ALLOC_N(ndr, r->ids, size_ids_0); + _mem_save_ids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->ids, 0); +- for (cntr_ids_0 = 0; cntr_ids_0 < r->num_ids; cntr_ids_0++) { ++ for (cntr_ids_0 = 0; cntr_ids_0 < size_ids_0; cntr_ids_0++) { + NDR_CHECK(ndr_pull_wbint_TransID(ndr, NDR_SCALARS, &r->ids[cntr_ids_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ids_0, 0); +@@ -153,12 +155,20 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_wbint_userinfo(struct ndr_pull *ndr, int ndr_flags, struct wbint_userinfo *r) + { + uint32_t _ptr_acct_name; ++ uint32_t size_acct_name_1 = 0; ++ uint32_t length_acct_name_1 = 0; + TALLOC_CTX *_mem_save_acct_name_0; + uint32_t _ptr_full_name; ++ uint32_t size_full_name_1 = 0; ++ uint32_t length_full_name_1 = 0; + TALLOC_CTX *_mem_save_full_name_0; + uint32_t _ptr_homedir; ++ uint32_t size_homedir_1 = 0; ++ uint32_t length_homedir_1 = 0; + TALLOC_CTX *_mem_save_homedir_0; + uint32_t _ptr_shell; ++ uint32_t size_shell_1 = 0; ++ uint32_t length_shell_1 = 0; + TALLOC_CTX *_mem_save_shell_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 8)); +@@ -197,11 +207,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->acct_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->acct_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->acct_name)); +- if (ndr_get_array_length(ndr, &r->acct_name) > ndr_get_array_size(ndr, &r->acct_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->acct_name), ndr_get_array_length(ndr, &r->acct_name)); ++ size_acct_name_1 = ndr_get_array_size(ndr, &r->acct_name); ++ length_acct_name_1 = ndr_get_array_length(ndr, &r->acct_name); ++ if (length_acct_name_1 > size_acct_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_acct_name_1, length_acct_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->acct_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->acct_name, ndr_get_array_length(ndr, &r->acct_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_acct_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->acct_name, length_acct_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_acct_name_0, 0); + } + if (r->full_name) { +@@ -209,11 +221,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->full_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->full_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->full_name)); +- if (ndr_get_array_length(ndr, &r->full_name) > ndr_get_array_size(ndr, &r->full_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->full_name), ndr_get_array_length(ndr, &r->full_name)); ++ size_full_name_1 = ndr_get_array_size(ndr, &r->full_name); ++ length_full_name_1 = ndr_get_array_length(ndr, &r->full_name); ++ if (length_full_name_1 > size_full_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_full_name_1, length_full_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->full_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->full_name, ndr_get_array_length(ndr, &r->full_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_full_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->full_name, length_full_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_full_name_0, 0); + } + if (r->homedir) { +@@ -221,11 +235,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->homedir, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->homedir)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->homedir)); +- if (ndr_get_array_length(ndr, &r->homedir) > ndr_get_array_size(ndr, &r->homedir)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->homedir), ndr_get_array_length(ndr, &r->homedir)); ++ size_homedir_1 = ndr_get_array_size(ndr, &r->homedir); ++ length_homedir_1 = ndr_get_array_length(ndr, &r->homedir); ++ if (length_homedir_1 > size_homedir_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_homedir_1, length_homedir_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->homedir), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->homedir, ndr_get_array_length(ndr, &r->homedir), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_homedir_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->homedir, length_homedir_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_homedir_0, 0); + } + if (r->shell) { +@@ -233,11 +249,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->shell, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->shell)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->shell)); +- if (ndr_get_array_length(ndr, &r->shell) > ndr_get_array_size(ndr, &r->shell)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->shell), ndr_get_array_length(ndr, &r->shell)); ++ size_shell_1 = ndr_get_array_size(ndr, &r->shell); ++ length_shell_1 = ndr_get_array_length(ndr, &r->shell); ++ if (length_shell_1 > size_shell_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_shell_1, length_shell_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->shell), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->shell, ndr_get_array_length(ndr, &r->shell), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_shell_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->shell, length_shell_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_shell_0, 0); + } + } +@@ -298,16 +316,18 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_wbint_SidArray(struct ndr_pull *ndr, int ndr_flags, struct wbint_SidArray *r) + { ++ uint32_t size_sids_0 = 0; + uint32_t cntr_sids_0; + TALLOC_CTX *_mem_save_sids_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->sids)); + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_sids)); +- NDR_PULL_ALLOC_N(ndr, r->sids, ndr_get_array_size(ndr, &r->sids)); ++ size_sids_0 = ndr_get_array_size(ndr, &r->sids); ++ NDR_PULL_ALLOC_N(ndr, r->sids, size_sids_0); + _mem_save_sids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sids, 0); +- for (cntr_sids_0 = 0; cntr_sids_0 < r->num_sids; cntr_sids_0++) { ++ for (cntr_sids_0 = 0; cntr_sids_0 < size_sids_0; cntr_sids_0++) { + NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->sids[cntr_sids_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sids_0, 0); +@@ -356,16 +376,18 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_wbint_RidArray(struct ndr_pull *ndr, int ndr_flags, struct wbint_RidArray *r) + { ++ uint32_t size_rids_0 = 0; + uint32_t cntr_rids_0; + TALLOC_CTX *_mem_save_rids_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->rids)); + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_rids)); +- NDR_PULL_ALLOC_N(ndr, r->rids, ndr_get_array_size(ndr, &r->rids)); ++ size_rids_0 = ndr_get_array_size(ndr, &r->rids); ++ NDR_PULL_ALLOC_N(ndr, r->rids, size_rids_0); + _mem_save_rids_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->rids, 0); +- for (cntr_rids_0 = 0; cntr_rids_0 < r->num_rids; cntr_rids_0++) { ++ for (cntr_rids_0 = 0; cntr_rids_0 < size_rids_0; cntr_rids_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->rids[cntr_rids_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_rids_0, 0); +@@ -418,6 +440,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_wbint_Principal(struct ndr_pull *ndr, int ndr_flags, struct wbint_Principal *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -437,11 +461,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + } +@@ -486,16 +512,18 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_wbint_Principals(struct ndr_pull *ndr, int ndr_flags, struct wbint_Principals *r) + { ++ uint32_t size_principals_0 = 0; + uint32_t cntr_principals_0; + TALLOC_CTX *_mem_save_principals_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->principals)); + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->num_principals)); +- NDR_PULL_ALLOC_N(ndr, r->principals, ndr_get_array_size(ndr, &r->principals)); ++ size_principals_0 = ndr_get_array_size(ndr, &r->principals); ++ NDR_PULL_ALLOC_N(ndr, r->principals, size_principals_0); + _mem_save_principals_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->principals, 0); +- for (cntr_principals_0 = 0; cntr_principals_0 < r->num_principals; cntr_principals_0++) { ++ for (cntr_principals_0 = 0; cntr_principals_0 < size_principals_0; cntr_principals_0++) { + NDR_CHECK(ndr_pull_wbint_Principal(ndr, NDR_SCALARS, &r->principals[cntr_principals_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_principals_0, 0); +@@ -505,9 +533,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_principals_0 = ndr_get_array_size(ndr, &r->principals); + _mem_save_principals_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->principals, 0); +- for (cntr_principals_0 = 0; cntr_principals_0 < r->num_principals; cntr_principals_0++) { ++ for (cntr_principals_0 = 0; cntr_principals_0 < size_principals_0; cntr_principals_0++) { + NDR_CHECK(ndr_pull_wbint_Principal(ndr, NDR_BUFFERS, &r->principals[cntr_principals_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_principals_0, 0); +@@ -553,16 +582,18 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_wbint_userinfos(struct ndr_pull *ndr, int ndr_flags, struct wbint_userinfos *r) + { ++ uint32_t size_userinfos_0 = 0; + uint32_t cntr_userinfos_0; + TALLOC_CTX *_mem_save_userinfos_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->userinfos)); + NDR_CHECK(ndr_pull_align(ndr, 8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_userinfos)); +- NDR_PULL_ALLOC_N(ndr, r->userinfos, ndr_get_array_size(ndr, &r->userinfos)); ++ size_userinfos_0 = ndr_get_array_size(ndr, &r->userinfos); ++ NDR_PULL_ALLOC_N(ndr, r->userinfos, size_userinfos_0); + _mem_save_userinfos_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->userinfos, 0); +- for (cntr_userinfos_0 = 0; cntr_userinfos_0 < r->num_userinfos; cntr_userinfos_0++) { ++ for (cntr_userinfos_0 = 0; cntr_userinfos_0 < size_userinfos_0; cntr_userinfos_0++) { + NDR_CHECK(ndr_pull_wbint_userinfo(ndr, NDR_SCALARS, &r->userinfos[cntr_userinfos_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_userinfos_0, 0); +@@ -572,9 +603,10 @@ + NDR_CHECK(ndr_pull_trailer_align(ndr, 8)); + } + if (ndr_flags & NDR_BUFFERS) { ++ size_userinfos_0 = ndr_get_array_size(ndr, &r->userinfos); + _mem_save_userinfos_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->userinfos, 0); +- for (cntr_userinfos_0 = 0; cntr_userinfos_0 < r->num_userinfos; cntr_userinfos_0++) { ++ for (cntr_userinfos_0 = 0; cntr_userinfos_0 < size_userinfos_0; cntr_userinfos_0++) { + NDR_CHECK(ndr_pull_wbint_userinfo(ndr, NDR_BUFFERS, &r->userinfos[cntr_userinfos_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_userinfos_0, 0); +@@ -701,7 +733,11 @@ + static enum ndr_err_code ndr_pull_wbint_LookupSid(struct ndr_pull *ndr, int flags, struct wbint_LookupSid *r) + { + uint32_t _ptr_domain; ++ uint32_t size_domain_2 = 0; ++ uint32_t length_domain_2 = 0; + uint32_t _ptr_name; ++ uint32_t size_name_2 = 0; ++ uint32_t length_name_2 = 0; + TALLOC_CTX *_mem_save_sid_0; + TALLOC_CTX *_mem_save_type_0; + TALLOC_CTX *_mem_save_domain_0; +@@ -749,11 +785,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.domain)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.domain)); +- if (ndr_get_array_length(ndr, r->out.domain) > ndr_get_array_size(ndr, r->out.domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.domain), ndr_get_array_length(ndr, r->out.domain)); ++ size_domain_2 = ndr_get_array_size(ndr, r->out.domain); ++ length_domain_2 = ndr_get_array_length(ndr, r->out.domain); ++ if (length_domain_2 > size_domain_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_2, length_domain_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.domain), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.domain, ndr_get_array_length(ndr, r->out.domain), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_2, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.domain, length_domain_2, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_0, LIBNDR_FLAG_REF_ALLOC); +@@ -773,11 +811,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.name)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.name)); +- if (ndr_get_array_length(ndr, r->out.name) > ndr_get_array_size(ndr, r->out.name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.name), ndr_get_array_length(ndr, r->out.name)); ++ size_name_2 = ndr_get_array_size(ndr, r->out.name); ++ length_name_2 = ndr_get_array_length(ndr, r->out.name); ++ if (length_name_2 > size_name_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_2, length_name_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.name, ndr_get_array_length(ndr, r->out.name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_2, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.name, length_name_2, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, LIBNDR_FLAG_REF_ALLOC); +@@ -965,6 +1005,10 @@ + + static enum ndr_err_code ndr_pull_wbint_LookupName(struct ndr_pull *ndr, int flags, struct wbint_LookupName *r) + { ++ uint32_t size_domain_1 = 0; ++ uint32_t length_domain_1 = 0; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_type_0; + TALLOC_CTX *_mem_save_sid_0; + if (flags & NDR_IN) { +@@ -972,18 +1016,22 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain)); +- if (ndr_get_array_length(ndr, &r->in.domain) > ndr_get_array_size(ndr, &r->in.domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain), ndr_get_array_length(ndr, &r->in.domain)); ++ size_domain_1 = ndr_get_array_size(ndr, &r->in.domain); ++ length_domain_1 = ndr_get_array_length(ndr, &r->in.domain); ++ if (length_domain_1 > size_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_1, length_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, ndr_get_array_length(ndr, &r->in.domain), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain, length_domain_1, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name)); +- if (ndr_get_array_length(ndr, &r->in.name) > ndr_get_array_size(ndr, &r->in.name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name), ndr_get_array_length(ndr, &r->in.name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->in.name); ++ length_name_1 = ndr_get_array_length(ndr, &r->in.name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, ndr_get_array_length(ndr, &r->in.name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, length_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); + NDR_PULL_ALLOC(ndr, r->out.type); + ZERO_STRUCTP(r->out.type); +@@ -1077,6 +1125,8 @@ + static enum ndr_err_code ndr_pull_wbint_Sid2Uid(struct ndr_pull *ndr, int flags, struct wbint_Sid2Uid *r) + { + uint32_t _ptr_dom_name; ++ uint32_t size_dom_name_1 = 0; ++ uint32_t length_dom_name_1 = 0; + TALLOC_CTX *_mem_save_dom_name_0; + TALLOC_CTX *_mem_save_sid_0; + TALLOC_CTX *_mem_save_uid_0; +@@ -1094,11 +1144,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.dom_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dom_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dom_name)); +- if (ndr_get_array_length(ndr, &r->in.dom_name) > ndr_get_array_size(ndr, &r->in.dom_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dom_name), ndr_get_array_length(ndr, &r->in.dom_name)); ++ size_dom_name_1 = ndr_get_array_size(ndr, &r->in.dom_name); ++ length_dom_name_1 = ndr_get_array_length(ndr, &r->in.dom_name); ++ if (length_dom_name_1 > size_dom_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_name_1, length_dom_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, length_dom_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -1188,6 +1240,8 @@ + static enum ndr_err_code ndr_pull_wbint_Sid2Gid(struct ndr_pull *ndr, int flags, struct wbint_Sid2Gid *r) + { + uint32_t _ptr_dom_name; ++ uint32_t size_dom_name_1 = 0; ++ uint32_t length_dom_name_1 = 0; + TALLOC_CTX *_mem_save_dom_name_0; + TALLOC_CTX *_mem_save_sid_0; + TALLOC_CTX *_mem_save_gid_0; +@@ -1205,11 +1259,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.dom_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dom_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dom_name)); +- if (ndr_get_array_length(ndr, &r->in.dom_name) > ndr_get_array_size(ndr, &r->in.dom_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dom_name), ndr_get_array_length(ndr, &r->in.dom_name)); ++ size_dom_name_1 = ndr_get_array_size(ndr, &r->in.dom_name); ++ length_dom_name_1 = ndr_get_array_length(ndr, &r->in.dom_name); ++ if (length_dom_name_1 > size_dom_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_name_1, length_dom_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, length_dom_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -1389,6 +1445,8 @@ + static enum ndr_err_code ndr_pull_wbint_Uid2Sid(struct ndr_pull *ndr, int flags, struct wbint_Uid2Sid *r) + { + uint32_t _ptr_dom_name; ++ uint32_t size_dom_name_1 = 0; ++ uint32_t length_dom_name_1 = 0; + TALLOC_CTX *_mem_save_dom_name_0; + TALLOC_CTX *_mem_save_sid_0; + if (flags & NDR_IN) { +@@ -1405,11 +1463,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.dom_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dom_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dom_name)); +- if (ndr_get_array_length(ndr, &r->in.dom_name) > ndr_get_array_size(ndr, &r->in.dom_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dom_name), ndr_get_array_length(ndr, &r->in.dom_name)); ++ size_dom_name_1 = ndr_get_array_size(ndr, &r->in.dom_name); ++ length_dom_name_1 = ndr_get_array_length(ndr, &r->in.dom_name); ++ if (length_dom_name_1 > size_dom_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_name_1, length_dom_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, length_dom_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_name_0, 0); + } + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->in.uid)); +@@ -1487,6 +1547,8 @@ + static enum ndr_err_code ndr_pull_wbint_Gid2Sid(struct ndr_pull *ndr, int flags, struct wbint_Gid2Sid *r) + { + uint32_t _ptr_dom_name; ++ uint32_t size_dom_name_1 = 0; ++ uint32_t length_dom_name_1 = 0; + TALLOC_CTX *_mem_save_dom_name_0; + TALLOC_CTX *_mem_save_sid_0; + if (flags & NDR_IN) { +@@ -1503,11 +1565,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.dom_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.dom_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.dom_name)); +- if (ndr_get_array_length(ndr, &r->in.dom_name) > ndr_get_array_size(ndr, &r->in.dom_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.dom_name), ndr_get_array_length(ndr, &r->in.dom_name)); ++ size_dom_name_1 = ndr_get_array_size(ndr, &r->in.dom_name); ++ length_dom_name_1 = ndr_get_array_length(ndr, &r->in.dom_name); ++ if (length_dom_name_1 > size_dom_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_dom_name_1, length_dom_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, ndr_get_array_length(ndr, &r->in.dom_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_dom_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.dom_name, length_dom_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dom_name_0, 0); + } + NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->in.gid)); +@@ -2223,8 +2287,12 @@ + + static enum ndr_err_code ndr_pull_wbint_DsGetDcName(struct ndr_pull *ndr, int flags, struct wbint_DsGetDcName *r) + { ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + uint32_t _ptr_domain_guid; + uint32_t _ptr_site_name; ++ uint32_t size_site_name_1 = 0; ++ uint32_t length_site_name_1 = 0; + uint32_t _ptr_dc_info; + TALLOC_CTX *_mem_save_domain_guid_0; + TALLOC_CTX *_mem_save_site_name_0; +@@ -2235,11 +2303,13 @@ + + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_domain_guid)); + if (_ptr_domain_guid) { + NDR_PULL_ALLOC(ndr, r->in.domain_guid); +@@ -2263,11 +2333,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.site_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.site_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.site_name)); +- if (ndr_get_array_length(ndr, &r->in.site_name) > ndr_get_array_size(ndr, &r->in.site_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.site_name), ndr_get_array_length(ndr, &r->in.site_name)); ++ size_site_name_1 = ndr_get_array_size(ndr, &r->in.site_name); ++ length_site_name_1 = ndr_get_array_length(ndr, &r->in.site_name); ++ if (length_site_name_1 > size_site_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_site_name_1, length_site_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, ndr_get_array_length(ndr, &r->in.site_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_site_name_1, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.site_name, length_site_name_1, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_site_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.flags)); +@@ -2381,6 +2453,8 @@ + static enum ndr_err_code ndr_pull_wbint_LookupRids(struct ndr_pull *ndr, int flags, struct wbint_LookupRids *r) + { + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_2 = 0; ++ uint32_t length_domain_name_2 = 0; + TALLOC_CTX *_mem_save_domain_sid_0; + TALLOC_CTX *_mem_save_rids_0; + TALLOC_CTX *_mem_save_domain_name_0; +@@ -2425,11 +2499,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.domain_name)); +- if (ndr_get_array_length(ndr, r->out.domain_name) > ndr_get_array_size(ndr, r->out.