diff options
| author | Jeremy Allison <jra@samba.org> | 2000-07-27 00:47:19 +0000 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2000-07-27 00:47:19 +0000 |
| commit | 5ec1642809d9de83da8c88c65d6595c6eb0270f5 (patch) | |
| tree | f6f4f1e0b3678394fca8b7c37f71084a1b166671 /source3/rpc_parse | |
| parent | 134a4b86548db77cba292c50fbd6b91ecaa69f14 (diff) | |
| download | samba-5ec1642809d9de83da8c88c65d6595c6eb0270f5.tar.gz samba-5ec1642809d9de83da8c88c65d6595c6eb0270f5.tar.bz2 samba-5ec1642809d9de83da8c88c65d6595c6eb0270f5.zip | |
Ok - this is a *BIG* change - but it fixes the problems with static strings
in the RPC code. This change was prompted by trying to save a long (>256)
character comment in the printer properties page.
The new system associates a TALLOC_CTX with the pipe struct, and frees
the pool on return of a complete PDU.
A global TALLOC_CTX is used for the odd buffer allocated in the BUFFERxx
code, and is freed in the main loop.
This code works with insure, and seems to be free of memory leaks and
crashes (so far) but there are probably the occasional problem with
code that uses UNISTRxx structs on the stack and expects them to contain
storage without doing a init_unistrXX().
This means that rpcclient will probably be horribly broken.
A TALLOC_CTX also needed associating with the struct cli_state also,
to make the prs_xx code there work.
The main interface change is the addition of a TALLOC_CTX to the
prs_init calls - used for dynamic allocation in the prs_XXX calls.
Now this is in place it should make dynamic allocation of all RPC
memory on unmarshall *much* easier to fix.
Jeremy.
(This used to be commit 0ff2ce543ee54f7364e6d839db6d06e7ef1edcf4)
Diffstat (limited to 'source3/rpc_parse')
| -rw-r--r-- | source3/rpc_parse/parse_creds.c | 4 | ||||
| -rw-r--r-- | source3/rpc_parse/parse_misc.c | 190 | ||||
| -rw-r--r-- | source3/rpc_parse/parse_prs.c | 101 | ||||
| -rw-r--r-- | source3/rpc_parse/parse_spoolss.c | 64 |
4 files changed, 248 insertions, 111 deletions
diff --git a/source3/rpc_parse/parse_creds.c b/source3/rpc_parse/parse_creds.c index 9ffc5d7a69..c34a7f5ac3 100644 --- a/source3/rpc_parse/parse_creds.c +++ b/source3/rpc_parse/parse_creds.c @@ -597,7 +597,7 @@ BOOL create_ntuser_creds( prs_struct *ps, usr.ptr_ntc = 0; } - prs_init(ps, 1024, 4, False); + prs_init(ps, 1024, 4, NULL, False); ps->data_offset = 4; return creds_io_cmd("creds", &cmd, ps, 0); @@ -623,7 +623,7 @@ BOOL create_user_creds( prs_struct *ps, cmd.ptr_creds = usr != NULL ? 1 : 0; cmd.cred = usr; - prs_init(ps, 1024, 4, False); + prs_init(ps, 1024, 4, NULL, False); ps->data_offset = 4; return creds_io_cmd("creds", &cmd, ps, 0); diff --git a/source3/rpc_parse/parse_misc.c b/source3/rpc_parse/parse_misc.c index fe2778a356..2a642e1cec 100644 --- a/source3/rpc_parse/parse_misc.c +++ b/source3/rpc_parse/parse_misc.c @@ -26,6 +26,20 @@ extern int DEBUGLEVEL; +static TALLOC_CTX *parse_misc_talloc = NULL; + +/******************************************************************* a +free up temporary memory - called from the main loop +********************************************************************/ + +void parse_talloc_free(void) +{ + if (!parse_misc_talloc) + return; + talloc_destroy(parse_misc_talloc); + parse_misc_talloc = NULL; +} + /******************************************************************* Reads or writes