Fixed bug where mallocd size of prs_struct could be larger than

incoming packet. Ensure new alloced memory is zeroed before use.
Jeremy.
(This used to be commit 1c3193aa1c1137734dc34ef2e6d62abb0609c30e)

1 files changed, 7 insertions, 3 deletions

diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c
index fff1bc27b1..4260b1c8d5 100644
--- a/source3/rpc_parse/parse_prs.c
+++ b/source3/rpc_parse/parse_prs.c
@@ -209,6 +209,8 @@ BOOL prs_grow(prs_struct *ps, uint32 extra_space)
 				(unsigned int)new_size));
 			return False;
 		}
+
+		memset(&new_data[ps->buffer_size], '\0', new_size - ps->buffer_size);
 	}
 	ps->buffer_size = new_size;
 	ps->data_p = new_data;
@@ -239,6 +241,8 @@ BOOL prs_force_grow(prs_struct *ps, uint32 extra_space)
 		return False;
 	}
 
+	memset(&new_data[ps->buffer_size], '\0', new_size - ps->buffer_size);
+
 	ps->buffer_size = new_size;
 	ps->data_p = new_data;
 
@@ -296,7 +300,7 @@ BOOL prs_set_offset(prs_struct *ps, uint32 offset)
 
 BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
 {
-	if(!prs_grow(dst, prs_offset(src)))
+	if(!prs_force_grow(dst, prs_offset(src)))
 		return False;
 
 	memcpy(&dst->data_p[dst->data_offset], prs_data_p(src), (size_t)prs_offset(src));
@@ -311,7 +315,7 @@ BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
 
 BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uint32 len)
 {	
-	if(!prs_grow(dst, len))
+	if(!prs_force_grow(dst, len))
 		return False;
 	
 	memcpy(&dst->data_p[dst->data_offset], prs_data_p(src)+start, (size_t)len);
@@ -326,7 +330,7 @@ BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uin
 
 BOOL prs_append_data(prs_struct *dst, char *src, uint32 len)
 {
-	if(!prs_grow(dst, len))
+	if(!prs_force_grow(dst, len))
 		return False;
 
 	memcpy(&dst->data_p[dst->data_offset], src, (size_t)len);