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.domain_name), ndr_get_array_length(ndr, r->out.domain_name)); ++ size_domain_name_2 = ndr_get_array_size(ndr, r->out.domain_name); ++ length_domain_name_2 = ndr_get_array_length(ndr, r->out.domain_name); ++ if (length_domain_name_2 > size_domain_name_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_2, length_domain_name_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.domain_name), sizeof(uint8_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.domain_name, ndr_get_array_length(ndr, r->out.domain_name), sizeof(uint8_t), CH_UTF8)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_2, sizeof(uint8_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.domain_name, length_domain_name_2, sizeof(uint8_t), CH_UTF8)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, LIBNDR_FLAG_REF_ALLOC); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_winreg.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_winreg.c 2012-04-12 12:09:51.779287481 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_winreg.c 2012-04-12 12:19:21.003301009 -0500 +@@ -58,6 +58,8 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_winreg_String(struct ndr_pull *ndr, int ndr_flags, struct winreg_String *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -77,11 +79,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + } +@@ -127,6 +131,8 @@ + static enum ndr_err_code ndr_pull_KeySecurityData(struct ndr_pull *ndr, int ndr_flags, struct KeySecurityData *r) + { + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; ++ uint32_t length_data_1 = 0; + TALLOC_CTX *_mem_save_data_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -146,11 +152,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); +- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->data); ++ length_data_1 = ndr_get_array_length(ndr, &r->data); ++ if (length_data_1 > size_data_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); + } +- NDR_PULL_ALLOC_N(ndr, r->data, ndr_get_array_size(ndr, &r->data)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, ndr_get_array_length(ndr, &r->data))); ++ NDR_PULL_ALLOC_N(ndr, r->data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, length_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + if (r->data) { +@@ -294,6 +302,8 @@ + static enum ndr_err_code ndr_pull_winreg_StringBuf(struct ndr_pull *ndr, int ndr_flags, struct winreg_StringBuf *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -313,10 +323,12 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->name) { +@@ -368,6 +380,8 @@ + static enum ndr_err_code ndr_pull_winreg_ValNameBuf(struct ndr_pull *ndr, int ndr_flags, struct winreg_ValNameBuf *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -387,10 +401,12 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->name) { +@@ -1630,6 +1646,8 @@ + { + uint32_t _ptr_type; + uint32_t _ptr_value; ++ uint32_t size_value_1 = 0; ++ uint32_t length_value_1 = 0; + uint32_t _ptr_size; + uint32_t _ptr_length; + TALLOC_CTX *_mem_save_handle_0; +@@ -1679,14 +1697,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.value, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.value)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.value)); +- if (ndr_get_array_length(ndr, &r->in.value) > ndr_get_array_size(ndr, &r->in.value)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.value), ndr_get_array_length(ndr, &r->in.value)); ++ size_value_1 = ndr_get_array_size(ndr, &r->in.value); ++ if (size_value_1 > 0x4000000) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_PULL_ALLOC_N(ndr, r->in.value, ndr_get_array_size(ndr, &r->in.value)); +- if (ndr_get_array_length(ndr, &r->in.value) > 0x4000000) { ++ length_value_1 = ndr_get_array_length(ndr, &r->in.value); ++ if (length_value_1 > 0x4000000) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.value, ndr_get_array_length(ndr, &r->in.value))); ++ if (length_value_1 > size_value_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_1, length_value_1); ++ } ++ NDR_PULL_ALLOC_N(ndr, r->in.value, size_value_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.value, length_value_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_value_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_size)); +@@ -1755,14 +1778,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->out.value, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.value)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.value)); +- if (ndr_get_array_length(ndr, &r->out.value) > ndr_get_array_size(ndr, &r->out.value)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.value), ndr_get_array_length(ndr, &r->out.value)); ++ size_value_1 = ndr_get_array_size(ndr, &r->out.value); ++ if (size_value_1 > 0x4000000) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_PULL_ALLOC_N(ndr, r->out.value, ndr_get_array_size(ndr, &r->out.value)); +- if (ndr_get_array_length(ndr, &r->out.value) > 0x4000000) { ++ length_value_1 = ndr_get_array_length(ndr, &r->out.value); ++ if (length_value_1 > 0x4000000) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.value, ndr_get_array_length(ndr, &r->out.value))); ++ if (length_value_1 > size_value_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_value_1, length_value_1); ++ } ++ NDR_PULL_ALLOC_N(ndr, r->out.value, size_value_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.value, length_value_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_value_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_size)); +@@ -2607,6 +2635,8 @@ + { + uint32_t _ptr_type; + uint32_t _ptr_data; ++ uint32_t size_data_1 = 0; ++ uint32_t length_data_1 = 0; + uint32_t _ptr_data_size; + uint32_t _ptr_data_length; + TALLOC_CTX *_mem_save_handle_0; +@@ -2655,14 +2685,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.data)); +- if (ndr_get_array_length(ndr, &r->in.data) > ndr_get_array_size(ndr, &r->in.data)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.data), ndr_get_array_length(ndr, &r->in.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->in.data); ++ if (size_data_1 > 0x4000000) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); +- if (ndr_get_array_length(ndr, &r->in.data) > 0x4000000) { ++ length_data_1 = ndr_get_array_length(ndr, &r->in.data); ++ if (length_data_1 > 0x4000000) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_length(ndr, &r->in.data))); ++ if (length_data_1 > size_data_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); ++ } ++ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, length_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_data_size)); +@@ -2722,14 +2757,19 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->out.data, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.data)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.data)); +- if (ndr_get_array_length(ndr, &r->out.data) > ndr_get_array_size(ndr, &r->out.data)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.data), ndr_get_array_length(ndr, &r->out.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->out.data); ++ if (size_data_1 > 0x4000000) { ++ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_PULL_ALLOC_N(ndr, r->out.data, ndr_get_array_size(ndr, &r->out.data)); +- if (ndr_get_array_length(ndr, &r->out.data) > 0x4000000) { ++ length_data_1 = ndr_get_array_length(ndr, &r->out.data); ++ if (length_data_1 > 0x4000000) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, ndr_get_array_length(ndr, &r->out.data))); ++ if (length_data_1 > size_data_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_1, length_data_1); ++ } ++ NDR_PULL_ALLOC_N(ndr, r->out.data, size_data_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.data, length_data_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_data_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_data_size)); +@@ -3231,6 +3271,7 @@ + + static enum ndr_err_code ndr_pull_winreg_SetValue(struct ndr_pull *ndr, int flags, struct winreg_SetValue *r) + { ++ uint32_t size_data_1 = 0; + TALLOC_CTX *_mem_save_handle_0; + if (flags & NDR_IN) { + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -3243,10 +3284,11 @@ + NDR_CHECK(ndr_pull_winreg_String(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.name)); + NDR_CHECK(ndr_pull_winreg_Type(ndr, NDR_SCALARS, &r->in.type)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.data)); ++ size_data_1 = ndr_get_array_size(ndr, &r->in.data); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.data, ndr_get_array_size(ndr, &r->in.data)); ++ NDR_PULL_ALLOC_N(ndr, r->in.data, size_data_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, ndr_get_array_size(ndr, &r->in.data))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.data, size_data_1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.size)); + if (r->in.data) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.data, r->in.size)); +@@ -3851,9 +3893,15 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryMultipleValues(struct ndr_pull *ndr, int flags, struct winreg_QueryMultipleValues *r) + { ++ uint32_t size_values_in_1 = 0; ++ uint32_t length_values_in_1 = 0; + uint32_t cntr_values_in_1; ++ uint32_t size_values_out_1 = 0; ++ uint32_t length_values_out_1 = 0; + uint32_t cntr_values_out_1; + uint32_t _ptr_buffer; ++ uint32_t size_buffer_1 = 0; ++ uint32_t length_buffer_1 = 0; + TALLOC_CTX *_mem_save_key_handle_0; + TALLOC_CTX *_mem_save_values_in_1; + TALLOC_CTX *_mem_save_values_out_1; +@@ -3871,18 +3919,20 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.values_in)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.values_in)); +- if (ndr_get_array_length(ndr, &r->in.values_in) > ndr_get_array_size(ndr, &r->in.values_in)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.values_in), ndr_get_array_length(ndr, &r->in.values_in)); ++ size_values_in_1 = ndr_get_array_size(ndr, &r->in.values_in); ++ length_values_in_1 = ndr_get_array_length(ndr, &r->in.values_in); ++ if (length_values_in_1 > size_values_in_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_values_in_1, length_values_in_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.values_in, ndr_get_array_size(ndr, &r->in.values_in)); ++ NDR_PULL_ALLOC_N(ndr, r->in.values_in, size_values_in_1); + } + _mem_save_values_in_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.values_in, 0); +- for (cntr_values_in_1 = 0; cntr_values_in_1 < ndr_get_array_length(ndr, &r->in.values_in); cntr_values_in_1++) { ++ for (cntr_values_in_1 = 0; cntr_values_in_1 < length_values_in_1; cntr_values_in_1++) { + NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_SCALARS, &r->in.values_in[cntr_values_in_1])); + } +- for (cntr_values_in_1 = 0; cntr_values_in_1 < ndr_get_array_length(ndr, &r->in.values_in); cntr_values_in_1++) { ++ for (cntr_values_in_1 = 0; cntr_values_in_1 < length_values_in_1; cntr_values_in_1++) { + NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_BUFFERS, &r->in.values_in[cntr_values_in_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_values_in_1, 0); +@@ -3898,11 +3948,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.buffer)); +- if (ndr_get_array_length(ndr, &r->in.buffer) > ndr_get_array_size(ndr, &r->in.buffer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.buffer), ndr_get_array_length(ndr, &r->in.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); ++ length_buffer_1 = ndr_get_array_length(ndr, &r->in.buffer); ++ if (length_buffer_1 > size_buffer_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); + } +- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_length(ndr, &r->in.buffer))); ++ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, length_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -3932,18 +3984,20 @@ + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.values_out)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.values_out)); +- if (ndr_get_array_length(ndr, &r->out.values_out) > ndr_get_array_size(ndr, &r->out.values_out)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.values_out), ndr_get_array_length(ndr, &r->out.values_out)); ++ size_values_out_1 = ndr_get_array_size(ndr, &r->out.values_out); ++ length_values_out_1 = ndr_get_array_length(ndr, &r->out.values_out); ++ if (length_values_out_1 > size_values_out_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_values_out_1, length_values_out_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.values_out, ndr_get_array_size(ndr, &r->out.values_out)); ++ NDR_PULL_ALLOC_N(ndr, r->out.values_out, size_values_out_1); + } + _mem_save_values_out_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.values_out, 0); +- for (cntr_values_out_1 = 0; cntr_values_out_1 < ndr_get_array_length(ndr, &r->out.values_out); cntr_values_out_1++) { ++ for (cntr_values_out_1 = 0; cntr_values_out_1 < length_values_out_1; cntr_values_out_1++) { + NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_SCALARS, &r->out.values_out[cntr_values_out_1])); + } +- for (cntr_values_out_1 = 0; cntr_values_out_1 < ndr_get_array_length(ndr, &r->out.values_out); cntr_values_out_1++) { ++ for (cntr_values_out_1 = 0; cntr_values_out_1 < length_values_out_1; cntr_values_out_1++) { + NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_BUFFERS, &r->out.values_out[cntr_values_out_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_values_out_1, 0); +@@ -3958,11 +4012,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->out.buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); +- if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); ++ length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer); ++ if (length_buffer_1 > size_buffer_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); + } +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_length(ndr, &r->out.buffer))); ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, length_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -4502,9 +4558,15 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_winreg_QueryMultipleValues2(struct ndr_pull *ndr, int flags, struct winreg_QueryMultipleValues2 *r) + { ++ uint32_t size_values_in_1 = 0; ++ uint32_t length_values_in_1 = 0; + uint32_t cntr_values_in_1; ++ uint32_t size_values_out_1 = 0; ++ uint32_t length_values_out_1 = 0; + uint32_t cntr_values_out_1; + uint32_t _ptr_buffer; ++ uint32_t size_buffer_1 = 0; ++ uint32_t length_buffer_1 = 0; + TALLOC_CTX *_mem_save_key_handle_0; + TALLOC_CTX *_mem_save_values_in_1; + TALLOC_CTX *_mem_save_values_out_1; +@@ -4523,18 +4585,20 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_key_handle_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.values_in)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.values_in)); +- if (ndr_get_array_length(ndr, &r->in.values_in) > ndr_get_array_size(ndr, &r->in.values_in)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.values_in), ndr_get_array_length(ndr, &r->in.values_in)); ++ size_values_in_1 = ndr_get_array_size(ndr, &r->in.values_in); ++ length_values_in_1 = ndr_get_array_length(ndr, &r->in.values_in); ++ if (length_values_in_1 > size_values_in_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_values_in_1, length_values_in_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.values_in, ndr_get_array_size(ndr, &r->in.values_in)); ++ NDR_PULL_ALLOC_N(ndr, r->in.values_in, size_values_in_1); + } + _mem_save_values_in_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.values_in, 0); +- for (cntr_values_in_1 = 0; cntr_values_in_1 < ndr_get_array_length(ndr, &r->in.values_in); cntr_values_in_1++) { ++ for (cntr_values_in_1 = 0; cntr_values_in_1 < length_values_in_1; cntr_values_in_1++) { + NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_SCALARS, &r->in.values_in[cntr_values_in_1])); + } +- for (cntr_values_in_1 = 0; cntr_values_in_1 < ndr_get_array_length(ndr, &r->in.values_in); cntr_values_in_1++) { ++ for (cntr_values_in_1 = 0; cntr_values_in_1 < length_values_in_1; cntr_values_in_1++) { + NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_BUFFERS, &r->in.values_in[cntr_values_in_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_values_in_1, 0); +@@ -4550,11 +4614,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.buffer)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.buffer)); +- if (ndr_get_array_length(ndr, &r->in.buffer) > ndr_get_array_size(ndr, &r->in.buffer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.buffer), ndr_get_array_length(ndr, &r->in.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->in.buffer); ++ length_buffer_1 = ndr_get_array_length(ndr, &r->in.buffer); ++ if (length_buffer_1 > size_buffer_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); + } +- NDR_PULL_ALLOC_N(ndr, r->in.buffer, ndr_get_array_size(ndr, &r->in.buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, ndr_get_array_length(ndr, &r->in.buffer))); ++ NDR_PULL_ALLOC_N(ndr, r->in.buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.buffer, length_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -4584,18 +4650,20 @@ + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.values_out)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.values_out)); +- if (ndr_get_array_length(ndr, &r->out.values_out) > ndr_get_array_size(ndr, &r->out.values_out)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.values_out), ndr_get_array_length(ndr, &r->out.values_out)); ++ size_values_out_1 = ndr_get_array_size(ndr, &r->out.values_out); ++ length_values_out_1 = ndr_get_array_length(ndr, &r->out.values_out); ++ if (length_values_out_1 > size_values_out_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_values_out_1, length_values_out_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.values_out, ndr_get_array_size(ndr, &r->out.values_out)); ++ NDR_PULL_ALLOC_N(ndr, r->out.values_out, size_values_out_1); + } + _mem_save_values_out_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.values_out, 0); +- for (cntr_values_out_1 = 0; cntr_values_out_1 < ndr_get_array_length(ndr, &r->out.values_out); cntr_values_out_1++) { ++ for (cntr_values_out_1 = 0; cntr_values_out_1 < length_values_out_1; cntr_values_out_1++) { + NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_SCALARS, &r->out.values_out[cntr_values_out_1])); + } +- for (cntr_values_out_1 = 0; cntr_values_out_1 < ndr_get_array_length(ndr, &r->out.values_out); cntr_values_out_1++) { ++ for (cntr_values_out_1 = 0; cntr_values_out_1 < length_values_out_1; cntr_values_out_1++) { + NDR_CHECK(ndr_pull_QueryMultipleValue(ndr, NDR_BUFFERS, &r->out.values_out[cntr_values_out_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_values_out_1, 0); +@@ -4610,11 +4678,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->out.buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.buffer)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.buffer)); +- if (ndr_get_array_length(ndr, &r->out.buffer) > ndr_get_array_size(ndr, &r->out.buffer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.buffer), ndr_get_array_length(ndr, &r->out.buffer)); ++ size_buffer_1 = ndr_get_array_size(ndr, &r->out.buffer); ++ length_buffer_1 = ndr_get_array_length(ndr, &r->out.buffer); ++ if (length_buffer_1 > size_buffer_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_buffer_1, length_buffer_1); + } +- NDR_PULL_ALLOC_N(ndr, r->out.buffer, ndr_get_array_size(ndr, &r->out.buffer)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, ndr_get_array_length(ndr, &r->out.buffer))); ++ NDR_PULL_ALLOC_N(ndr, r->out.buffer, size_buffer_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.buffer, length_buffer_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_buffer_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_wkssvc.