a UTIME type. ********************************************************************/ @@ -296,12 +310,6 @@ BOOL smb_io_strhdr(char *desc, STRHDR *hdr, prs_struct *ps, int depth) if(!prs_uint32("buffer ", ps, depth, &hdr->buffer)) return False; - /* oops! XXXX maybe issue a warning that this is happening... */ - if (hdr->str_max_len > MAX_STRINGLEN) - hdr->str_max_len = MAX_STRINGLEN; - if (hdr->str_str_len > MAX_STRINGLEN) - hdr->str_str_len = MAX_STRINGLEN; - return True; } @@ -338,12 +346,6 @@ BOOL smb_io_unihdr(char *desc, UNIHDR *hdr, prs_struct *ps, int depth) if(!prs_uint32("buffer ", ps, depth, &hdr->buffer)) return False; - /* oops! XXXX maybe issue a warning that this is happening... */ - if (hdr->uni_max_len > MAX_UNISTRLEN) - hdr->uni_max_len = MAX_UNISTRLEN; - if (hdr->uni_str_len > MAX_UNISTRLEN) - hdr->uni_str_len = MAX_UNISTRLEN; - return True; } @@ -429,12 +431,6 @@ BOOL smb_io_hdrbuf(char *desc, BUFHDR *hdr, prs_struct *ps, int depth) if(!prs_uint32("buf_len ", ps, depth, &hdr->buf_len)) return False; - /* oops! XXXX maybe issue a warning that this is happening... */ - if (hdr->buf_max_len > MAX_BUFFERLEN) - hdr->buf_max_len = MAX_BUFFERLEN; - if (hdr->buf_len > MAX_BUFFERLEN) - hdr->buf_len = MAX_BUFFERLEN; - return True; } @@ -477,8 +473,21 @@ BOOL smb_io_unihdr2(char *desc, UNIHDR2 *hdr2, prs_struct *ps, int depth) void init_unistr(UNISTR *str, const char *buf) { + size_t len = strlen(buf) + 1; + + if (!parse_misc_talloc) + parse_misc_talloc = talloc_init(); + + if (len < MAX_UNISTRLEN) + len = MAX_UNISTRLEN; + len *= sizeof(uint16); + + str->buffer = (uint16 *)talloc(parse_misc_talloc, len); + if (str->buffer == NULL) + smb_panic("init_unistr2: malloc fail\n"); + /* store the string (null-terminated copy) */ - dos_struni2((char *)str->buffer, buf, sizeof(str->buffer)); + dos_struni2((char *)str->buffer, buf, len); } /******************************************************************* @@ -503,6 +512,24 @@ BOOL smb_io_unistr(char *desc, UNISTR *uni, prs_struct *ps, int depth) } /******************************************************************* + Allocate the BUFFER3 memory. +********************************************************************/ + +static void create_buffer3(BUFFER3 *str, size_t len) +{ + if (!parse_misc_talloc) + parse_misc_talloc = talloc_init(); + + if (len < MAX_BUFFERLEN) + len = MAX_BUFFERLEN; + + str->buffer = talloc(parse_misc_talloc, len); + if (str->buffer == NULL) + smb_panic("create_buffer3: malloc fail\n"); + +} + +/******************************************************************* Inits a BUFFER3 structure from a uint32 ********************************************************************/ @@ -514,6 +541,7 @@ void init_buffer3_uint32(BUFFER3 *str, uint32 val) str->buf_max_len = sizeof(uint32); str->buf_len = sizeof(uint32); + create_buffer3(str, sizeof(uint32)); SIVAL(str->buffer, 0, val); } @@ -529,8 +557,10 @@ void init_buffer3_str(BUFFER3 *str, char *buf, int len) str->buf_max_len = len * 2; str->buf_len = len * 2; + create_buffer3(str, str->buf_max_len); + /* store the string (null-terminated 8 bit chars into 16 bit chars) */ - dos_struni2((char *)str->buffer, buf, sizeof(str->buffer)); + dos_struni2((char *)str->buffer, buf, str->buf_max_len); } /******************************************************************* @@ -540,6 +570,7 @@ void init_buffer3_str(BUFFER3 *str, char *buf, int len) void init_buffer3_hex(BUFFER3 *str, char *buf) { ZERO_STRUCTP(str); + create_buffer3(str, strlen(buf)); str->buf_max_len = str->buf_len = strhex_to_str((char *)str->buffer, sizeof(str->buffer), buf); } @@ -553,8 +584,10 @@ void init_buffer3_bytes(BUFFER3 *str, uint8 *buf, int len) /* max buffer size (allocated size) */ str->buf_max_len = len; - if (buf != NULL) - memcpy(str->buffer, buf, MIN(str->buf_len, sizeof(str->buffer))); + if (buf != NULL) { + create_buffer3(str, len); + memcpy(str->buffer, buf, len); + } str->buf_len = buf != NULL ? len : 0; } @@ -578,16 +611,17 @@ BOOL smb_io_buffer3(char *desc, BUFFER3 *buf3, prs_struct *ps, int depth) if(!prs_uint32("uni_max_len", ps, depth, &buf3->buf_max_len)) return False; - if (buf3->buf_max_len > MAX_UNISTRLEN) - buf3->buf_max_len = MAX_UNISTRLEN; + if (UNMARSHALLING(ps)) { + buf3->buffer = prs_alloc_mem(ps, buf3->buf_max_len); + if (buf3->buffer == NULL) + return False; + } if(!prs_uint8s(True, "buffer ", ps, depth, buf3->buffer, buf3->buf_max_len)) return False; if(!prs_uint32("buf_len ", ps, depth, &buf3->buf_len)) return False; - if (buf3->buf_len > MAX_UNISTRLEN) - buf3->buf_len = MAX_UNISTRLEN; return True; } @@ -607,9 +641,10 @@ BOOL smb_io_buffer5(char *desc, BUFFER5 *buf5, prs_struct *ps, int depth) prs_uint32("buf_len", ps, depth, &(buf5->buf_len)); /* reading: alloc the buffer first */ - if ( ps->io ) - { - buf5->buffer=(uint16 *)malloc( sizeof(uint16)*buf5->buf_len ); + if ( UNMARSHALLING(ps) ) { + buf5->buffer=(uint16 *)prs_alloc_mem(ps, sizeof(uint16)*buf5->buf_len ); + if (buf5->buffer == NULL) + return False; } prs_uint16s(True, "buffer", ps, depth, buf5->buffer, buf5->buf_len); @@ -618,15 +653,6 @@ BOOL smb_io_buffer5(char *desc, BUFFER5 *buf5, prs_struct *ps, int depth) } /******************************************************************* - Frees a BUFFER5 structure (just the malloced part). -********************************************************************/ - -void free_buffer5(BUFFER5 *buf5) -{ - safe_free(buf5->buffer); -} - -/******************************************************************* Inits a BUFFER2 structure. ********************************************************************/ @@ -639,8 +665,17 @@ void init_buffer2(BUFFER2 *str, uint8 *buf, int len) str->undoc = 0; str->buf_len = buf != NULL ? len : 0; - if (buf != NULL) - memcpy(str->buffer, buf, MIN(str->buf_len, sizeof(str->buffer))); + if (buf != NULL) { + if (!parse_misc_talloc) + parse_misc_talloc = talloc_init(); + + if (len < MAX_BUFFERLEN) + len = MAX_BUFFERLEN; + str->buffer = talloc(parse_misc_talloc, len); + if (str->buffer == NULL) + smb_panic("init_buffer2: malloc fail\n"); + memcpy(str->buffer, buf, MIN(str->buf_len, len)); + } } /******************************************************************* @@ -669,12 +704,6 @@ BOOL smb_io_buffer2(char *desc, BUFFER2 *buf2, uint32 buffer, prs_struct *ps, in if(!prs_uint32("buf_len ", ps, depth, &buf2->buf_len)) return False; - /* oops! XXXX maybe issue a warning that this is happening... */ - if (buf2->buf_max_len > MAX_UNISTRLEN) - buf2->buf_max_len = MAX_UNISTRLEN; - if (buf2->buf_len > MAX_UNISTRLEN) - buf2->buf_len = MAX_UNISTRLEN; - /* buffer advanced by indicated length of string NOT by searching for null-termination */ @@ -721,6 +750,21 @@ void copy_unistr2(UNISTR2 *str, UNISTR2 *from) str->undoc = from->undoc; str->uni_str_len = from->uni_str_len; + if (str->buffer == NULL) { + size_t len = from->uni_max_len * 2; + + if (!parse_misc_talloc) + parse_misc_talloc = talloc_init(); + + if (len < MAX_UNISTRLEN) + len = MAX_UNISTRLEN; + len *= sizeof(uint16); + + str->buffer = (uint16 *)talloc(parse_misc_talloc, len); + if (str->buffer == NULL) + smb_panic("copy_unistr2: malloc fail\n"); + } + /* copy the string */ memcpy(str->buffer, from->buffer, sizeof(from->buffer)); } @@ -731,14 +775,23 @@ void copy_unistr2(UNISTR2 *str, UNISTR2 *from) void init_string2(STRING2 *str, char *buf, int len) { - /* set up string lengths. */ - str->str_max_len = len; - str->undoc = 0; - str->str_str_len = len; - - /* store the string */ - if(len != 0) - memcpy(str->buffer, buf, len); + /* set up string lengths. */ + str->str_max_len = len; + str->undoc = 0; + str->str_str_len = len; + + /* store the string */ + if(len != 0) { + if (!parse_misc_talloc) + parse_misc_talloc = talloc_init(); + + if (len < MAX_STRINGLEN) + len = MAX_STRINGLEN; + str->buffer = talloc(parse_misc_talloc, len); + if (str->buffer == NULL) + smb_panic("init_string2: malloc fail\n"); + memcpy(str->buffer, buf, len); + } } /******************************************************************* @@ -768,12 +821,6 @@ BOOL smb_io_string2(char *desc, STRING2 *str2, uint32 buffer, prs_struct *ps, in if(!prs_uint32("str_str_len", ps, depth, &str2->str_str_len)) return False; - /* oops! XXXX maybe issue a warning that this is happening... */ - if (str2->str_max_len > MAX_STRINGLEN) - str2->str_max_len = MAX_STRINGLEN; - if (str2->str_str_len > MAX_STRINGLEN) - str2->str_str_len = MAX_STRINGLEN; - /* buffer advanced by indicated length of string NOT by searching for null-termination */ if(!prs_string2(True, "buffer ", ps, depth, str2)) @@ -803,8 +850,19 @@ void init_unistr2(UNISTR2 *str, const char *buf, size_t len) str->undoc = 0; str->uni_str_len = (uint32)len; + if (!parse_misc_talloc) + parse_misc_talloc = talloc_init(); + + if (len < MAX_UNISTRLEN) + len = MAX_UNISTRLEN; + len *= sizeof(uint16); + + str->buffer = (uint16 *)talloc(parse_misc_talloc, len); + if (str->buffer == NULL) + smb_panic("init_unistr2: malloc fail\n"); + /* store the string (null-terminated 8 bit chars into 16 bit chars) */ - dos_struni2((char *)str->buffer, buf, sizeof(str->buffer)); + dos_struni2((char *)str->buffer, buf, len); } /******************************************************************* @@ -834,12 +892,6 @@ BOOL smb_io_unistr2(char *desc, UNISTR2 *uni2, uint32 buffer, prs_struct *ps, in if(!prs_uint32("uni_str_len", ps, depth, &uni2->uni_str_len)) return False; - /* oops! XXXX maybe issue a warning that this is happening... */ - if (uni2->uni_max_len > MAX_UNISTRLEN) - uni2->uni_max_len = MAX_UNISTRLEN; - if (uni2->uni_str_len > MAX_UNISTRLEN) - uni2->uni_str_len = MAX_UNISTRLEN; - /* buffer advanced by indicated length of string NOT by searching for null-termination */ if(!prs_unistr2(True, "buffer ", ps, depth, uni2)) @@ -957,14 +1009,14 @@ static void init_clnt_srv(DOM_CLNT_SRV *log, char *logon_srv, char *comp_name) if (logon_srv != NULL) { log->undoc_buffer = 1; - init_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv)+1); + init_unistr2(&log->uni_logon_srv, logon_srv, strlen(logon_srv)+1); } else { log->undoc_buffer = 0; } if (comp_name != NULL) { log->undoc_buffer2 = 1; - init_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name)+1); + init_unistr2(&log->uni_comp_name, comp_name, strlen(comp_name)+1); } else { log->undoc_buffer2 = 0; } diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c index 42a3410752..bf36b5b346 100644 --- a/source3/rpc_parse/parse_prs.c +++ b/source3/rpc_parse/parse_prs.c @@ -67,7 +67,7 @@ void prs_debug(prs_struct *ps, int depth, char *desc, char *fn_name) /******************************************************************* Initialise a parse structure - malloc the data if requested. ********************************************************************/ -BOOL prs_init(prs_struct *ps, uint32 size, uint8 align, BOOL io) +BOOL prs_init(prs_struct *ps, uint32 size, uint8 align, TALLOC_CTX *ctx, BOOL io) { ZERO_STRUCTP(ps); ps->io = io; @@ -77,6 +77,7 @@ BOOL prs_init(prs_struct *ps, uint32 size, uint8 align, BOOL io) ps->data_offset = 0; ps->buffer_size = 0; ps->data_p = NULL; + ps->mem_ctx = ctx; if (size != 0) { ps->buffer_size = size; @@ -98,17 +99,12 @@ BOOL prs_read(prs_struct *ps, int fd, size_t len, int timeout) BOOL ok; size_t prev_size = ps->buffer_size; if (!prs_grow(ps, len)) - { return False; - } - if (timeout > 0) - { + if (timeout > 0) { ok = (read_with_timeout(fd, &ps->data_p[prev_size], len, len,timeout) == len); - } - else - { + } else { ok = (read_data(fd, &ps->data_p[prev_size], len) == len); } return ok; @@ -129,6 +125,24 @@ void prs_mem_free(prs_struct *ps) } /******************************************************************* + Allocate memory when unmarshalling... + ********************************************************************/ + +char *prs_alloc_mem(prs_struct *ps, size_t size) +{ + return talloc(ps->mem_ctx, size); +} + +/******************************************************************* + Return the current talloc context we're using. + ********************************************************************/ + +TALLOC_CTX *prs_get_mem_context(prs_struct *ps) +{ + return ps->mem_ctx; +} + +/******************************************************************* Hand some already allocated memory to a prs_struct. ********************************************************************/ @@ -543,11 +557,19 @@ BOOL prs_uint32s(BOOL charmode, char *name, prs_struct *ps, int depth, uint32 *d BOOL prs_buffer2(BOOL charmode, char *name, prs_struct *ps, int depth, BUFFER2 *str) { - char *p = (char *)str->buffer; + char *p; char *q = prs_mem_get(ps, str->buf_len); if (q == NULL) return False; + if (UNMARSHALLING(ps)) { + str->buffer = (uint16 *)prs_alloc_mem(ps,str->buf_len); + if (str->buffer == NULL) + return False; + } + + p = (char *)str->buffer; + /* If we're using big-endian, reverse to get little-endian. */ if(ps->bigendian_data) DBG_RW_PSVAL(charmode, name, depth, ps->data_offset, ps->io, ps->bigendian_data, q, p, str->buf_len/2) @@ -569,6 +591,12 @@ BOOL prs_string2(BOOL charmode, char *name, prs_struct *ps, int depth, STRING2 * if (q == NULL) return False; + if (UNMARSHALLING(ps)) { + str->buffer = prs_alloc_mem(ps,str->str_str_len); + if (str->buffer == NULL) + return False; + } + DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, str->buffer, str->str_max_len) ps->data_offset += (str->str_str_len * sizeof(uint8)); @@ -583,16 +611,24 @@ BOOL prs_string2(BOOL charmode, char *name, prs_struct *ps, int depth, STRING2 * BOOL prs_unistr2(BOOL charmode, char *name, prs_struct *ps, int depth, UNISTR2 *str) { - char *p = (char *)str->buffer; + char *p; char *q = prs_mem_get(ps, str->uni_str_len * sizeof(uint16)); if (q == NULL) return False; + if (UNMARSHALLING(ps)) { + str->buffer = (uint16 *)prs_alloc_mem(ps,str->uni_str_len * sizeof(uint16)); + if (str->buffer == NULL) + return False; + } + + p = (char *)str->buffer; + /* If we're using big-endian, reverse to get little-endian. */ if(ps->bigendian_data) DBG_RW_PSVAL(charmode, name, depth, ps->data_offset, ps->io, ps->bigendian_data, q, p, str->uni_str_len) else - DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, p, str->uni_str_len * 2) + DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, p, str->uni_str_len * sizeof(uint16)) ps->data_offset += (str->uni_str_len * sizeof(uint16)); return True; @@ -608,16 +644,24 @@ BOOL prs_unistr2(BOOL charmode, char *name, prs_struct *ps, int depth, UNISTR2 * BOOL prs_unistr3(BOOL charmode, char *name, UNISTR3 *str, prs_struct *ps, int depth) { - char *p = (char *)str->str.buffer; + char *p; char *q = prs_mem_get(ps, str->uni_str_len * sizeof(uint16)); if (q == NULL) return False; + if (UNMARSHALLING(ps)) { + str->str.buffer = (uint16 *)prs_alloc_mem(ps,str->uni_str_len * sizeof(uint16)); + if (str->str.buffer == NULL) + return False; + } + + p = (char *)str->str.buffer; + /* If we're using big-endian, reverse to get little-endian. */ if(ps->bigendian_data) DBG_RW_PSVAL(charmode, name, depth, ps->data_offset, ps->io, ps->bigendian_data, q, p, str->uni_str_len) else - DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, p, str->uni_str_len * 2) + DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, p, str->uni_str_len * sizeof(uint16)) ps->data_offset += (str->uni_str_len * sizeof(uint16)); return True; @@ -638,8 +682,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str) if (MARSHALLING(ps)) { - for(len = 0; len < (sizeof(str->buffer) / sizeof(str->buffer[0])) && - str->buffer[len] != 0; len++) + for(len = 0; str->buffer[len] != 0; len++) ; q = prs_mem_get(ps, (len+1)*2); @@ -648,8 +691,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str) start = (uint8*)q; - for(len = 0; len < (sizeof(str->buffer) / sizeof(str->buffer[0])) && - str->buffer[len] != 0; len++) + for(len = 0; str->buffer[len] != 0; len++) { if(ps->bigendian_data) { @@ -685,9 +727,27 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str) } else { /* unmarshalling */ + uint32 alloc_len = 0; len = -1; q = prs_data_p(ps) + prs_offset(ps); + /* + * Work out how much space we need and talloc it. + */ + { + uint32 max_len = (ps->buffer_size - ps->data_offset)/sizeof(uint16); + uint16 *ptr; + + for ( ptr = (uint16 *)q; *ptr && (alloc_len <= max_len); alloc_len++) + ; + + str->buffer = (uint16 *)prs_alloc_mem(ps,alloc_len * sizeof(uint16)); + if (str->buffer == NULL) + return False; + + p = (unsigned char *)str->buffer; + } + do { len++; @@ -705,8 +765,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str) p++; q++; } - } while (len < (sizeof(str->buffer) / sizeof(str->buffer[0])) && - str->buffer[len] != 0); + } while (len < alloc_len && str->buffer[len] != 0); } ps->data_offset += len*2; @@ -852,7 +911,7 @@ int tdb_prs_store(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps) } /* useful function to fetch a