diff options
author | Jeremy Allison <jra@samba.org> | 2006-03-07 20:52:43 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:11:03 -0500 |
commit | cd49e2546ecc3d16dc2f89c07d48b98995ec5ff9 (patch) | |
tree | 23b44b812148dd667d338f09bbb32f5ff48b8f52 | |
parent | 03b32953cf74178a8e591d46cbf932828cf9fd55 (diff) | |
download | samba-cd49e2546ecc3d16dc2f89c07d48b98995ec5ff9.tar.gz samba-cd49e2546ecc3d16dc2f89c07d48b98995ec5ff9.tar.bz2 samba-cd49e2546ecc3d16dc2f89c07d48b98995ec5ff9.zip |
r13989: Fix for Coverity bug #45 and associated spoolss RPC_BUFFER
problems. Ensure that if the parse succeeds on UNMARSHALL
we have a valid (although possibly empty) RPC_BUFFER returned.
Jeremy.
(This used to be commit d319cc9c08bfa865a6431a8631a9c609f589be1f)
-rw-r--r-- | source3/rpc_parse/parse_buffer.c | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index b220809654..b8b2c2e9ea 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -108,19 +108,34 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b data_p = *buffer ? 0xf000baaa : 0; - if ( !prs_uint32("ptr", ps, depth, &data_p )) + if ( !prs_uint32("ptr", ps, depth, &data_p )) { return False; + } - /* we're done if there is no data */ - - if ( !data_p ) - return True; - + /* We must always return a valid buffer pointer even if the + client didn't send one - just leave it initialized to null. */ if ( UNMARSHALLING(ps) ) { - if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) + if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) { return False; + } } + /* we're done if there is no data */ + + if (!data_p) { + if (UNMARSHALLING(ps)) { + RPC_BUFFER *pbuffer = *buffer; + /* On unmarshalling we must return a valid, + but zero size value RPC_BUFFER. */ + pbuffer->size = 0; + pbuffer->string_at_end = 0; + if (!prs_init(&pbuffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) { + return False; + } + } + return True; + } + return prs_rpcbuffer( desc, ps, depth, *buffer); } |