authorJeremy Allison <jra@samba.org>2006-03-07 20:52:43 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:11:03 -0500
commitcd49e2546ecc3d16dc2f89c07d48b98995ec5ff9 (patch)
tree23b44b812148dd667d338f09bbb32f5ff48b8f52
parent03b32953cf74178a8e591d46cbf932828cf9fd55 (diff)
r13989: Fix for Coverity bug #45 and associated spoolss RPC_BUFFER
problems. Ensure that if the parse succeeds on UNMARSHALL we have a valid (although possibly empty) RPC_BUFFER returned. Jeremy. (This used to be commit d319cc9c08bfa865a6431a8631a9c609f589be1f)
-rw-r--r--source3/rpc_parse/parse_buffer.c29
1 files changed, 22 insertions, 7 deletions
diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c
index b220809654..b8b2c2e9ea 100644
--- a/source3/rpc_parse/parse_buffer.c
+++ b/source3/rpc_parse/parse_buffer.c
@@ -108,19 +108,34 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b
data_p = *buffer ? 0xf000baaa : 0;
- if ( !prs_uint32("ptr", ps, depth, &data_p ))
+ if ( !prs_uint32("ptr", ps, depth, &data_p )) {
return False;
+ }
- /* we're done if there is no data */
-
- if ( !data_p )
- return True;
-
+ /* We must always return a valid buffer pointer even if the
+ client didn't send one - just leave it initialized to null. */
if ( UNMARSHALLING(ps) ) {
- if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) )
+ if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) {
return False;
+ }
}
+ /* we're done if there is no data */
+
+ if (!data_p) {
+ if (UNMARSHALLING(ps)) {
+ RPC_BUFFER *pbuffer = *buffer;
+ /* On unmarshalling we must return a valid,
+ but zero size value RPC_BUFFER. */
+ pbuffer->size = 0;
+ pbuffer->string_at_end = 0;
+ if (!prs_init(&pbuffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) {
+ return False;
+ }
+ }
+ return True;
+ }
+
return prs_rpcbuffer( desc, ps, depth, *buffer);
}
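Review bot: The new comment above the `UNMARSHALLING(ps)` allocation says to "just leave it initialized to null", but the code beneath it always allocates an `RPC_BUFFER`, so the comment describes the opposite of what happens. I would reword it to `/* On unmarshall always allocate an RPC_BUFFER, even when the client sent a null pointer; the !data_p branch below makes it a valid zero-size buffer. */`. In that `!data_p` branch only `size`, `string_at_end` and `prs` are set explicitly, so any other member of the struct depends on `PRS_ALLOC_MEM` returning zeroed memory, which is not visible in this hunk; if it does not, add `ZERO_STRUCTP(pbuffer);` before the assignments. Because a null pointer on the wire now produces a non-NULL empty buffer, callers that treated `*buffer == NULL` as "no buffer supplied" should be checked to confirm they test `size` before touching the data. The start of `prs_rpcbuffer_p` lies outside the hunk.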