structure into rpc wire format */ -int tdb_prs_fetch(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps) +int tdb_prs_fetch(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps, TALLOC_CTX *mem_ctx) { TDB_DATA kbuf, dbuf; kbuf.dptr = keystr; @@ -862,7 +921,7 @@ int tdb_prs_fetch(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps) if (!dbuf.dptr) return -1; ZERO_STRUCTP(ps); - prs_init(ps, 0, 4, UNMARSHALL); + prs_init(ps, 0, 4, mem_ctx, UNMARSHALL); prs_give_memory(ps, dbuf.dptr, dbuf.dsize, True); return 0; diff --git a/source3/rpc_parse/parse_spoolss.c b/source3/rpc_parse/parse_spoolss.c index bee8bae8cf..9ec796d3e7 100644 --- a/source3/rpc_parse/parse_spoolss.c +++ b/source3/rpc_parse/parse_spoolss.c @@ -503,6 +503,12 @@ static BOOL spoolss_io_devmode(char *desc, prs_struct *ps, int depth, DEVICEMODE prs_debug(ps, depth, desc, "spoolss_io_devmode"); depth++; + if (UNMARSHALLING(ps)) { + devmode->devicename.buffer = prs_alloc_mem(ps, 32 * sizeof(uint16) ); + if (devmode->devicename.buffer == NULL) + return False; + } + if (!prs_uint16s(True,"devicename", ps, depth, devmode->devicename.buffer, 32)) return False; if (!prs_uint16("specversion", ps, depth, &devmode->specversion)) @@ -541,6 +547,13 @@ static BOOL spoolss_io_devmode(char *desc, prs_struct *ps, int depth, DEVICEMODE return False; if (!prs_uint16("collate", ps, depth, &devmode->collate)) return False; + + if (UNMARSHALLING(ps)) { + devmode->formname.buffer = prs_alloc_mem(ps, 32 * sizeof(uint16) ); + if (devmode->formname.buffer == NULL) + return False; + } + if (!prs_uint16s(True, "formname", ps, depth, devmode->formname.buffer, 32)) return False; if (!prs_uint16("logpixels", ps, depth, &devmode->logpixels)) @@ -683,12 +696,12 @@ BOOL make_spoolss_q_open_printer_ex(SPOOL_Q_OPEN_PRINTER_EX *q_u, { DEBUG(5,("make_spoolss_q_open_printer_ex\n")); q_u->printername_ptr = (printername!=NULL)?1:0; - init_unistr2(&(q_u->printername), printername, strlen(printername)); + init_unistr2(&q_u->printername, printername, strlen(printername)); q_u->printer_default.datatype_ptr = 0; /* q_u->printer_default.datatype_ptr = (datatype!=NULL)?1:0; - init_unistr2(&(q_u->printer_default.datatype), datatype, strlen(datatype)); + init_unistr2(&q_u->printer_default.datatype, datatype, strlen(datatype)); */ q_u->printer_default.devmode_cont.size=0; q_u->printer_default.devmode_cont.devmode_ptr=0; @@ -704,8 +717,8 @@ BOOL make_spoolss_q_open_printer_ex(SPOOL_Q_OPEN_PRINTER_EX *q_u, q_u->user_ctr.user1.major=2; q_u->user_ctr.user1.minor=0; q_u->user_ctr.user1.processor=0; - init_unistr2(&(q_u->user_ctr.user1.client_name), clientname, strlen(clientname)); - init_unistr2(&(q_u->user_ctr.user1.user_name), user_name, strlen(user_name)); + init_unistr2(&q_u->user_ctr.user1.client_name, clientname, strlen(clientname)); + init_unistr2(&q_u->user_ctr.user1.user_name, user_name, strlen(user_name)); return True; } @@ -1432,19 +1445,28 @@ static BOOL new_smb_io_relarraystr(char *desc, NEW_BUFFER *buffer, int depth, ui while (*q!