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_wkssvc.c 2012-04-12 12:09:52.031287487 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_wkssvc.c 2012-04-12 12:19:21.011301010 -0500 +@@ -36,8 +36,12 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo100(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaInfo100 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + TALLOC_CTX *_mem_save_domain_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -64,11 +68,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (r->domain_name) { +@@ -76,11 +82,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); +- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + } +@@ -148,10 +156,16 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo101(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaInfo101 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + TALLOC_CTX *_mem_save_domain_name_0; + uint32_t _ptr_lan_root; ++ uint32_t size_lan_root_1 = 0; ++ uint32_t length_lan_root_1 = 0; + TALLOC_CTX *_mem_save_lan_root_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -184,11 +198,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (r->domain_name) { +@@ -196,11 +212,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); +- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + if (r->lan_root) { +@@ -208,11 +226,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->lan_root, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->lan_root)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->lan_root)); +- if (ndr_get_array_length(ndr, &r->lan_root) > ndr_get_array_size(ndr, &r->lan_root)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->lan_root), ndr_get_array_length(ndr, &r->lan_root)); ++ size_lan_root_1 = ndr_get_array_size(ndr, &r->lan_root); ++ length_lan_root_1 = ndr_get_array_length(ndr, &r->lan_root); ++ if (length_lan_root_1 > size_lan_root_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_lan_root_1, length_lan_root_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->lan_root), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lan_root, ndr_get_array_length(ndr, &r->lan_root), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_lan_root_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lan_root, length_lan_root_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_lan_root_0, 0); + } + } +@@ -287,10 +307,16 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaInfo102(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaInfo102 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + TALLOC_CTX *_mem_save_domain_name_0; + uint32_t _ptr_lan_root; ++ uint32_t size_lan_root_1 = 0; ++ uint32_t length_lan_root_1 = 0; + TALLOC_CTX *_mem_save_lan_root_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -324,11 +350,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name)); +- if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (r->domain_name) { +@@ -336,11 +364,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); +- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + if (r->lan_root) { +@@ -348,11 +378,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->lan_root, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->lan_root)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->lan_root)); +- if (ndr_get_array_length(ndr, &r->lan_root) > ndr_get_array_size(ndr, &r->lan_root)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->lan_root), ndr_get_array_length(ndr, &r->lan_root)); ++ size_lan_root_1 = ndr_get_array_size(ndr, &r->lan_root); ++ length_lan_root_1 = ndr_get_array_length(ndr, &r->lan_root); ++ if (length_lan_root_1 > size_lan_root_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_lan_root_1, length_lan_root_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->lan_root), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lan_root, ndr_get_array_length(ndr, &r->lan_root), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_lan_root_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->lan_root, length_lan_root_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_lan_root_0, 0); + } + } +@@ -1969,41 +2001,77 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info100_0; ++ uint32_t _ptr_info100; + TALLOC_CTX *_mem_save_info101_0; ++ uint32_t _ptr_info101; + TALLOC_CTX *_mem_save_info102_0; ++ uint32_t _ptr_info102; + TALLOC_CTX *_mem_save_info502_0; ++ uint32_t _ptr_info502; + TALLOC_CTX *_mem_save_info1010_0; ++ uint32_t _ptr_info1010; + TALLOC_CTX *_mem_save_info1011_0; ++ uint32_t _ptr_info1011; + TALLOC_CTX *_mem_save_info1012_0; ++ uint32_t _ptr_info1012; + TALLOC_CTX *_mem_save_info1013_0; ++ uint32_t _ptr_info1013; + TALLOC_CTX *_mem_save_info1018_0; ++ uint32_t _ptr_info1018; + TALLOC_CTX *_mem_save_info1023_0; ++ uint32_t _ptr_info1023; + TALLOC_CTX *_mem_save_info1027_0; ++ uint32_t _ptr_info1027; + TALLOC_CTX *_mem_save_info1028_0; ++ uint32_t _ptr_info1028; + TALLOC_CTX *_mem_save_info1032_0; ++ uint32_t _ptr_info1032; + TALLOC_CTX *_mem_save_info1033_0; ++ uint32_t _ptr_info1033; + TALLOC_CTX *_mem_save_info1041_0; ++ uint32_t _ptr_info1041; + TALLOC_CTX *_mem_save_info1042_0; ++ uint32_t _ptr_info1042; + TALLOC_CTX *_mem_save_info1043_0; ++ uint32_t _ptr_info1043; + TALLOC_CTX *_mem_save_info1044_0; ++ uint32_t _ptr_info1044; + TALLOC_CTX *_mem_save_info1045_0; ++ uint32_t _ptr_info1045; + TALLOC_CTX *_mem_save_info1046_0; ++ uint32_t _ptr_info1046; + TALLOC_CTX *_mem_save_info1047_0; ++ uint32_t _ptr_info1047; + TALLOC_CTX *_mem_save_info1048_0; ++ uint32_t _ptr_info1048; + TALLOC_CTX *_mem_save_info1049_0; ++ uint32_t _ptr_info1049; + TALLOC_CTX *_mem_save_info1050_0; ++ uint32_t _ptr_info1050; + TALLOC_CTX *_mem_save_info1051_0; ++ uint32_t _ptr_info1051; + TALLOC_CTX *_mem_save_info1052_0; ++ uint32_t _ptr_info1052; + TALLOC_CTX *_mem_save_info1053_0; ++ uint32_t _ptr_info1053; + TALLOC_CTX *_mem_save_info1054_0; ++ uint32_t _ptr_info1054; + TALLOC_CTX *_mem_save_info1055_0; ++ uint32_t _ptr_info1055; + TALLOC_CTX *_mem_save_info1056_0; ++ uint32_t _ptr_info1056; + TALLOC_CTX *_mem_save_info1057_0; ++ uint32_t _ptr_info1057; + TALLOC_CTX *_mem_save_info1058_0; ++ uint32_t _ptr_info1058; + TALLOC_CTX *_mem_save_info1059_0; ++ uint32_t _ptr_info1059; + TALLOC_CTX *_mem_save_info1060_0; ++ uint32_t _ptr_info1060; + TALLOC_CTX *_mem_save_info1061_0; ++ uint32_t _ptr_info1061; + TALLOC_CTX *_mem_save_info1062_0; ++ uint32_t _ptr_info1062; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -2014,7 +2082,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 100: { +- uint32_t _ptr_info100; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info100)); + if (_ptr_info100) { + NDR_PULL_ALLOC(ndr, r->info100); +@@ -2024,7 +2091,6 @@ + break; } + + case 101: { +- uint32_t _ptr_info101; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info101)); + if (_ptr_info101) { + NDR_PULL_ALLOC(ndr, r->info101); +@@ -2034,7 +2100,6 @@ + break; } + + case 102: { +- uint32_t _ptr_info102; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info102)); + if (_ptr_info102) { + NDR_PULL_ALLOC(ndr, r->info102); +@@ -2044,7 +2109,6 @@ + break; } + + case 502: { +- uint32_t _ptr_info502; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info502)); + if (_ptr_info502) { + NDR_PULL_ALLOC(ndr, r->info502); +@@ -2054,7 +2118,6 @@ + break; } + + case 1010: { +- uint32_t _ptr_info1010; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1010)); + if (_ptr_info1010) { + NDR_PULL_ALLOC(ndr, r->info1010); +@@ -2064,7 +2127,6 @@ + break; } + + case 1011: { +- uint32_t _ptr_info1011; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1011)); + if (_ptr_info1011) { + NDR_PULL_ALLOC(ndr, r->info1011); +@@ -2074,7 +2136,6 @@ + break; } + + case 1012: { +- uint32_t _ptr_info1012; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1012)); + if (_ptr_info1012) { + NDR_PULL_ALLOC(ndr, r->info1012); +@@ -2084,7 +2145,6 @@ + break; } + + case 1013: { +- uint32_t _ptr_info1013; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1013)); + if (_ptr_info1013) { + NDR_PULL_ALLOC(ndr, r->info1013); +@@ -2094,7 +2154,6 @@ + break; } + + case 1018: { +- uint32_t _ptr_info1018; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1018)); + if (_ptr_info1018) { + NDR_PULL_ALLOC(ndr, r->info1018); +@@ -2104,7 +2163,6 @@ + break; } + + case 1023: { +- uint32_t _ptr_info1023; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1023)); + if (_ptr_info1023) { + NDR_PULL_ALLOC(ndr, r->info1023); +@@ -2114,7 +2172,6 @@ + break; } + + case 1027: { +- uint32_t _ptr_info1027; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1027)); + if (_ptr_info1027) { + NDR_PULL_ALLOC(ndr, r->info1027); +@@ -2124,7 +2181,6 @@ + break; } + + case 1028: { +- uint32_t _ptr_info1028; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1028)); + if (_ptr_info1028) { + NDR_PULL_ALLOC(ndr, r->info1028); +@@ -2134,7 +2190,6 @@ + break; } + + case 1032: { +- uint32_t _ptr_info1032; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1032)); + if (_ptr_info1032) { + NDR_PULL_ALLOC(ndr, r->info1032); +@@ -2144,7 +2199,6 @@ + break; } + + case 1033: { +- uint32_t _ptr_info1033; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1033)); + if (_ptr_info1033) { + NDR_PULL_ALLOC(ndr, r->info1033); +@@ -2154,7 +2208,6 @@ + break; } + + case 1041: { +- uint32_t _ptr_info1041; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1041)); + if (_ptr_info1041) { + NDR_PULL_ALLOC(ndr, r->info1041); +@@ -2164,7 +2217,6 @@ + break; } + + case 1042: { +- uint32_t _ptr_info1042; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1042)); + if (_ptr_info1042) { + NDR_PULL_ALLOC(ndr, r->info1042); +@@ -2174,7 +2226,6 @@ + break; } + + case 1043: { +- uint32_t _ptr_info1043; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1043)); + if (_ptr_info1043) { + NDR_PULL_ALLOC(ndr, r->info1043); +@@ -2184,7 +2235,6 @@ + break; } + + case 1044: { +- uint32_t _ptr_info1044; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1044)); + if (_ptr_info1044) { + NDR_PULL_ALLOC(ndr, r->info1044); +@@ -2194,7 +2244,6 @@ + break; } + + case 1045: { +- uint32_t _ptr_info1045; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1045)); + if (_ptr_info1045) { + NDR_PULL_ALLOC(ndr, r->info1045); +@@ -2204,7 +2253,6 @@ + break; } + + case 1046: { +- uint32_t _ptr_info1046; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1046)); + if (_ptr_info1046) { + NDR_PULL_ALLOC(ndr, r->info1046); +@@ -2214,7 +2262,6 @@ + break; } + + case 1047: { +- uint32_t _ptr_info1047; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1047)); + if (_ptr_info1047) { + NDR_PULL_ALLOC(ndr, r->info1047); +@@ -2224,7 +2271,6 @@ + break; } + + case 1048: { +- uint32_t _ptr_info1048; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1048)); + if (_ptr_info1048) { + NDR_PULL_ALLOC(ndr, r->info1048); +@@ -2234,7 +2280,6 @@ + break; } + + case 1049: { +- uint32_t _ptr_info1049; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1049)); + if (_ptr_info1049) { + NDR_PULL_ALLOC(ndr, r->info1049); +@@ -2244,7 +2289,6 @@ + break; } + + case 1050: { +- uint32_t _ptr_info1050; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1050)); + if (_ptr_info1050) { + NDR_PULL_ALLOC(ndr, r->info1050); +@@ -2254,7 +2298,6 @@ + break; } + + case 1051: { +- uint32_t _ptr_info1051; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1051)); + if (_ptr_info1051) { + NDR_PULL_ALLOC(ndr, r->info1051); +@@ -2264,7 +2307,6 @@ + break; } + + case 1052: { +- uint32_t _ptr_info1052; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1052)); + if (_ptr_info1052) { + NDR_PULL_ALLOC(ndr, r->info1052); +@@ -2274,7 +2316,6 @@ + break; } + + case 1053: { +- uint32_t _ptr_info1053; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1053)); + if (_ptr_info1053) { + NDR_PULL_ALLOC(ndr, r->info1053); +@@ -2284,7 +2325,6 @@ + break; } + + case 1054: { +- uint32_t _ptr_info1054; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1054)); + if (_ptr_info1054) { + NDR_PULL_ALLOC(ndr, r->info1054); +@@ -2294,7 +2334,6 @@ + break; } + + case 1055: { +- uint32_t _ptr_info1055; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1055)); + if (_ptr_info1055) { + NDR_PULL_ALLOC(ndr, r->info1055); +@@ -2304,7 +2343,6 @@ + break; } + + case 1056: { +- uint32_t _ptr_info1056; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1056)); + if (_ptr_info1056) { + NDR_PULL_ALLOC(ndr, r->info1056); +@@ -2314,7 +2352,6 @@ + break; } + + case 1057: { +- uint32_t _ptr_info1057; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1057)); + if (_ptr_info1057) { + NDR_PULL_ALLOC(ndr, r->info1057); +@@ -2324,7 +2361,6 @@ + break; } + + case 1058: { +- uint32_t _ptr_info1058; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1058)); + if (_ptr_info1058) { + NDR_PULL_ALLOC(ndr, r->info1058); +@@ -2334,7 +2370,6 @@ + break; } + + case 1059: { +- uint32_t _ptr_info1059; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1059)); + if (_ptr_info1059) { + NDR_PULL_ALLOC(ndr, r->info1059); +@@ -2344,7 +2379,6 @@ + break; } + + case 1060: { +- uint32_t _ptr_info1060; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1060)); + if (_ptr_info1060) { + NDR_PULL_ALLOC(ndr, r->info1060); +@@ -2354,7 +2388,6 @@ + break; } + + case 1061: { +- uint32_t _ptr_info1061; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1061)); + if (_ptr_info1061) { + NDR_PULL_ALLOC(ndr, r->info1061); +@@ -2364,7 +2397,6 @@ + break; } + + case 1062: { +- uint32_t _ptr_info1062; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1062)); + if (_ptr_info1062) { + NDR_PULL_ALLOC(ndr, r->info1062); +@@ -3069,6 +3101,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrWkstaUserInfo0 *r) + { + uint32_t _ptr_user_name; ++ uint32_t size_user_name_1 = 0; ++ uint32_t length_user_name_1 = 0; + TALLOC_CTX *_mem_save_user_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3086,11 +3120,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); +- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); ++ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); ++ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); ++ if (length_user_name_1 > size_user_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); + } + } +@@ -3137,6 +3173,7 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsersCtr0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaEnumUsersCtr0 *r) + { + uint32_t _ptr_user0; ++ uint32_t size_user0_1 = 0; + uint32_t cntr_user0_1; + TALLOC_CTX *_mem_save_user0_0; + TALLOC_CTX *_mem_save_user0_1; +@@ -3156,13 +3193,14 @@ + _mem_save_user0_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->user0, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user0)); +- NDR_PULL_ALLOC_N(ndr, r->user0, ndr_get_array_size(ndr, &r->user0)); ++ size_user0_1 = ndr_get_array_size(ndr, &r->user0); ++ NDR_PULL_ALLOC_N(ndr, r->user0, size_user0_1); + _mem_save_user0_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->user0, 0); +- for (cntr_user0_1 = 0; cntr_user0_1 < r->entries_read; cntr_user0_1++) { ++ for (cntr_user0_1 = 0; cntr_user0_1 < size_user0_1; cntr_user0_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrWkstaUserInfo0(ndr, NDR_SCALARS, &r->user0[cntr_user0_1])); + } +- for (cntr_user0_1 = 0; cntr_user0_1 < r->entries_read; cntr_user0_1++) { ++ for (cntr_user0_1 = 0; cntr_user0_1 < size_user0_1; cntr_user0_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrWkstaUserInfo0(ndr, NDR_BUFFERS, &r->user0[cntr_user0_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user0_1, 0); +@@ -3238,12 +3276,20 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo1(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrWkstaUserInfo1 *r) + { + uint32_t _ptr_user_name; ++ uint32_t size_user_name_1 = 0; ++ uint32_t length_user_name_1 = 0; + TALLOC_CTX *_mem_save_user_name_0; + uint32_t _ptr_logon_domain; ++ uint32_t size_logon_domain_1 = 0; ++ uint32_t length_logon_domain_1 = 0; + TALLOC_CTX *_mem_save_logon_domain_0; + uint32_t _ptr_other_domains; ++ uint32_t size_other_domains_1 = 0; ++ uint32_t length_other_domains_1 = 0; + TALLOC_CTX *_mem_save_other_domains_0; + uint32_t _ptr_logon_server; ++ uint32_t size_logon_server_1 = 0; ++ uint32_t length_logon_server_1 = 0; + TALLOC_CTX *_mem_save_logon_server_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3279,11 +3325,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); +- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); ++ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); ++ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); ++ if (length_user_name_1 > size_user_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); + } + if (r->logon_domain) { +@@ -3291,11 +3339,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->logon_domain, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->logon_domain)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->logon_domain)); +- if (ndr_get_array_length(ndr, &r->logon_domain) > ndr_get_array_size(ndr, &r->logon_domain)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->logon_domain), ndr_get_array_length(ndr, &r->logon_domain)); ++ size_logon_domain_1 = ndr_get_array_size(ndr, &r->logon_domain); ++ length_logon_domain_1 = ndr_get_array_length(ndr, &r->logon_domain); ++ if (length_logon_domain_1 > size_logon_domain_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_domain_1, length_logon_domain_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->logon_domain), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->logon_domain, ndr_get_array_length(ndr, &r->logon_domain), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_domain_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->logon_domain, length_logon_domain_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_domain_0, 0); + } + if (r->other_domains) { +@@ -3303,11 +3353,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->other_domains, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->other_domains)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->other_domains)); +- if (ndr_get_array_length(ndr, &r->other_domains) > ndr_get_array_size(ndr, &r->other_domains)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->other_domains), ndr_get_array_length(ndr, &r->other_domains)); ++ size_other_domains_1 = ndr_get_array_size(ndr, &r->other_domains); ++ length_other_domains_1 = ndr_get_array_length(ndr, &r->other_domains); ++ if (length_other_domains_1 > size_other_domains_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_other_domains_1, length_other_domains_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->other_domains), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->other_domains, ndr_get_array_length(ndr, &r->other_domains), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_other_domains_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->other_domains, length_other_domains_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_other_domains_0, 0); + } + if (r->logon_server) { +@@ -3315,11 +3367,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->logon_server, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->logon_server)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->logon_server)); +- if (ndr_get_array_length(ndr, &r->logon_server) > ndr_get_array_size(ndr, &r->logon_server)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->logon_server), ndr_get_array_length(ndr, &r->logon_server)); ++ size_logon_server_1 = ndr_get_array_size(ndr, &r->logon_server); ++ length_logon_server_1 = ndr_get_array_length(ndr, &r->logon_server); ++ if (length_logon_server_1 > size_logon_server_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_logon_server_1, length_logon_server_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->logon_server), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->logon_server, ndr_get_array_length(ndr, &r->logon_server), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_logon_server_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->logon_server, length_logon_server_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_logon_server_0, 0); + } + } +@@ -3384,6 +3438,7 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsersCtr1(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaEnumUsersCtr1 *r) + { + uint32_t _ptr_user1; ++ uint32_t size_user1_1 = 0; + uint32_t cntr_user1_1; + TALLOC_CTX *_mem_save_user1_0; + TALLOC_CTX *_mem_save_user1_1; +@@ -3403,13 +3458,14 @@ + _mem_save_user1_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->user1, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user1)); +- NDR_PULL_ALLOC_N(ndr, r->user1, ndr_get_array_size(ndr, &r->user1)); ++ size_user1_1 = ndr_get_array_size(ndr, &r->user1); ++ NDR_PULL_ALLOC_N(ndr, r->user1, size_user1_1); + _mem_save_user1_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->user1, 0); +- for (cntr_user1_1 = 0; cntr_user1_1 < r->entries_read; cntr_user1_1++) { ++ for (cntr_user1_1 = 0; cntr_user1_1 < size_user1_1; cntr_user1_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrWkstaUserInfo1(ndr, NDR_SCALARS, &r->user1[cntr_user1_1])); + } +- for (cntr_user1_1 = 0; cntr_user1_1 < r->entries_read; cntr_user1_1++) { ++ for (cntr_user1_1 = 0; cntr_user1_1 < size_user1_1; cntr_user1_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrWkstaUserInfo1(ndr, NDR_BUFFERS, &r->user1[cntr_user1_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user1_1, 0); +@@ -3490,7 +3546,9 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_user0_0; ++ uint32_t _ptr_user0; + TALLOC_CTX *_mem_save_user1_0; ++ uint32_t _ptr_user1; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -3501,7 +3559,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_user0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user0)); + if (_ptr_user0) { + NDR_PULL_ALLOC(ndr, r->user0); +@@ -3511,7 +3568,6 @@ + break; } + + case 1: { +- uint32_t _ptr_user1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_user1)); + if (_ptr_user1) { + NDR_PULL_ALLOC(ndr, r->user1); +@@ -3642,6 +3698,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserInfo1101(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrWkstaUserInfo1101 *r) + { + uint32_t _ptr_other_domains; ++ uint32_t size_other_domains_1 = 0; ++ uint32_t length_other_domains_1 = 0; + TALLOC_CTX *_mem_save_other_domains_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3659,11 +3717,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->other_domains, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->other_domains)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->other_domains)); +- if (ndr_get_array_length(ndr, &r->other_domains) > ndr_get_array_size(ndr, &r->other_domains)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->other_domains), ndr_get_array_length(ndr, &r->other_domains)); ++ size_other_domains_1 = ndr_get_array_size(ndr, &r->other_domains); ++ length_other_domains_1 = ndr_get_array_length(ndr, &r->other_domains); ++ if (length_other_domains_1 > size_other_domains_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_other_domains_1, length_other_domains_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->other_domains), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->other_domains, ndr_get_array_length(ndr, &r->other_domains), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_other_domains_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->other_domains, length_other_domains_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_other_domains_0, 0); + } + } +@@ -3741,8 +3801,11 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info0_0; ++ uint32_t _ptr_info0; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info1101_0; ++ uint32_t _ptr_info1101; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -3753,7 +3816,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_info0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); + if (_ptr_info0) { + NDR_PULL_ALLOC(ndr, r->info0); +@@ -3763,7 +3825,6 @@ + break; } + + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -3773,7 +3834,6 @@ + break; } + + case 1101: { +- uint32_t _ptr_info1101; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1101)); + if (_ptr_info1101) { + NDR_PULL_ALLOC(ndr, r->info1101); +@@ -3891,8 +3951,12 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportInfo0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaTransportInfo0 *r) + { + uint32_t _ptr_name; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + TALLOC_CTX *_mem_save_name_0; + uint32_t _ptr_address; ++ uint32_t size_address_1 = 0; ++ uint32_t length_address_1 = 0; + TALLOC_CTX *_mem_save_address_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -3919,11 +3983,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->name)); +- if (ndr_get_array_length(ndr, &r->name) > ndr_get_array_size(ndr, &r->name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->name), ndr_get_array_length(ndr, &r->name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->name); ++ length_name_1 = ndr_get_array_length(ndr, &r->name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, ndr_get_array_length(ndr, &r->name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_0, 0); + } + if (r->address) { +@@ -3931,11 +3997,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->address, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->address)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->address)); +- if (ndr_get_array_length(ndr, &r->address) > ndr_get_array_size(ndr, &r->address)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->address), ndr_get_array_length(ndr, &r->address)); ++ size_address_1 = ndr_get_array_size(ndr, &r->address); ++ length_address_1 = ndr_get_array_length(ndr, &r->address); ++ if (length_address_1 > size_address_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_address_1, length_address_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->address), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->address, ndr_get_array_length(ndr, &r->address), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_address_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->address, length_address_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_address_0, 0); + } + } +@@ -3991,6 +4059,7 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportCtr0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetWkstaTransportCtr0 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -4010,13 +4079,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetWkstaTransportInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetWkstaTransportInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -4087,6 +4157,7 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr0_0; ++ uint32_t _ptr_ctr0; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -4097,7 +4168,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_ctr0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); + if (_ptr_ctr0) { + NDR_PULL_ALLOC(ndr, r->ctr0); +@@ -4217,8 +4287,12 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo3(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseInfo3 *r) + { + uint32_t _ptr_unknown1; ++ uint32_t size_unknown1_1 = 0; ++ uint32_t length_unknown1_1 = 0; + TALLOC_CTX *_mem_save_unknown1_0; + uint32_t _ptr_unknown2; ++ uint32_t size_unknown2_1 = 0; ++ uint32_t length_unknown2_1 = 0; + TALLOC_CTX *_mem_save_unknown2_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4242,11 +4316,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->unknown1, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown1)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown1)); +- if (ndr_get_array_length(ndr, &r->unknown1) > ndr_get_array_size(ndr, &r->unknown1)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown1), ndr_get_array_length(ndr, &r->unknown1)); ++ size_unknown1_1 = ndr_get_array_size(ndr, &r->unknown1); ++ length_unknown1_1 = ndr_get_array_length(ndr, &r->unknown1); ++ if (length_unknown1_1 > size_unknown1_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown1_1, length_unknown1_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown1), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown1, ndr_get_array_length(ndr, &r->unknown1), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown1_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown1, length_unknown1_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown1_0, 0); + } + if (r->unknown2) { +@@ -4254,11 +4330,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->unknown2, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->unknown2)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->unknown2)); +- if (ndr_get_array_length(ndr, &r->unknown2) > ndr_get_array_size(ndr, &r->unknown2)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->unknown2), ndr_get_array_length(ndr, &r->unknown2)); ++ size_unknown2_1 = ndr_get_array_size(ndr, &r->unknown2); ++ length_unknown2_1 = ndr_get_array_length(ndr, &r->unknown2); ++ if (length_unknown2_1 > size_unknown2_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, ndr_get_array_length(ndr, &r->unknown2), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); + } + } +@@ -4338,14 +4416,24 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo2(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseInfo2 *r) + { + uint32_t _ptr_local; ++ uint32_t size_local_1 = 0; ++ uint32_t length_local_1 = 0; + TALLOC_CTX *_mem_save_local_0; + uint32_t _ptr_remote; ++ uint32_t size_remote_1 = 0; ++ uint32_t length_remote_1 = 0; + TALLOC_CTX *_mem_save_remote_0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + TALLOC_CTX *_mem_save_password_0; + uint32_t _ptr_user_name; ++ uint32_t size_user_name_1 = 0; ++ uint32_t length_user_name_1 = 0; + TALLOC_CTX *_mem_save_user_name_0; + uint32_t _ptr_domain_name; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + TALLOC_CTX *_mem_save_domain_name_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4391,11 +4479,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->local, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->local)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->local)); +- if (ndr_get_array_length(ndr, &r->local) > ndr_get_array_size(ndr, &r->local)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->local), ndr_get_array_length(ndr, &r->local)); ++ size_local_1 = ndr_get_array_size(ndr, &r->local); ++ length_local_1 = ndr_get_array_length(ndr, &r->local); ++ if (length_local_1 > size_local_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_local_1, length_local_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_local_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, length_local_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_local_0, 0); + } + if (r->remote) { +@@ -4403,11 +4493,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->remote, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->remote)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->remote)); +- if (ndr_get_array_length(ndr, &r->remote) > ndr_get_array_size(ndr, &r->remote)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote), ndr_get_array_length(ndr, &r->remote)); ++ size_remote_1 = ndr_get_array_size(ndr, &r->remote); ++ length_remote_1 = ndr_get_array_length(ndr, &r->remote); ++ if (length_remote_1 > size_remote_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_1, length_remote_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, length_remote_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_0, 0); + } + if (r->password) { +@@ -4415,11 +4507,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); +- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->password); ++ length_password_1 = ndr_get_array_length(ndr, &r->password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + if (r->user_name) { +@@ -4427,11 +4521,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->user_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->user_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->user_name)); +- if (ndr_get_array_length(ndr, &r->user_name) > ndr_get_array_size(ndr, &r->user_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->user_name), ndr_get_array_length(ndr, &r->user_name)); ++ size_user_name_1 = ndr_get_array_size(ndr, &r->user_name); ++ length_user_name_1 = ndr_get_array_length(ndr, &r->user_name); ++ if (length_user_name_1 > size_user_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_user_name_1, length_user_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, ndr_get_array_length(ndr, &r->user_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_user_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->user_name, length_user_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user_name_0, 0); + } + if (r->domain_name) { +@@ -4439,11 +4535,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->domain_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->domain_name)); +- if (ndr_get_array_length(ndr, &r->domain_name) > ndr_get_array_size(ndr, &r->domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->domain_name), ndr_get_array_length(ndr, &r->domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, ndr_get_array_length(ndr, &r->domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_domain_name_0, 0); + } + } +@@ -4531,10 +4629,16 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo1(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseInfo1 *r) + { + uint32_t _ptr_local; ++ uint32_t size_local_1 = 0; ++ uint32_t length_local_1 = 0; + TALLOC_CTX *_mem_save_local_0; + uint32_t _ptr_remote; ++ uint32_t size_remote_1 = 0; ++ uint32_t length_remote_1 = 0; + TALLOC_CTX *_mem_save_remote_0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + TALLOC_CTX *_mem_save_password_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4568,11 +4672,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->local, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->local)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->local)); +- if (ndr_get_array_length(ndr, &r->local) > ndr_get_array_size(ndr, &r->local)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->local), ndr_get_array_length(ndr, &r->local)); ++ size_local_1 = ndr_get_array_size(ndr, &r->local); ++ length_local_1 = ndr_get_array_length(ndr, &r->local); ++ if (length_local_1 > size_local_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_local_1, length_local_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_local_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, length_local_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_local_0, 0); + } + if (r->remote) { +@@ -4580,11 +4686,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->remote, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->remote)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->remote)); +- if (ndr_get_array_length(ndr, &r->remote) > ndr_get_array_size(ndr, &r->remote)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote), ndr_get_array_length(ndr, &r->remote)); ++ size_remote_1 = ndr_get_array_size(ndr, &r->remote); ++ length_remote_1 = ndr_get_array_length(ndr, &r->remote); ++ if (length_remote_1 > size_remote_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_1, length_remote_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, length_remote_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_0, 0); + } + if (r->password) { +@@ -4592,11 +4700,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->password)); +- if (ndr_get_array_length(ndr, &r->password) > ndr_get_array_size(ndr, &r->password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->password), ndr_get_array_length(ndr, &r->password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->password); ++ length_password_1 = ndr_get_array_length(ndr, &r->password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, ndr_get_array_length(ndr, &r->password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + } +@@ -4661,8 +4771,12 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseInfo0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseInfo0 *r) + { + uint32_t _ptr_local; ++ uint32_t size_local_1 = 0; ++ uint32_t length_local_1 = 0; + TALLOC_CTX *_mem_save_local_0; + uint32_t _ptr_remote; ++ uint32_t size_remote_1 = 0; ++ uint32_t length_remote_1 = 0; + TALLOC_CTX *_mem_save_remote_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); +@@ -4686,11 +4800,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->local, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->local)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->local)); +- if (ndr_get_array_length(ndr, &r->local) > ndr_get_array_size(ndr, &r->local)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->local), ndr_get_array_length(ndr, &r->local)); ++ size_local_1 = ndr_get_array_size(ndr, &r->local); ++ length_local_1 = ndr_get_array_length(ndr, &r->local); ++ if (length_local_1 > size_local_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_local_1, length_local_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, ndr_get_array_length(ndr, &r->local), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_local_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->local, length_local_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_local_0, 0); + } + if (r->remote) { +@@ -4698,11 +4814,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->remote, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->remote)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->remote)); +- if (ndr_get_array_length(ndr, &r->remote) > ndr_get_array_size(ndr, &r->remote)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->remote), ndr_get_array_length(ndr, &r->remote)); ++ size_remote_1 = ndr_get_array_size(ndr, &r->remote); ++ length_remote_1 = ndr_get_array_length(ndr, &r->remote); ++ if (length_remote_1 > size_remote_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_remote_1, length_remote_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, ndr_get_array_length(ndr, &r->remote), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_remote_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->remote, length_remote_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_remote_0, 0); + } + } +@@ -4796,9 +4914,13 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_info0_0; ++ uint32_t _ptr_info0; + TALLOC_CTX *_mem_save_info1_0; ++ uint32_t _ptr_info1; + TALLOC_CTX *_mem_save_info2_0; ++ uint32_t _ptr_info2; + TALLOC_CTX *_mem_save_info3_0; ++ uint32_t _ptr_info3; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -4809,7 +4931,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_info0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info0)); + if (_ptr_info0) { + NDR_PULL_ALLOC(ndr, r->info0); +@@ -4819,7 +4940,6 @@ + break; } + + case 1: { +- uint32_t _ptr_info1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info1)); + if (_ptr_info1) { + NDR_PULL_ALLOC(ndr, r->info1); +@@ -4829,7 +4949,6 @@ + break; } + + case 2: { +- uint32_t _ptr_info2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info2)); + if (_ptr_info2) { + NDR_PULL_ALLOC(ndr, r->info2); +@@ -4839,7 +4958,6 @@ + break; } + + case 3: { +- uint32_t _ptr_info3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_info3)); + if (_ptr_info3) { + NDR_PULL_ALLOC(ndr, r->info3); +@@ -4970,6 +5088,7 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr2(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseEnumCtr2 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -4989,13 +5108,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo2(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo2(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -5055,6 +5175,7 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr1(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseEnumCtr1 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -5074,13 +5195,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo1(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo1(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -5140,6 +5262,7 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnumCtr0(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_NetrUseEnumCtr0 *r) + { + uint32_t _ptr_array; ++ uint32_t size_array_1 = 0; + uint32_t cntr_array_1; + TALLOC_CTX *_mem_save_array_0; + TALLOC_CTX *_mem_save_array_1; +@@ -5159,13 +5282,14 @@ + _mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->array)); +- NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array)); ++ size_array_1 = ndr_get_array_size(ndr, &r->array); ++ NDR_PULL_ALLOC_N(ndr, r->array, size_array_1); + _mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->array, 0); +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1])); + } +- for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) { ++ for (cntr_array_1 = 0; cntr_array_1 < size_array_1; cntr_array_1++) { + NDR_CHECK(ndr_pull_wkssvc_NetrUseInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0); +@@ -5256,8 +5380,11 @@ + uint32_t level; + uint32_t _level; + TALLOC_CTX *_mem_save_ctr0_0; ++ uint32_t _ptr_ctr0; + TALLOC_CTX *_mem_save_ctr1_0; ++ uint32_t _ptr_ctr1; + TALLOC_CTX *_mem_save_ctr2_0; ++ uint32_t _ptr_ctr2; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -5268,7 +5395,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 0: { +- uint32_t _ptr_ctr0; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0)); + if (_ptr_ctr0) { + NDR_PULL_ALLOC(ndr, r->ctr0); +@@ -5278,7 +5404,6 @@ + break; } + + case 1: { +- uint32_t _ptr_ctr1; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr1)); + if (_ptr_ctr1) { + NDR_PULL_ALLOC(ndr, r->ctr1); +@@ -5288,7 +5413,6 @@ + break; } + + case 2: { +- uint32_t _ptr_ctr2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr2)); + if (_ptr_ctr2) { + NDR_PULL_ALLOC(ndr, r->ctr2); +@@ -5663,12 +5787,14 @@ + + static enum ndr_err_code ndr_pull_wkssvc_PasswordBuffer(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_PasswordBuffer *r) + { ++ uint32_t size_data_0 = 0; + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 1)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, 524)); ++ size_data_0 = 524; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->data, size_data_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 1)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -5777,6 +5903,7 @@ + static enum ndr_err_code ndr_pull_wkssvc_ComputerNamesCtr(struct ndr_pull *ndr, int ndr_flags, struct wkssvc_ComputerNamesCtr *r) + { + uint32_t _ptr_computer_name; ++ uint32_t size_computer_name_1 = 0; + uint32_t cntr_computer_name_1; + TALLOC_CTX *_mem_save_computer_name_0; + TALLOC_CTX *_mem_save_computer_name_1; +@@ -5796,13 +5923,14 @@ + _mem_save_computer_name_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->computer_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->computer_name)); +- NDR_PULL_ALLOC_N(ndr, r->computer_name, ndr_get_array_size(ndr, &r->computer_name)); ++ size_computer_name_1 = ndr_get_array_size(ndr, &r->computer_name); ++ NDR_PULL_ALLOC_N(ndr, r->computer_name, size_computer_name_1); + _mem_save_computer_name_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->computer_name, 0); +- for (cntr_computer_name_1 = 0; cntr_computer_name_1 < r->count; cntr_computer_name_1++) { ++ for (cntr_computer_name_1 = 0; cntr_computer_name_1 < size_computer_name_1; cntr_computer_name_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_SCALARS, &r->computer_name[cntr_computer_name_1])); + } +- for (cntr_computer_name_1 = 0; cntr_computer_name_1 < r->count; cntr_computer_name_1++) { ++ for (cntr_computer_name_1 = 0; cntr_computer_name_1 < size_computer_name_1; cntr_computer_name_1++) { + NDR_CHECK(ndr_pull_lsa_String(ndr, NDR_BUFFERS, &r->computer_name[cntr_computer_name_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_computer_name_1, 0); +@@ -5862,6 +5990,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaGetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetWkstaGetInfo *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -5878,11 +6008,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -5971,6 +6103,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaSetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetWkstaSetInfo *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_info_0; + TALLOC_CTX *_mem_save_parm_error_0; +@@ -5988,11 +6122,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -6110,6 +6246,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaEnumUsers(struct ndr_pull *ndr, int flags, struct wkssvc_NetWkstaEnumUsers *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_info_0; +@@ -6129,11 +6267,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -6272,6 +6412,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserGetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWkstaUserGetInfo *r) + { + uint32_t _ptr_unknown; ++ uint32_t size_unknown_1 = 0; ++ uint32_t length_unknown_1 = 0; + TALLOC_CTX *_mem_save_unknown_0; + TALLOC_CTX *_mem_save_info_0; + if (flags & NDR_IN) { +@@ -6288,11 +6430,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown)); +- if (ndr_get_array_length(ndr, &r->in.unknown) > ndr_get_array_size(ndr, &r->in.unknown)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown), ndr_get_array_length(ndr, &r->in.unknown)); ++ size_unknown_1 = ndr_get_array_size(ndr, &r->in.unknown); ++ length_unknown_1 = ndr_get_array_length(ndr, &r->in.unknown); ++ if (length_unknown_1 > size_unknown_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown_1, length_unknown_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, length_unknown_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -6381,6 +6525,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaUserSetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWkstaUserSetInfo *r) + { + uint32_t _ptr_unknown; ++ uint32_t size_unknown_1 = 0; ++ uint32_t length_unknown_1 = 0; + uint32_t _ptr_parm_err; + TALLOC_CTX *_mem_save_unknown_0; + TALLOC_CTX *_mem_save_info_0; +@@ -6399,11 +6545,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown)); +- if (ndr_get_array_length(ndr, &r->in.unknown) > ndr_get_array_size(ndr, &r->in.unknown)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown), ndr_get_array_length(ndr, &r->in.unknown)); ++ size_unknown_1 = ndr_get_array_size(ndr, &r->in.unknown); ++ length_unknown_1 = ndr_get_array_length(ndr, &r->in.unknown); ++ if (length_unknown_1 > size_unknown_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown_1, length_unknown_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, length_unknown_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -6533,6 +6681,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetWkstaTransportEnum(struct ndr_pull *ndr, int flags, struct wkssvc_NetWkstaTransportEnum *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_info_0; +@@ -6552,11 +6702,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -6702,6 +6854,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaTransportAdd(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWkstaTransportAdd *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_parm_err; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_info0_0; +@@ -6720,11 +6874,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -6839,7 +6995,11 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrWkstaTransportDel(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWkstaTransportDel *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_transport_name; ++ uint32_t size_transport_name_1 = 0; ++ uint32_t length_transport_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_transport_name_0; + if (flags & NDR_IN) { +@@ -6854,11 +7014,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_transport_name)); +@@ -6872,11 +7034,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.transport_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.transport_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.transport_name)); +- if (ndr_get_array_length(ndr, &r->in.transport_name) > ndr_get_array_size(ndr, &r->in.transport_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.transport_name), ndr_get_array_length(ndr, &r->in.transport_name)); ++ size_transport_name_1 = ndr_get_array_size(ndr, &r->in.transport_name); ++ length_transport_name_1 = ndr_get_array_length(ndr, &r->in.transport_name); ++ if (length_transport_name_1 > size_transport_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_transport_name_1, length_transport_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.transport_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport_name, ndr_get_array_length(ndr, &r->in.transport_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_transport_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.transport_name, length_transport_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_transport_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown3)); +@@ -6956,6 +7120,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseAdd(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUseAdd *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_parm_err; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_ctr_0; +@@ -6974,11 +7140,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); +@@ -7100,6 +7268,10 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseGetInfo(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUseGetInfo *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_use_name_1 = 0; ++ uint32_t length_use_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_ctr_0; + if (flags & NDR_IN) { +@@ -7116,20 +7288,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.use_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.use_name)); +- if (ndr_get_array_length(ndr, &r->in.use_name) > ndr_get_array_size(ndr, &r->in.use_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.use_name), ndr_get_array_length(ndr, &r->in.use_name)); ++ size_use_name_1 = ndr_get_array_size(ndr, &r->in.use_name); ++ length_use_name_1 = ndr_get_array_length(ndr, &r->in.use_name); ++ if (length_use_name_1 > size_use_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_use_name_1, length_use_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.use_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.use_name, ndr_get_array_length(ndr, &r->in.use_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_use_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.use_name, length_use_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.level)); + NDR_PULL_ALLOC(ndr, r->out.ctr); + ZERO_STRUCTP(r->out.ctr); +@@ -7214,6 +7390,10 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseDel(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUseDel *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_use_name_1 = 0; ++ uint32_t length_use_name_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_name)); +@@ -7227,20 +7407,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.use_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.use_name)); +- if (ndr_get_array_length(ndr, &r->in.use_name) > ndr_get_array_size(ndr, &r->in.use_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.use_name), ndr_get_array_length(ndr, &r->in.use_name)); ++ size_use_name_1 = ndr_get_array_size(ndr, &r->in.use_name); ++ length_use_name_1 = ndr_get_array_length(ndr, &r->in.use_name); ++ if (length_use_name_1 > size_use_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_use_name_1, length_use_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.use_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.use_name, ndr_get_array_length(ndr, &r->in.use_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_use_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.use_name, length_use_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.force_cond)); + } + if (flags & NDR_OUT) { +@@ -7323,6 +7507,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUseEnum(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUseEnum *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_resume_handle; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_info_0; +@@ -7342,11 +7528,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -7499,7 +7687,14 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrMessageBufferSend(struct ndr_pull *ndr, int flags, struct wkssvc_NetrMessageBufferSend *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_message_name_1 = 0; ++ uint32_t length_message_name_1 = 0; + uint32_t _ptr_message_sender_name; ++ uint32_t size_message_sender_name_1 = 0; ++ uint32_t length_message_sender_name_1 = 0; ++ uint32_t size_message_buffer_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_message_sender_name_0; + if (flags & NDR_IN) { +@@ -7514,20 +7709,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.message_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.message_name)); +- if (ndr_get_array_length(ndr, &r->in.message_name) > ndr_get_array_size(ndr, &r->in.message_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.message_name), ndr_get_array_length(ndr, &r->in.message_name)); ++ size_message_name_1 = ndr_get_array_size(ndr, &r->in.message_name); ++ length_message_name_1 = ndr_get_array_length(ndr, &r->in.message_name); ++ if (length_message_name_1 > size_message_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_message_name_1, length_message_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.message_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.message_name, ndr_get_array_length(ndr, &r->in.message_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_message_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.message_name, length_message_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_message_sender_name)); + if (_ptr_message_sender_name) { + NDR_PULL_ALLOC(ndr, r->in.message_sender_name); +@@ -7539,18 +7738,21 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.message_sender_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.message_sender_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.message_sender_name)); +- if (ndr_get_array_length(ndr, &r->in.message_sender_name) > ndr_get_array_size(ndr, &r->in.message_sender_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.message_sender_name), ndr_get_array_length(ndr, &r->in.message_sender_name)); ++ size_message_sender_name_1 = ndr_get_array_size(ndr, &r->in.message_sender_name); ++ length_message_sender_name_1 = ndr_get_array_length(ndr, &r->in.message_sender_name); ++ if (length_message_sender_name_1 > size_message_sender_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_message_sender_name_1, length_message_sender_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.message_sender_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.message_sender_name, ndr_get_array_length(ndr, &r->in.message_sender_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_message_sender_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.message_sender_name, length_message_sender_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_message_sender_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.message_buffer)); ++ size_message_buffer_1 = ndr_get_array_size(ndr, &r->in.message_buffer); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.message_buffer, ndr_get_array_size(ndr, &r->in.message_buffer)); ++ NDR_PULL_ALLOC_N(ndr, r->in.message_buffer, size_message_buffer_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.message_buffer, ndr_get_array_size(ndr, &r->in.message_buffer))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.message_buffer, size_message_buffer_1)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.message_size)); + if (r->in.message_buffer) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->in.message_buffer, r->in.message_size)); +@@ -7641,7 +7843,11 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrWorkstationStatisticsGet(struct ndr_pull *ndr, int flags, struct wkssvc_NetrWorkstationStatisticsGet *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_unknown2; ++ uint32_t size_unknown2_1 = 0; ++ uint32_t length_unknown2_1 = 0; + uint32_t _ptr_info; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_unknown2_0; +@@ -7661,11 +7867,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown2)); +@@ -7679,11 +7887,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown2, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown2)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown2)); +- if (ndr_get_array_length(ndr, &r->in.unknown2) > ndr_get_array_size(ndr, &r->in.unknown2)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown2), ndr_get_array_length(ndr, &r->in.unknown2)); ++ size_unknown2_1 = ndr_get_array_size(ndr, &r->in.unknown2); ++ length_unknown2_1 = ndr_get_array_length(ndr, &r->in.unknown2); ++ if (length_unknown2_1 > size_unknown2_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown2_1, length_unknown2_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown2), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown2, ndr_get_array_length(ndr, &r->in.unknown2), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown2_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown2, length_unknown2_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown2_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.unknown3)); +@@ -7779,14 +7989,18 @@ + + static enum ndr_err_code ndr_pull_wkssvc_NetrLogonDomainNameAdd(struct ndr_pull *ndr, int flags, struct wkssvc_NetrLogonDomainNameAdd *r) + { ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -7839,14 +8053,18 @@ + + static enum ndr_err_code ndr_pull_wkssvc_NetrLogonDomainNameDel(struct ndr_pull *ndr, int flags, struct wkssvc_NetrLogonDomainNameDel *r) + { ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + if (flags & NDR_IN) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); +@@ -7929,9 +8147,19 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain(struct ndr_pull *ndr, int flags, struct wkssvc_NetrJoinDomain *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + uint32_t _ptr_account_ou; ++ uint32_t size_account_ou_1 = 0; ++ uint32_t length_account_ou_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_account_ou_0; + TALLOC_CTX *_mem_save_Account_0; +@@ -7948,20 +8176,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account_ou)); + if (_ptr_account_ou) { + NDR_PULL_ALLOC(ndr, r->in.account_ou); +@@ -7973,11 +8205,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.account_ou, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_ou)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_ou)); +- if (ndr_get_array_length(ndr, &r->in.account_ou) > ndr_get_array_size(ndr, &r->in.account_ou)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_ou), ndr_get_array_length(ndr, &r->in.account_ou)); ++ size_account_ou_1 = ndr_get_array_size(ndr, &r->in.account_ou); ++ length_account_ou_1 = ndr_get_array_length(ndr, &r->in.account_ou); ++ if (length_account_ou_1 > size_account_ou_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_ou_1, length_account_ou_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_ou), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_ou, ndr_get_array_length(ndr, &r->in.account_ou), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_ou_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_ou, length_account_ou_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_ou_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); +@@ -7991,11 +8225,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); +@@ -8009,11 +8245,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); +- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->in.password); ++ length_password_1 = ndr_get_array_length(ndr, &r->in.password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + NDR_CHECK(ndr_pull_wkssvc_joinflags(ndr, NDR_SCALARS, &r->in.join_flags)); +@@ -8110,8 +8348,14 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUnjoinDomain(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUnjoinDomain *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_Account_0; + TALLOC_CTX *_mem_save_password_0; +@@ -8127,11 +8371,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); +@@ -8145,11 +8391,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); +@@ -8163,11 +8411,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); +- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->in.password); ++ length_password_1 = ndr_get_array_length(ndr, &r->in.password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + NDR_CHECK(ndr_pull_wkssvc_joinflags(ndr, NDR_SCALARS, &r->in.unjoin_flags)); +@@ -8261,9 +8511,17 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain(struct ndr_pull *ndr, int flags, struct wkssvc_NetrRenameMachineInDomain *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_NewMachineName; ++ uint32_t size_NewMachineName_1 = 0; ++ uint32_t length_NewMachineName_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_password; ++ uint32_t size_password_1 = 0; ++ uint32_t length_password_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_NewMachineName_0; + TALLOC_CTX *_mem_save_Account_0; +@@ -8280,11 +8538,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_NewMachineName)); +@@ -8298,11 +8558,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.NewMachineName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.NewMachineName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.NewMachineName)); +- if (ndr_get_array_length(ndr, &r->in.NewMachineName) > ndr_get_array_size(ndr, &r->in.NewMachineName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.NewMachineName), ndr_get_array_length(ndr, &r->in.NewMachineName)); ++ size_NewMachineName_1 = ndr_get_array_size(ndr, &r->in.NewMachineName); ++ length_NewMachineName_1 = ndr_get_array_length(ndr, &r->in.NewMachineName); ++ if (length_NewMachineName_1 > size_NewMachineName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_NewMachineName_1, length_NewMachineName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.NewMachineName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewMachineName, ndr_get_array_length(ndr, &r->in.NewMachineName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_NewMachineName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewMachineName, length_NewMachineName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_NewMachineName_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); +@@ -8316,11 +8578,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_password)); +@@ -8334,11 +8598,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.password)); +- if (ndr_get_array_length(ndr, &r->in.password) > ndr_get_array_size(ndr, &r->in.password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.password), ndr_get_array_length(ndr, &r->in.password)); ++ size_password_1 = ndr_get_array_size(ndr, &r->in.password); ++ length_password_1 = ndr_get_array_length(ndr, &r->in.password); ++ if (length_password_1 > size_password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_password_1, length_password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, ndr_get_array_length(ndr, &r->in.password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.password, length_password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_password_0, 0); + } + NDR_CHECK(ndr_pull_wkssvc_renameflags(ndr, NDR_SCALARS, &r->in.RenameOptions)); +@@ -8438,8 +8704,16 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrValidateName(struct ndr_pull *ndr, int flags, struct wkssvc_NetrValidateName *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_Password; ++ uint32_t size_Password_1 = 0; ++ uint32_t length_Password_1 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_Account_0; + TALLOC_CTX *_mem_save_Password_0; +@@ -8455,20 +8729,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name)); +- if (ndr_get_array_length(ndr, &r->in.name) > ndr_get_array_size(ndr, &r->in.name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name), ndr_get_array_length(ndr, &r->in.name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->in.name); ++ length_name_1 = ndr_get_array_length(ndr, &r->in.name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); + if (_ptr_Account) { + NDR_PULL_ALLOC(ndr, r->in.Account); +@@ -8480,11 +8758,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Password)); +@@ -8498,11 +8778,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Password, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Password)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Password)); +- if (ndr_get_array_length(ndr, &r->in.Password) > ndr_get_array_size(ndr, &r->in.Password)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Password), ndr_get_array_length(ndr, &r->in.Password)); ++ size_Password_1 = ndr_get_array_size(ndr, &r->in.Password); ++ length_Password_1 = ndr_get_array_length(ndr, &r->in.Password); ++ if (length_Password_1 > size_Password_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Password_1, length_Password_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Password), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Password, ndr_get_array_length(ndr, &r->in.Password), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Password_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Password, length_Password_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Password_0, 0); + } + NDR_CHECK(ndr_pull_wkssvc_NetValidateNameType(ndr, NDR_SCALARS, &r->in.name_type)); +@@ -8602,7 +8884,11 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinInformation(struct ndr_pull *ndr, int flags, struct wkssvc_NetrGetJoinInformation *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_name_buffer; ++ uint32_t size_name_buffer_2 = 0; ++ uint32_t length_name_buffer_2 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_name_buffer_0; + TALLOC_CTX *_mem_save_name_buffer_1; +@@ -8621,11 +8907,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -8644,11 +8932,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->in.name_buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->in.name_buffer)); + NDR_CHECK(ndr_pull_array_length(ndr, r->in.name_buffer)); +- if (ndr_get_array_length(ndr, r->in.name_buffer) > ndr_get_array_size(ndr, r->in.name_buffer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->in.name_buffer), ndr_get_array_length(ndr, r->in.name_buffer)); ++ size_name_buffer_2 = ndr_get_array_size(ndr, r->in.name_buffer); ++ length_name_buffer_2 = ndr_get_array_length(ndr, r->in.name_buffer); ++ if (length_name_buffer_2 > size_name_buffer_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_buffer_2, length_name_buffer_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->in.name_buffer), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.name_buffer, ndr_get_array_length(ndr, r->in.name_buffer), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_buffer_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->in.name_buffer, length_name_buffer_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_buffer_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_buffer_0, LIBNDR_FLAG_REF_ALLOC); +@@ -8674,11 +8964,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, *r->out.name_buffer, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.name_buffer)); + NDR_CHECK(ndr_pull_array_length(ndr, r->out.name_buffer)); +- if (ndr_get_array_length(ndr, r->out.name_buffer) > ndr_get_array_size(ndr, r->out.name_buffer)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.name_buffer), ndr_get_array_length(ndr, r->out.name_buffer)); ++ size_name_buffer_2 = ndr_get_array_size(ndr, r->out.name_buffer); ++ length_name_buffer_2 = ndr_get_array_length(ndr, r->out.name_buffer); ++ if (length_name_buffer_2 > size_name_buffer_2) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_buffer_2, length_name_buffer_2); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.name_buffer), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.name_buffer, ndr_get_array_length(ndr, r->out.name_buffer), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_buffer_2, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.name_buffer, length_name_buffer_2, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_buffer_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_name_buffer_0, LIBNDR_FLAG_REF_ALLOC); +@@ -8812,10 +9104,21 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus(struct ndr_pull *ndr, int flags, struct wkssvc_NetrGetJoinableOus *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_unknown; ++ uint32_t size_unknown_1 = 0; ++ uint32_t length_unknown_1 = 0; + uint32_t _ptr_ous; ++ uint32_t size_ous_2 = 0; + uint32_t cntr_ous_2; ++ uint32_t size_ous_4 = 0; ++ uint32_t length_ous_4 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_Account_0; + TALLOC_CTX *_mem_save_unknown_0; +@@ -8838,20 +9141,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); + if (_ptr_Account) { + NDR_PULL_ALLOC(ndr, r->in.Account); +@@ -8863,11 +9170,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_unknown)); +@@ -8881,11 +9190,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.unknown, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.unknown)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.unknown)); +- if (ndr_get_array_length(ndr, &r->in.unknown) > ndr_get_array_size(ndr, &r->in.unknown)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.unknown), ndr_get_array_length(ndr, &r->in.unknown)); ++ size_unknown_1 = ndr_get_array_size(ndr, &r->in.unknown); ++ length_unknown_1 = ndr_get_array_length(ndr, &r->in.unknown); ++ if (length_unknown_1 > size_unknown_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_unknown_1, length_unknown_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, ndr_get_array_length(ndr, &r->in.unknown), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_unknown_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.unknown, length_unknown_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_unknown_0, 0); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +@@ -8923,10 +9234,11 @@ + _mem_save_ous_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.ous, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.ous)); +- NDR_PULL_ALLOC_N(ndr, *r->out.ous, ndr_get_array_size(ndr, r->out.ous)); ++ size_ous_2 = ndr_get_array_size(ndr, r->out.ous); ++ NDR_PULL_ALLOC_N(ndr, *r->out.ous, size_ous_2); + _mem_save_ous_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.ous, 0); +- for (cntr_ous_2 = 0; cntr_ous_2 < *r->out.num_ous; cntr_ous_2++) { ++ for (cntr_ous_2 = 0; cntr_ous_2 < size_ous_2; cntr_ous_2++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ous)); + if (_ptr_ous) { + NDR_PULL_ALLOC(ndr, (*r->out.ous)[cntr_ous_2]); +@@ -8934,17 +9246,19 @@ + (*r->out.ous)[cntr_ous_2] = NULL; + } + } +- for (cntr_ous_2 = 0; cntr_ous_2 < *r->out.num_ous; cntr_ous_2++) { ++ for (cntr_ous_2 = 0; cntr_ous_2 < size_ous_2; cntr_ous_2++) { + if ((*r->out.ous)[cntr_ous_2]) { + _mem_save_ous_3 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, (*r->out.ous)[cntr_ous_2], 0); + NDR_CHECK(ndr_pull_array_size(ndr, &(*r->out.ous)[cntr_ous_2])); + NDR_CHECK(ndr_pull_array_length(ndr, &(*r->out.ous)[cntr_ous_2])); +- if (ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]) > ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2])) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2]), ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2])); ++ size_ous_4 = ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2]); ++ length_ous_4 = ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]); ++ if (length_ous_4 > size_ous_4) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ous_4, length_ous_4); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.ous)[cntr_ous_2], ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_ous_4, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.ous)[cntr_ous_2], length_ous_4, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ous_3, 0); + } + } +@@ -9078,8 +9392,16 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrJoinDomain2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrJoinDomain2 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + uint32_t _ptr_account_ou; ++ uint32_t size_account_ou_1 = 0; ++ uint32_t length_account_ou_1 = 0; + uint32_t _ptr_admin_account; ++ uint32_t size_admin_account_1 = 0; ++ uint32_t length_admin_account_1 = 0; + uint32_t _ptr_encrypted_password; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_account_ou_0; +@@ -9097,20 +9419,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account_ou)); + if (_ptr_account_ou) { + NDR_PULL_ALLOC(ndr, r->in.account_ou); +@@ -9122,11 +9448,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.account_ou, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account_ou)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account_ou)); +- if (ndr_get_array_length(ndr, &r->in.account_ou) > ndr_get_array_size(ndr, &r->in.account_ou)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account_ou), ndr_get_array_length(ndr, &r->in.account_ou)); ++ size_account_ou_1 = ndr_get_array_size(ndr, &r->in.account_ou); ++ length_account_ou_1 = ndr_get_array_length(ndr, &r->in.account_ou); ++ if (length_account_ou_1 > size_account_ou_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_ou_1, length_account_ou_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account_ou), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_ou, ndr_get_array_length(ndr, &r->in.account_ou), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_ou_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account_ou, length_account_ou_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_ou_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_admin_account)); +@@ -9140,11 +9468,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.admin_account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.admin_account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.admin_account)); +- if (ndr_get_array_length(ndr, &r->in.admin_account) > ndr_get_array_size(ndr, &r->in.admin_account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.admin_account), ndr_get_array_length(ndr, &r->in.admin_account)); ++ size_admin_account_1 = ndr_get_array_size(ndr, &r->in.admin_account); ++ length_admin_account_1 = ndr_get_array_length(ndr, &r->in.admin_account); ++ if (length_admin_account_1 > size_admin_account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_admin_account_1, length_admin_account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.admin_account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.admin_account, ndr_get_array_length(ndr, &r->in.admin_account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_admin_account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.admin_account, length_admin_account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_admin_account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_encrypted_password)); +@@ -9250,7 +9580,11 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrUnjoinDomain2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrUnjoinDomain2 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_account; ++ uint32_t size_account_1 = 0; ++ uint32_t length_account_1 = 0; + uint32_t _ptr_encrypted_password; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_account_0; +@@ -9267,11 +9601,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_account)); +@@ -9285,11 +9621,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.account)); +- if (ndr_get_array_length(ndr, &r->in.account) > ndr_get_array_size(ndr, &r->in.account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.account), ndr_get_array_length(ndr, &r->in.account)); ++ size_account_1 = ndr_get_array_size(ndr, &r->in.account); ++ length_account_1 = ndr_get_array_length(ndr, &r->in.account); ++ if (length_account_1 > size_account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_account_1, length_account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account, ndr_get_array_length(ndr, &r->in.account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.account, length_account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_encrypted_password)); +@@ -9392,8 +9730,14 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrRenameMachineInDomain2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrRenameMachineInDomain2 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_NewMachineName; ++ uint32_t size_NewMachineName_1 = 0; ++ uint32_t length_NewMachineName_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_EncryptedPassword; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_NewMachineName_0; +@@ -9411,11 +9755,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_NewMachineName)); +@@ -9429,11 +9775,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.NewMachineName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.NewMachineName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.NewMachineName)); +- if (ndr_get_array_length(ndr, &r->in.NewMachineName) > ndr_get_array_size(ndr, &r->in.NewMachineName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.NewMachineName), ndr_get_array_length(ndr, &r->in.NewMachineName)); ++ size_NewMachineName_1 = ndr_get_array_size(ndr, &r->in.NewMachineName); ++ length_NewMachineName_1 = ndr_get_array_length(ndr, &r->in.NewMachineName); ++ if (length_NewMachineName_1 > size_NewMachineName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_NewMachineName_1, length_NewMachineName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.NewMachineName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewMachineName, ndr_get_array_length(ndr, &r->in.NewMachineName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_NewMachineName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewMachineName, length_NewMachineName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_NewMachineName_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); +@@ -9447,11 +9795,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); +@@ -9560,7 +9910,13 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrValidateName2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrValidateName2 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_name_1 = 0; ++ uint32_t length_name_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_EncryptedPassword; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_Account_0; +@@ -9577,20 +9933,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.name)); +- if (ndr_get_array_length(ndr, &r->in.name) > ndr_get_array_size(ndr, &r->in.name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.name), ndr_get_array_length(ndr, &r->in.name)); ++ size_name_1 = ndr_get_array_size(ndr, &r->in.name); ++ length_name_1 = ndr_get_array_length(ndr, &r->in.name); ++ if (length_name_1 > size_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_name_1, length_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, ndr_get_array_length(ndr, &r->in.name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.name, length_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); + if (_ptr_Account) { + NDR_PULL_ALLOC(ndr, r->in.Account); +@@ -9602,11 +9962,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); +@@ -9739,10 +10101,19 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrGetJoinableOus2(struct ndr_pull *ndr, int flags, struct wkssvc_NetrGetJoinableOus2 *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; ++ uint32_t size_domain_name_1 = 0; ++ uint32_t length_domain_name_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_EncryptedPassword; + uint32_t _ptr_ous; ++ uint32_t size_ous_2 = 0; + uint32_t cntr_ous_2; ++ uint32_t size_ous_4 = 0; ++ uint32_t length_ous_4 = 0; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_Account_0; + TALLOC_CTX *_mem_save_EncryptedPassword_0; +@@ -9765,20 +10136,24 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.domain_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.domain_name)); +- if (ndr_get_array_length(ndr, &r->in.domain_name) > ndr_get_array_size(ndr, &r->in.domain_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.domain_name), ndr_get_array_length(ndr, &r->in.domain_name)); ++ size_domain_name_1 = ndr_get_array_size(ndr, &r->in.domain_name); ++ length_domain_name_1 = ndr_get_array_length(ndr, &r->in.domain_name); ++ if (length_domain_name_1 > size_domain_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_domain_name_1, length_domain_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, ndr_get_array_length(ndr, &r->in.domain_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_domain_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.domain_name, length_domain_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); + if (_ptr_Account) { + NDR_PULL_ALLOC(ndr, r->in.Account); +@@ -9790,11 +10165,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); +@@ -9844,10 +10221,11 @@ + _mem_save_ous_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.ous, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.ous)); +- NDR_PULL_ALLOC_N(ndr, *r->out.ous, ndr_get_array_size(ndr, r->out.ous)); ++ size_ous_2 = ndr_get_array_size(ndr, r->out.ous); ++ NDR_PULL_ALLOC_N(ndr, *r->out.ous, size_ous_2); + _mem_save_ous_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.ous, 0); +- for (cntr_ous_2 = 0; cntr_ous_2 < *r->out.num_ous; cntr_ous_2++) { ++ for (cntr_ous_2 = 0; cntr_ous_2 < size_ous_2; cntr_ous_2++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ous)); + if (_ptr_ous) { + NDR_PULL_ALLOC(ndr, (*r->out.ous)[cntr_ous_2]); +@@ -9855,17 +10233,19 @@ + (*r->out.ous)[cntr_ous_2] = NULL; + } + } +- for (cntr_ous_2 = 0; cntr_ous_2 < *r->out.num_ous; cntr_ous_2++) { ++ for (cntr_ous_2 = 0; cntr_ous_2 < size_ous_2; cntr_ous_2++) { + if ((*r->out.ous)[cntr_ous_2]) { + _mem_save_ous_3 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, (*r->out.ous)[cntr_ous_2], 0); + NDR_CHECK(ndr_pull_array_size(ndr, &(*r->out.ous)[cntr_ous_2])); + NDR_CHECK(ndr_pull_array_length(ndr, &(*r->out.ous)[cntr_ous_2])); +- if (ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]) > ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2])) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2]), ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2])); ++ size_ous_4 = ndr_get_array_size(ndr, &(*r->out.ous)[cntr_ous_2]); ++ length_ous_4 = ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]); ++ if (length_ous_4 > size_ous_4) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_ous_4, length_ous_4); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.ous)[cntr_ous_2], ndr_get_array_length(ndr, &(*r->out.ous)[cntr_ous_2]), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_ous_4, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &(*r->out.ous)[cntr_ous_2], length_ous_4, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ous_3, 0); + } + } +@@ -9992,8 +10372,14 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrAddAlternateComputerName(struct ndr_pull *ndr, int flags, struct wkssvc_NetrAddAlternateComputerName *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_NewAlternateMachineName; ++ uint32_t size_NewAlternateMachineName_1 = 0; ++ uint32_t length_NewAlternateMachineName_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_EncryptedPassword; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_NewAlternateMachineName_0; +@@ -10011,11 +10397,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_NewAlternateMachineName)); +@@ -10029,11 +10417,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.NewAlternateMachineName, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.NewAlternateMachineName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.NewAlternateMachineName)); +- if (ndr_get_array_length(ndr, &r->in.NewAlternateMachineName) > ndr_get_array_size(ndr, &r->in.NewAlternateMachineName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.NewAlternateMachineName), ndr_get_array_length(ndr, &r->in.NewAlternateMachineName)); ++ size_NewAlternateMachineName_1 = ndr_get_array_size(ndr, &r->in.NewAlternateMachineName); ++ length_NewAlternateMachineName_1 = ndr_get_array_length(ndr, &r->in.NewAlternateMachineName); ++ if (length_NewAlternateMachineName_1 > size_NewAlternateMachineName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_NewAlternateMachineName_1, length_NewAlternateMachineName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.NewAlternateMachineName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewAlternateMachineName, ndr_get_array_length(ndr, &r->in.NewAlternateMachineName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_NewAlternateMachineName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.NewAlternateMachineName, length_NewAlternateMachineName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_NewAlternateMachineName_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); +@@ -10047,11 +10437,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); +@@ -10160,8 +10552,14 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrRemoveAlternateComputerName(struct ndr_pull *ndr, int flags, struct wkssvc_NetrRemoveAlternateComputerName *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_AlternateMachineNameToRemove; ++ uint32_t size_AlternateMachineNameToRemove_1 = 0; ++ uint32_t length_AlternateMachineNameToRemove_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_EncryptedPassword; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_AlternateMachineNameToRemove_0; +@@ -10179,11 +10577,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_AlternateMachineNameToRemove)); +@@ -10197,11 +10597,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.AlternateMachineNameToRemove, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.AlternateMachineNameToRemove)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.AlternateMachineNameToRemove)); +- if (ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove) > ndr_get_array_size(ndr, &r->in.AlternateMachineNameToRemove)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.AlternateMachineNameToRemove), ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove)); ++ size_AlternateMachineNameToRemove_1 = ndr_get_array_size(ndr, &r->in.AlternateMachineNameToRemove); ++ length_AlternateMachineNameToRemove_1 = ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove); ++ if (length_AlternateMachineNameToRemove_1 > size_AlternateMachineNameToRemove_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_AlternateMachineNameToRemove_1, length_AlternateMachineNameToRemove_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.AlternateMachineNameToRemove, ndr_get_array_length(ndr, &r->in.AlternateMachineNameToRemove), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_AlternateMachineNameToRemove_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.AlternateMachineNameToRemove, length_AlternateMachineNameToRemove_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_AlternateMachineNameToRemove_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); +@@ -10215,11 +10617,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); +@@ -10328,8 +10732,14 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrSetPrimaryComputername(struct ndr_pull *ndr, int flags, struct wkssvc_NetrSetPrimaryComputername *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_primary_name; ++ uint32_t size_primary_name_1 = 0; ++ uint32_t length_primary_name_1 = 0; + uint32_t _ptr_Account; ++ uint32_t size_Account_1 = 0; ++ uint32_t length_Account_1 = 0; + uint32_t _ptr_EncryptedPassword; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_primary_name_0; +@@ -10347,11 +10757,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_primary_name)); +@@ -10365,11 +10777,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.primary_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.primary_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.primary_name)); +- if (ndr_get_array_length(ndr, &r->in.primary_name) > ndr_get_array_size(ndr, &r->in.primary_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.primary_name), ndr_get_array_length(ndr, &r->in.primary_name)); ++ size_primary_name_1 = ndr_get_array_size(ndr, &r->in.primary_name); ++ length_primary_name_1 = ndr_get_array_length(ndr, &r->in.primary_name); ++ if (length_primary_name_1 > size_primary_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_primary_name_1, length_primary_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.primary_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.primary_name, ndr_get_array_length(ndr, &r->in.primary_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_primary_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.primary_name, length_primary_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_primary_name_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_Account)); +@@ -10383,11 +10797,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.Account, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.Account)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.Account)); +- if (ndr_get_array_length(ndr, &r->in.Account) > ndr_get_array_size(ndr, &r->in.Account)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.Account), ndr_get_array_length(ndr, &r->in.Account)); ++ size_Account_1 = ndr_get_array_size(ndr, &r->in.Account); ++ length_Account_1 = ndr_get_array_length(ndr, &r->in.Account); ++ if (length_Account_1 > size_Account_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Account_1, length_Account_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, ndr_get_array_length(ndr, &r->in.Account), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_Account_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.Account, length_Account_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_Account_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_EncryptedPassword)); +@@ -10486,6 +10902,8 @@ + static enum ndr_err_code ndr_pull_wkssvc_NetrEnumerateComputerNames(struct ndr_pull *ndr, int flags, struct wkssvc_NetrEnumerateComputerNames *r) + { + uint32_t _ptr_server_name; ++ uint32_t size_server_name_1 = 0; ++ uint32_t length_server_name_1 = 0; + uint32_t _ptr_ctr; + TALLOC_CTX *_mem_save_server_name_0; + TALLOC_CTX *_mem_save_ctr_0; +@@ -10504,11 +10922,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.server_name, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.server_name)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.server_name)); +- if (ndr_get_array_length(ndr, &r->in.server_name) > ndr_get_array_size(ndr, &r->in.server_name)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.server_name), ndr_get_array_length(ndr, &r->in.server_name)); ++ size_server_name_1 = ndr_get_array_size(ndr, &r->in.server_name); ++ length_server_name_1 = ndr_get_array_length(ndr, &r->in.server_name); ++ if (length_server_name_1 > size_server_name_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_server_name_1, length_server_name_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, ndr_get_array_length(ndr, &r->in.server_name), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_server_name_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.server_name, length_server_name_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0); + } + NDR_CHECK(ndr_pull_wkssvc_ComputerNameType(ndr, NDR_SCALARS, &r->in.name_type)); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_wmi.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_wmi.c 2012-04-12 12:09:52.023287487 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_wmi.c 2012-04-12 12:19:21.023301010 -0500 +@@ -25,16 +25,20 @@ + + static enum ndr_err_code ndr_pull_BSTR(struct ndr_pull *ndr, int ndr_flags, struct BSTR *r) + { ++ uint32_t size_data_0 = 0; ++ uint32_t length_data_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_array_size(ndr, &r->data)); + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->flags)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->data)); +- if (ndr_get_array_length(ndr, &r->data) > ndr_get_array_size(ndr, &r->data)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->data), ndr_get_array_length(ndr, &r->data)); ++ size_data_0 = ndr_get_array_size(ndr, &r->data); ++ length_data_0 = ndr_get_array_length(ndr, &r->data); ++ if (length_data_0 > size_data_0) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_data_0, length_data_0); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->data), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data, ndr_get_array_length(ndr, &r->data), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_data_0, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->data, length_data_0, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -66,6 +70,8 @@ + + static enum ndr_err_code ndr_pull_Delete(struct ndr_pull *ndr, int flags, struct Delete *r) + { ++ uint32_t size_wszName_1 = 0; ++ uint32_t length_wszName_1 = 0; + TALLOC_CTX *_mem_save_ORPCthat_0; + if (flags & NDR_IN) { + ZERO_STRUCT(r->out); +@@ -73,11 +79,13 @@ + NDR_CHECK(ndr_pull_ORPCTHIS(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.ORPCthis)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.wszName)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.wszName)); +- if (ndr_get_array_length(ndr, &r->in.wszName) > ndr_get_array_size(ndr, &r->in.wszName)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.wszName), ndr_get_array_length(ndr, &r->in.wszName)); ++ size_wszName_1 = ndr_get_array_size(ndr, &r->in.wszName); ++ length_wszName_1 = ndr_get_array_length(ndr, &r->in.wszName); ++ if (length_wszName_1 > size_wszName_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_wszName_1, length_wszName_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.wszName), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszName, ndr_get_array_length(ndr, &r->in.wszName), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_wszName_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszName, length_wszName_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_ALLOC(ndr, r->out.ORPCthat); + ZERO_STRUCTP(r->out.ORPCthat); + } +@@ -4038,6 +4046,8 @@ + static enum ndr_err_code ndr_pull_IEnumWbemClassObject_Next(struct ndr_pull *ndr, int flags, struct IEnumWbemClassObject_Next *r) + { + uint32_t _ptr_apObjects; ++ uint32_t size_apObjects_1 = 0; ++ uint32_t length_apObjects_1 = 0; + uint32_t cntr_apObjects_1; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_apObjects_1; +@@ -4066,15 +4076,17 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ORPCthat_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.apObjects)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.apObjects)); +- if (ndr_get_array_length(ndr, &r->out.apObjects) > ndr_get_array_size(ndr, &r->out.apObjects)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.apObjects), ndr_get_array_length(ndr, &r->out.apObjects)); ++ size_apObjects_1 = ndr_get_array_size(ndr, &r->out.apObjects); ++ length_apObjects_1 = ndr_get_array_length(ndr, &r->out.apObjects); ++ if (length_apObjects_1 > size_apObjects_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_apObjects_1, length_apObjects_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.apObjects, ndr_get_array_size(ndr, &r->out.apObjects)); ++ NDR_PULL_ALLOC_N(ndr, r->out.apObjects, size_apObjects_1); + } + _mem_save_apObjects_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.apObjects, 0); +- for (cntr_apObjects_1 = 0; cntr_apObjects_1 < ndr_get_array_length(ndr, &r->out.apObjects); cntr_apObjects_1++) { ++ for (cntr_apObjects_1 = 0; cntr_apObjects_1 < length_apObjects_1; cntr_apObjects_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_apObjects)); + if (_ptr_apObjects) { + NDR_PULL_ALLOC(ndr, r->out.apObjects[cntr_apObjects_1]); +@@ -4082,7 +4094,7 @@ + r->out.apObjects[cntr_apObjects_1] = NULL; + } + } +- for (cntr_apObjects_1 = 0; cntr_apObjects_1 < ndr_get_array_length(ndr, &r->out.apObjects); cntr_apObjects_1++) { ++ for (cntr_apObjects_1 = 0; cntr_apObjects_1 < length_apObjects_1; cntr_apObjects_1++) { + if (r->out.apObjects[cntr_apObjects_1]) { + _mem_save_apObjects_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->out.apObjects[cntr_apObjects_1], 0); +@@ -5273,6 +5285,8 @@ + static enum ndr_err_code ndr_pull_EstablishPosition(struct ndr_pull *ndr, int flags, struct EstablishPosition *r) + { + uint32_t _ptr_wszLocaleList; ++ uint32_t size_wszLocaleList_1 = 0; ++ uint32_t length_wszLocaleList_1 = 0; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_wszLocaleList_0; + TALLOC_CTX *_mem_save_reserved_0; +@@ -5291,11 +5305,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.wszLocaleList, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.wszLocaleList)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.wszLocaleList)); +- if (ndr_get_array_length(ndr, &r->in.wszLocaleList) > ndr_get_array_size(ndr, &r->in.wszLocaleList)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.wszLocaleList), ndr_get_array_length(ndr, &r->in.wszLocaleList)); ++ size_wszLocaleList_1 = ndr_get_array_size(ndr, &r->in.wszLocaleList); ++ length_wszLocaleList_1 = ndr_get_array_length(ndr, &r->in.wszLocaleList); ++ if (length_wszLocaleList_1 > size_wszLocaleList_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_wszLocaleList_1, length_wszLocaleList_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.wszLocaleList), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszLocaleList, ndr_get_array_length(ndr, &r->in.wszLocaleList), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_wszLocaleList_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszLocaleList, length_wszLocaleList_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_wszLocaleList_0, 0); + } + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.dwNumLocales)); +@@ -5401,7 +5417,13 @@ + static enum ndr_err_code ndr_pull_RequestChallenge(struct ndr_pull *ndr, int flags, struct RequestChallenge *r) + { + uint32_t _ptr_wszNetworkResource; ++ uint32_t size_wszNetworkResource_1 = 0; ++ uint32_t length_wszNetworkResource_1 = 0; + uint32_t _ptr_wszUser; ++ uint32_t size_wszUser_1 = 0; ++ uint32_t length_wszUser_1 = 0; ++ uint32_t size_Nonce_1 = 0; ++ uint32_t length_Nonce_1 = 0; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_wszNetworkResource_0; + TALLOC_CTX *_mem_save_wszUser_0; +@@ -5420,11 +5442,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.wszNetworkResource, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.wszNetworkResource)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.wszNetworkResource)); +- if (ndr_get_array_length(ndr, &r->in.wszNetworkResource) > ndr_get_array_size(ndr, &r->in.wszNetworkResource)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.wszNetworkResource), ndr_get_array_length(ndr, &r->in.wszNetworkResource)); ++ size_wszNetworkResource_1 = ndr_get_array_size(ndr, &r->in.wszNetworkResource); ++ length_wszNetworkResource_1 = ndr_get_array_length(ndr, &r->in.wszNetworkResource); ++ if (length_wszNetworkResource_1 > size_wszNetworkResource_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_wszNetworkResource_1, length_wszNetworkResource_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.wszNetworkResource), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszNetworkResource, ndr_get_array_length(ndr, &r->in.wszNetworkResource), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_wszNetworkResource_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszNetworkResource, length_wszNetworkResource_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_wszNetworkResource_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_wszUser)); +@@ -5438,11 +5462,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.wszUser, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.wszUser)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.wszUser)); +- if (ndr_get_array_length(ndr, &r->in.wszUser) > ndr_get_array_size(ndr, &r->in.wszUser)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.wszUser), ndr_get_array_length(ndr, &r->in.wszUser)); ++ size_wszUser_1 = ndr_get_array_size(ndr, &r->in.wszUser); ++ length_wszUser_1 = ndr_get_array_length(ndr, &r->in.wszUser); ++ if (length_wszUser_1 > size_wszUser_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_wszUser_1, length_wszUser_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.wszUser), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszUser, ndr_get_array_length(ndr, &r->in.wszUser), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_wszUser_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszUser, length_wszUser_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_wszUser_0, 0); + } + NDR_PULL_ALLOC(ndr, r->out.ORPCthat); +@@ -5460,13 +5486,15 @@ + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_ORPCthat_0, LIBNDR_FLAG_REF_ALLOC); + NDR_CHECK(ndr_pull_array_size(ndr, &r->out.Nonce)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->out.Nonce)); +- if (ndr_get_array_length(ndr, &r->out.Nonce) > ndr_get_array_size(ndr, &r->out.Nonce)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.Nonce), ndr_get_array_length(ndr, &r->out.Nonce)); ++ size_Nonce_1 = ndr_get_array_size(ndr, &r->out.Nonce); ++ length_Nonce_1 = ndr_get_array_length(ndr, &r->out.Nonce); ++ if (length_Nonce_1 > size_Nonce_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_Nonce_1, length_Nonce_1); + } + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->out.Nonce, ndr_get_array_size(ndr, &r->out.Nonce)); ++ NDR_PULL_ALLOC_N(ndr, r->out.Nonce, size_Nonce_1); + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.Nonce, ndr_get_array_length(ndr, &r->out.Nonce))); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->out.Nonce, length_Nonce_1)); + NDR_CHECK(ndr_pull_WERROR(ndr, NDR_SCALARS, &r->out.result)); + if (r->out.Nonce) { + NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->out.Nonce, 16)); +@@ -5565,7 +5593,11 @@ + static enum ndr_err_code ndr_pull_WBEMLogin(struct ndr_pull *ndr, int flags, struct WBEMLogin *r) + { + uint32_t _ptr_wszPreferredLocale; ++ uint32_t size_wszPreferredLocale_1 = 0; ++ uint32_t length_wszPreferredLocale_1 = 0; + uint32_t _ptr_AccessToken; ++ uint32_t size_AccessToken_1 = 0; ++ uint32_t length_AccessToken_1 = 0; + uint32_t _ptr_ppNamespace; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_wszPreferredLocale_0; +@@ -5588,11 +5620,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.wszPreferredLocale, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.wszPreferredLocale)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.wszPreferredLocale)); +- if (ndr_get_array_length(ndr, &r->in.wszPreferredLocale) > ndr_get_array_size(ndr, &r->in.wszPreferredLocale)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.wszPreferredLocale), ndr_get_array_length(ndr, &r->in.wszPreferredLocale)); ++ size_wszPreferredLocale_1 = ndr_get_array_size(ndr, &r->in.wszPreferredLocale); ++ length_wszPreferredLocale_1 = ndr_get_array_length(ndr, &r->in.wszPreferredLocale); ++ if (length_wszPreferredLocale_1 > size_wszPreferredLocale_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_wszPreferredLocale_1, length_wszPreferredLocale_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.wszPreferredLocale), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszPreferredLocale, ndr_get_array_length(ndr, &r->in.wszPreferredLocale), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_wszPreferredLocale_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszPreferredLocale, length_wszPreferredLocale_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_wszPreferredLocale_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_AccessToken)); +@@ -5606,11 +5640,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.AccessToken, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.AccessToken)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.AccessToken)); +- if (ndr_get_array_length(ndr, &r->in.AccessToken) > ndr_get_array_size(ndr, &r->in.AccessToken)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.AccessToken), ndr_get_array_length(ndr, &r->in.AccessToken)); ++ size_AccessToken_1 = ndr_get_array_size(ndr, &r->in.AccessToken); ++ length_AccessToken_1 = ndr_get_array_length(ndr, &r->in.AccessToken); ++ if (length_AccessToken_1 > size_AccessToken_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_AccessToken_1, length_AccessToken_1); + } +- NDR_PULL_ALLOC_N(ndr, r->in.AccessToken, ndr_get_array_size(ndr, &r->in.AccessToken)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.AccessToken, ndr_get_array_length(ndr, &r->in.AccessToken))); ++ NDR_PULL_ALLOC_N(ndr, r->in.AccessToken, size_AccessToken_1); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->in.AccessToken, length_AccessToken_1)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_AccessToken_0, 0); + } + NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->in.lFlags)); +@@ -5760,7 +5796,11 @@ + static enum ndr_err_code ndr_pull_NTLMLogin(struct ndr_pull *ndr, int flags, struct NTLMLogin *r) + { + uint32_t _ptr_wszNetworkResource; ++ uint32_t size_wszNetworkResource_1 = 0; ++ uint32_t length_wszNetworkResource_1 = 0; + uint32_t _ptr_wszPreferredLocale; ++ uint32_t size_wszPreferredLocale_1 = 0; ++ uint32_t length_wszPreferredLocale_1 = 0; + uint32_t _ptr_pCtx; + uint32_t _ptr_ppNamespace; + TALLOC_CTX *_mem_save_ORPCthat_0; +@@ -5784,11 +5824,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.wszNetworkResource, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.wszNetworkResource)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.wszNetworkResource)); +- if (ndr_get_array_length(ndr, &r->in.wszNetworkResource) > ndr_get_array_size(ndr, &r->in.wszNetworkResource)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.wszNetworkResource), ndr_get_array_length(ndr, &r->in.wszNetworkResource)); ++ size_wszNetworkResource_1 = ndr_get_array_size(ndr, &r->in.wszNetworkResource); ++ length_wszNetworkResource_1 = ndr_get_array_length(ndr, &r->in.wszNetworkResource); ++ if (length_wszNetworkResource_1 > size_wszNetworkResource_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_wszNetworkResource_1, length_wszNetworkResource_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.wszNetworkResource), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszNetworkResource, ndr_get_array_length(ndr, &r->in.wszNetworkResource), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_wszNetworkResource_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszNetworkResource, length_wszNetworkResource_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_wszNetworkResource_0, 0); + } + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_wszPreferredLocale)); +@@ -5802,11 +5844,13 @@ + NDR_PULL_SET_MEM_CTX(ndr, r->in.wszPreferredLocale, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.wszPreferredLocale)); + NDR_CHECK(ndr_pull_array_length(ndr, &r->in.wszPreferredLocale)); +- if (ndr_get_array_length(ndr, &r->in.wszPreferredLocale) > ndr_get_array_size(ndr, &r->in.wszPreferredLocale)) { +- return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.wszPreferredLocale), ndr_get_array_length(ndr, &r->in.wszPreferredLocale)); ++ size_wszPreferredLocale_1 = ndr_get_array_size(ndr, &r->in.wszPreferredLocale); ++ length_wszPreferredLocale_1 = ndr_get_array_length(ndr, &r->in.wszPreferredLocale); ++ if (length_wszPreferredLocale_1 > size_wszPreferredLocale_1) { ++ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", size_wszPreferredLocale_1, length_wszPreferredLocale_1); + } +- NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.wszPreferredLocale), sizeof(uint16_t))); +- NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszPreferredLocale, ndr_get_array_length(ndr, &r->in.wszPreferredLocale), sizeof(uint16_t), CH_UTF16)); ++ NDR_CHECK(ndr_check_string_terminator(ndr, length_wszPreferredLocale_1, sizeof(uint16_t))); ++ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.wszPreferredLocale, length_wszPreferredLocale_1, sizeof(uint16_t), CH_UTF16)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_wszPreferredLocale_0, 0); + } + NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->in.lFlags)); +@@ -6031,6 +6075,7 @@ + static enum ndr_err_code ndr_pull_IWbemWCOSmartEnum_Next(struct ndr_pull *ndr, int flags, struct IWbemWCOSmartEnum_Next *r) + { + uint32_t _ptr_pData; ++ uint32_t size_pData_2 = 0; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_gEWCO_0; + TALLOC_CTX *_mem_save_gWCO_0; +@@ -6105,8 +6150,9 @@ + _mem_save_pData_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, *r->out.pData, 0); + NDR_CHECK(ndr_pull_array_size(ndr, r->out.pData)); +- NDR_PULL_ALLOC_N(ndr, *r->out.pData, ndr_get_array_size(ndr, r->out.pData)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.pData, ndr_get_array_size(ndr, r->out.pData))); ++ size_pData_2 = ndr_get_array_size(ndr, r->out.pData); ++ NDR_PULL_ALLOC_N(ndr, *r->out.pData, size_pData_2); ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, *r->out.pData, size_pData_2)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pData_1, 0); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pData_0, LIBNDR_FLAG_REF_ALLOC); +@@ -7063,6 +7109,7 @@ + static enum ndr_err_code ndr_pull_Indicate(struct ndr_pull *ndr, int flags, struct Indicate *r) + { + uint32_t _ptr_apObjArray; ++ uint32_t size_apObjArray_1 = 0; + uint32_t cntr_apObjArray_1; + TALLOC_CTX *_mem_save_ORPCthat_0; + TALLOC_CTX *_mem_save_apObjArray_1; +@@ -7073,12 +7120,13 @@ + NDR_CHECK(ndr_pull_ORPCTHIS(ndr, NDR_SCALARS|NDR_BUFFERS, &r->in.ORPCthis)); + NDR_CHECK(ndr_pull_int32(ndr, NDR_SCALARS, &r->in.lObjectCount)); + NDR_CHECK(ndr_pull_array_size(ndr, &r->in.apObjArray)); ++ size_apObjArray_1 = ndr_get_array_size(ndr, &r->in.apObjArray); + if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) { +- NDR_PULL_ALLOC_N(ndr, r->in.apObjArray, ndr_get_array_size(ndr, &r->in.apObjArray)); ++ NDR_PULL_ALLOC_N(ndr, r->in.apObjArray, size_apObjArray_1); + } + _mem_save_apObjArray_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.apObjArray, 0); +- for (cntr_apObjArray_1 = 0; cntr_apObjArray_1 < r->in.lObjectCount; cntr_apObjArray_1++) { ++ for (cntr_apObjArray_1 = 0; cntr_apObjArray_1 < size_apObjArray_1; cntr_apObjArray_1++) { + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_apObjArray)); + if (_ptr_apObjArray) { + NDR_PULL_ALLOC(ndr, r->in.apObjArray[cntr_apObjArray_1]); +@@ -7086,7 +7134,7 @@ + r->in.apObjArray[cntr_apObjArray_1] = NULL; + } + } +- for (cntr_apObjArray_1 = 0; cntr_apObjArray_1 < r->in.lObjectCount; cntr_apObjArray_1++) { ++ for (cntr_apObjArray_1 = 0; cntr_apObjArray_1 < size_apObjArray_1; cntr_apObjArray_1++) { + if (r->in.apObjArray[cntr_apObjArray_1]) { + _mem_save_apObjArray_2 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->in.apObjArray[cntr_apObjArray_1], 0); +Index: samba-3.6.3/source3/librpc/gen_ndr/ndr_xattr.c +=================================================================== +--- samba-3.6.3.orig/source3/librpc/gen_ndr/ndr_xattr.c 2012-04-12 12:09:51.919287484 -0500 ++++ samba-3.6.3/source3/librpc/gen_ndr/ndr_xattr.c 2012-04-12 12:19:21.031301011 -0500 +@@ -469,6 +469,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_xattr_DosEAs(struct ndr_pull *ndr, int ndr_flags, struct xattr_DosEAs *r) + { + uint32_t _ptr_eas; ++ uint32_t size_eas_1 = 0; + uint32_t cntr_eas_1; + TALLOC_CTX *_mem_save_eas_0; + TALLOC_CTX *_mem_save_eas_1; +@@ -488,10 +489,11 @@ + _mem_save_eas_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->eas, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->eas)); +- NDR_PULL_ALLOC_N(ndr, r->eas, ndr_get_array_size(ndr, &r->eas)); ++ size_eas_1 = ndr_get_array_size(ndr, &r->eas); ++ NDR_PULL_ALLOC_N(ndr, r->eas, size_eas_1); + _mem_save_eas_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->eas, 0); +- for (cntr_eas_1 = 0; cntr_eas_1 < r->num_eas; cntr_eas_1++) { ++ for (cntr_eas_1 = 0; cntr_eas_1 < size_eas_1; cntr_eas_1++) { + NDR_CHECK(ndr_pull_xattr_EA(ndr, NDR_SCALARS, &r->eas[cntr_eas_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eas_1, 0); +@@ -543,15 +545,17 @@ + + _PUBLIC_ enum ndr_err_code ndr_pull_tdb_xattrs(struct ndr_pull *ndr, int ndr_flags, struct tdb_xattrs *r) + { ++ uint32_t size_eas_0 = 0; + uint32_t cntr_eas_0; + TALLOC_CTX *_mem_save_eas_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_eas)); +- NDR_PULL_ALLOC_N(ndr, r->eas, r->num_eas); ++ size_eas_0 = r->num_eas; ++ NDR_PULL_ALLOC_N(ndr, r->eas, size_eas_0); + _mem_save_eas_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->eas, 0); +- for (cntr_eas_0 = 0; cntr_eas_0 < r->num_eas; cntr_eas_0++) { ++ for (cntr_eas_0 = 0; cntr_eas_0 < size_eas_0; cntr_eas_0++) { + NDR_CHECK(ndr_pull_xattr_EA(ndr, NDR_SCALARS, &r->eas[cntr_eas_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_eas_0, 0); +@@ -653,6 +657,7 @@ + _PUBLIC_ enum ndr_err_code ndr_pull_xattr_DosStreams(struct ndr_pull *ndr, int ndr_flags, struct xattr_DosStreams *r) + { + uint32_t _ptr_streams; ++ uint32_t size_streams_1 = 0; + uint32_t cntr_streams_1; + TALLOC_CTX *_mem_save_streams_0; + TALLOC_CTX *_mem_save_streams_1; +@@ -672,10 +677,11 @@ + _mem_save_streams_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->streams, 0); + NDR_CHECK(ndr_pull_array_size(ndr, &r->streams)); +- NDR_PULL_ALLOC_N(ndr, r->streams, ndr_get_array_size(ndr, &r->streams)); ++ size_streams_1 = ndr_get_array_size(ndr, &r->streams); ++ NDR_PULL_ALLOC_N(ndr, r->streams, size_streams_1); + _mem_save_streams_1 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->streams, 0); +- for (cntr_streams_1 = 0; cntr_streams_1 < r->num_streams; cntr_streams_1++) { ++ for (cntr_streams_1 = 0; cntr_streams_1 < size_streams_1; cntr_streams_1++) { + NDR_CHECK(ndr_pull_xattr_DosStream(ndr, NDR_SCALARS, &r->streams[cntr_streams_1])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_streams_1, 0); +@@ -729,6 +735,7 @@ + { + uint32_t _ptr_sd; + TALLOC_CTX *_mem_save_sd_0; ++ uint32_t size_hash_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd)); +@@ -737,7 +744,8 @@ + } else { + r->sd = NULL; + } +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); ++ size_hash_0 = 16; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -787,6 +795,7 @@ + { + uint32_t _ptr_sd; + TALLOC_CTX *_mem_save_sd_0; ++ uint32_t size_hash_0 = 0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 5)); + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd)); +@@ -796,7 +805,8 @@ + r->sd = NULL; + } + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->hash_type)); +- NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 64)); ++ size_hash_0 = 64; ++ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, size_hash_0)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); + } + if (ndr_flags & NDR_BUFFERS) { +@@ -883,8 +893,11 @@ + uint32_t level; + uint16_t _level; + TALLOC_CTX *_mem_save_sd_0; ++ uint32_t _ptr_sd; + TALLOC_CTX *_mem_save_sd_hs2_0; ++ uint32_t _ptr_sd_hs2; + TALLOC_CTX *_mem_save_sd_hs3_0; ++ uint32_t _ptr_sd_hs3; + level = ndr_pull_get_switch_value(ndr, r); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_union_align(ndr, 5)); +@@ -895,7 +908,6 @@ + NDR_CHECK(ndr_pull_union_align(ndr, 5)); + switch (level) { + case 1: { +- uint32_t _ptr_sd; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd)); + if (_ptr_sd) { + NDR_PULL_ALLOC(ndr, r->sd); +@@ -905,7 +917,6 @@ + break; } + + case 2: { +- uint32_t _ptr_sd_hs2; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_hs2)); + if (_ptr_sd_hs2) { + NDR_PULL_ALLOC(ndr, r->sd_hs2); +@@ -915,7 +926,6 @@ + break; } + + case 3: { +- uint32_t _ptr_sd_hs3; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_hs3)); + if (_ptr_sd_hs3) { + NDR_PULL_ALLOC(ndr, r->sd_hs3); diff -Nru samba-3.6.3/debian/patches/series samba-3.6.3/debian/patches/series --- samba-3.6.3/debian/patches/series 2012-03-08 14:53:06.000000000 -0600 +++ samba-3.6.3/debian/patches/series 2012-04-12 12:19:16.000000000 -0500 @@ -14,3 +14,5 @@ bug_221618_precise-64bit-prototype.patch initialize_password_db-null-deref fix-samba.ldip-syntax.patch +CVE-2012-1182-1.patch +CVE-2012-1182-2.patch