authorAndrew Bartlett <abartlet@samba.org>2004-10-20 02:02:00 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:01:55 -0500
commit31e96d8def1dd2fea76d31a032d64e5917462dc8 (patch)
tree808f7c944e3aa873b4d6af6ddebfa8fa2e659986
parent72093ce62f1e09db86452720fe8280ad66824cde (diff)
r3073: Fix bug in the handling of null-terminated ASCII strings in RPC.
Because we didn't count the null terminator, we would not move past it in the packet. Andrew Bartlett (This used to be commit 8b38bffc7098610c469ab61b7e0e6884f046f286)
-rw-r--r--source4/lib/util_str.c18
-rw-r--r--source4/librpc/ndr/ndr_basic.c2
2 files changed, 19 insertions, 1 deletions
diff --git a/source4/lib/util_str.c b/source4/lib/util_str.c
index 03ba1399ef..07a2c1dbd1 100644
--- a/source4/lib/util_str.c
+++ b/source4/lib/util_str.c
@@ -1120,6 +1120,24 @@ int strcmp_safe(const char *s1, const char *s2)
/*******************************************************************
+return the number of bytes occupied by a buffer in ASCII format
+the result includes the null termination
+limited by 'n' bytes
+********************************************************************/
+size_t ascii_len_n(const char *src, size_t n)
+{
+ size_t len;
+
+ len = strnlen(src, n);
+ if (len+1 <= n) {
+ len += 1;
+ }
+
+ return len;
+}
+
+
+/*******************************************************************
Return a string representing a CIFS attribute for a file.
********************************************************************/
char *attrib_string(TALLOC_CTX *mem_ctx, uint32_t attrib)
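Review bot: The header comment on ascii_len_n does not say what comes back when no null is found in the first 'n' bytes. In that case the function returns n, which is also what it returns for a string whose terminator is the last of the n bytes, so a caller parsing packet data cannot tell a complete string from an unterminated one by the result alone. I would add a line such as `if no null is found within 'n' bytes the result is 'n' and the caller must check for the terminator itself` to the comment block. The test `if (len+1 <= n)` also reads more directly as `if (len < n)`, which avoids an addition that could wrap when len is at the maximum of size_t.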
diff --git a/source4/librpc/ndr/ndr_basic.c b/source4/librpc/ndr/ndr_basic.c
index 5808ae7452..239b28e3e7 100644
--- a/source4/librpc/ndr/ndr_basic.c
+++ b/source4/librpc/ndr/ndr_basic.c
@@ -657,7 +657,7 @@ NTSTATUS ndr_pull_string(struct ndr_pull *ndr, int ndr_flags, const char **s)
case LIBNDR_FLAG_STR_NULLTERM:
if (byte_mul == 1) {
- len1 = strnlen(ndr->data+ndr->offset, ndr->data_size - ndr->offset);
+ len1 = ascii_len_n(ndr->data+ndr->offset, ndr->data_size - ndr->offset);
} else {
len1 = utf16_len_n(ndr->data+ndr->offset, ndr->data_size - ndr->offset);
}
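Review bot: The bound handed to ascii_len_n, `ndr->data_size - ndr->offset`, is only safe while offset never exceeds data_size, and nothing in the visible lines establishes that. If both fields are unsigned, a larger offset makes the subtraction wrap to a very large count and the strnlen inside the helper would then read past the end of the packet buffer; the utf16_len_n call on the context line takes the same expression. ndr_pull_string begins and ends outside this hunk, so the check may already exist earlier in the function. If it does not, a guard of the form `if (ndr->offset > ndr->data_size)` that returns the function's error status belongs ahead of the switch.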