=0) q++; + chaine.buffer = malloc((q-p+1)*sizeof(uint16)); + if (chaine.buffer == NULL) + return False; + memcpy(chaine.buffer, p, (q-p+1)*sizeof(uint16)); buffer->string_at_end -= (q-p+1)*sizeof(uint16); - if(!prs_set_offset(ps, buffer->string_at_end)) + if(!prs_set_offset(ps, buffer->string_at_end)) { + free(chaine.buffer); return False; + } /* write the string */ - if (!spoolss_smb_io_unistr(desc, &chaine, ps, depth)) + if (!spoolss_smb_io_unistr(desc, &chaine, ps, depth)) { + free(chaine.buffer); return False; + } q++; p=q; + free(chaine.buffer); } if(!prs_set_offset(ps, struct_offset)) @@ -1791,7 +1813,7 @@ BOOL new_smb_io_printer_info_2(char *desc, NEW_BUFFER *buffer, PRINTER_INFO_2 *i if (!new_smb_io_relstr("parameters", buffer, depth, &info->parameters)) return False; -#if 0 /* JFMTEST */ +#if 1 /* JFMTEST */ if (!prs_uint32_pre("secdesc_ptr ", ps, depth, NULL, &sec_offset)) return False; #else @@ -1816,7 +1838,7 @@ BOOL new_smb_io_printer_info_2(char *desc, NEW_BUFFER *buffer, PRINTER_INFO_2 *i if (!prs_uint32("averageppm", ps, depth, &info->averageppm)) return False; -#if 0 /* JFMTEST */ +#if 1 /* JFMTEST */ if (!prs_uint32_post("secdesc_ptr", ps, depth, NULL, sec_offset, info->secdesc ? prs_offset(ps)-buffer->struct_start : 0 )) return False; @@ -2121,7 +2143,7 @@ static BOOL new_spoolss_io_buffer(char *desc, prs_struct *ps, int depth, NEW_BUF buffer->string_at_end=0; if (buffer->ptr==0) { - if (!prs_init(&buffer->prs, 0, 4, UNMARSHALL)) + if (!prs_init(&buffer->prs, 0, 4, prs_get_mem_context(ps), UNMARSHALL)) return False; return True; } @@ -2129,7 +2151,7 @@ static BOOL new_spoolss_io_buffer(char *desc, prs_struct *ps, int depth, NEW_BUF if (!prs_uint32("size", ps, depth, &buffer->size)) return False; - if (!prs_init(&buffer->prs, buffer->size, 4, UNMARSHALL)) + if (!prs_init(&buffer->prs, buffer->size, 4, prs_get_mem_context(ps), UNMARSHALL)) return False; if (!prs_append_some_prs_data(&buffer->prs, ps, prs_offset(ps), buffer->size)) @@ -2804,7 +2826,7 @@ BOOL make_spoolss_q_enumprinters(SPOOL_Q_ENUMPRINTERS *q_u, uint32 flags, q_u->flags=flags; q_u->servername_ptr = (servername != NULL) ? 1 : 0; - init_unistr2(&(q_u->servername), servername, strlen(servername)); + init_unistr2(&q_u->servername, servername, strlen(servername)); q_u->level=level; q_u->buffer=buffer; @@ -3654,8 +3676,11 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s return False; ZERO_STRUCTP(il->info_1); } - if (!spool_io_printer_info_level_1("", il->info_1, ps, depth)) + if (!spool_io_printer_info_level_1("", il->info_1, ps, depth)) { + if (UNMARSHALLING(ps)) + safe_free(il->info_1); return False; + } break; } case 2: @@ -3664,8 +3689,11 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s return False; ZERO_STRUCTP(il->info_2); } - if (!spool_io_printer_info_level_2("", il->info_2, ps, depth)) + if (!spool_io_printer_info_level_2("", il->info_2, ps, depth)) { + if (UNMARSHALLING(ps)) + safe_free(il->info_2); return False; + } break; case 3: { @@ -3674,8 +3702,11 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s return False; ZERO_STRUCTP(il->info_3); } - if (!spool_io_printer_info_level_3("", il->info_3, ps, depth)) + if (!spool_io_printer_info_level_3("", il->info_3, ps, depth)) { + if (UNMARSHALLING(ps)) + safe_free(il->info_3); return False; + } break; } } @@ -3839,8 +3870,6 @@ void free_spool_printer_driver_info_level_3(SPOOL_PRINTER_DRIVER_INFO_LEVEL_3 ** if (il == NULL) return; - free_buffer5(&il->dependentfiles); - safe_free(il); } @@ -3985,9 +4014,6 @@ void free_spool_printer_driver_info_level_6(SPOOL_PRINTER_DRIVER_INFO_LEVEL_6 ** if (il == NULL) return; - free_buffer5(&il->dependentfiles); - free_buffer5(&il->previousnames); - safe_free(il); } |