authorMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>2008-09-15 19:21:38 +0200
committerJelmer Vernooij <jelmer@samba.org>2008-10-21 14:40:41 +0200
commitf10227958bef70df7609aeec5dcc834a601bd945 (patch)
treee03f9e700da9b1c8ac61b6a8f34e63bd3b8818e1
parentf9d7af8569eb7163ab9fe301d759c0c35e68a9bc (diff)
Registry server: Fixes up the patch with "type" != NULL (used in "EnumValue" and "QueryValue")
This prevents the server from segfaulting if the input data type is NULL.
-rw-r--r--source4/lib/registry/ldb.c5
-rw-r--r--source4/rpc_server/winreg/rpc_winreg.c9
2 files changed, 9 insertions, 5 deletions
diff --git a/source4/lib/registry/ldb.c b/source4/lib/registry/ldb.c
index 95851dace0..8d02b3ce02 100644
--- a/source4/lib/registry/ldb.c
+++ b/source4/lib/registry/ldb.c
@@ -289,7 +289,7 @@ static WERROR ldb_get_subkey_by_id(TALLOC_CTX *mem_ctx,
}
static WERROR ldb_get_default_value(TALLOC_CTX *mem_ctx, struct hive_key *k,
- const char** name, uint32_t *data_type,
+ const char **name, uint32_t *data_type,
DATA_BLOB *data)
{
struct ldb_key_data *kd = talloc_get_type(k, struct ldb_key_data);
@@ -797,11 +797,12 @@ static WERROR ldb_get_key_info(TALLOC_CTX *mem_ctx,
}
if (max_valbufsize != NULL) {
+ uint32_t data_type;
DATA_BLOB data;
reg_ldb_unpack_value(mem_ctx,
lp_iconv_convenience(global_loadparm),
kd->values[i], NULL,
- NULL, &data);
+ &data_type, &data);
*max_valbufsize = MAX(*max_valbufsize, data.length);
talloc_free(data.data);
}
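Review bot: The new `data_type` local in the `max_valbufsize` branch is never read; going by the commit message it exists only so that reg_ldb_unpack_value() is not handed a NULL type pointer, and nothing in the code says so. A comment such as `/* data_type is unused; the unpack helper needs a non-NULL type pointer */` would keep a later cleanup from turning it back into NULL. The same call still passes NULL for the name argument on the line above, so it is worth confirming that the helper (not visible here) tolerates a NULL name, otherwise the same crash class remains on that parameter. ldb_get_key_info starts and ends outside this hunk.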
diff --git a/source4/rpc_server/winreg/rpc_winreg.c b/source4/rpc_server/winreg/rpc_winreg.c
index 5cabae53a2..69631b3a66 100644
--- a/source4/rpc_server/winreg/rpc_winreg.c
+++ b/source4/rpc_server/winreg/rpc_winreg.c
@@ -278,7 +278,7 @@ static WERROR dcesrv_winreg_EnumValue(struct dcesrv_call_state *dce_call,
data.length = *r->in.length;
}
- /* and enough room for the name */
+ /* check if there is enough room for the name */
if (r->in.name->size < 2*strlen_m_term(data_name)) {
return WERR_MORE_DATA;
}
@@ -293,7 +293,11 @@ static WERROR dcesrv_winreg_EnumValue(struct dcesrv_call_state *dce_call,
}
r->out.name->size = r->in.name->size;
- *r->out.value = data_type;
+ r->out.type = talloc(mem_ctx, uint32_t);
+ if (!r->out.type) {
+ return WERR_NOMEM;
+ }
+ *r->out.type = data_type;
/* check the client has enough room for the value */
if (r->in.value != NULL &&
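Review bot: The unconditional allocation of `r->out.type` in dcesrv_winreg_EnumValue has no comment explaining why it is needed, although per the commit message the point is that the client-supplied type pointer may be NULL. I would put `/* the client may send a NULL type, so always allocate the out pointer */` above the `talloc` call. The QueryValue hunk below has the identical allocate-and-check sequence and this commit removes its only comment, so the same line fits there too. The function body continues past the end of this hunk, so whether later code still reads the request-side type pointer cannot be checked from here.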
@@ -484,7 +488,6 @@ static WERROR dcesrv_winreg_QueryValue(struct dcesrv_call_state *dce_call,
value_data.length = *r->in.length;
}
- /* Just asking for the size of the buffer */
r->out.type = talloc(mem_ctx, uint32_t);
if (!r->out.type) {
return WERR_NOMEM;