diff options
| author | Jeremy Allison <jra@samba.org> | 2000-12-15 23:02:01 +0000 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2000-12-15 23:02:01 +0000 |
| commit | fb82ab78fe556656eec605d532e0dabb2f815573 (patch) | |
| tree | ba148fd8d255fccc7a1dbfa4c0ebdc7c1f835408 /source3/rpc_server | |
| parent | 99c2693c620cd222da5561d526aa328bec426b77 (diff) | |
| download | samba-fb82ab78fe556656eec605d532e0dabb2f815573.tar.gz samba-fb82ab78fe556656eec605d532e0dabb2f815573.tar.bz2 samba-fb82ab78fe556656eec605d532e0dabb2f815573.zip | |
Never free anything in the rpc_parse/prs_XXX functions. Do it in the enclosing
function.
lib/util_unistr.c: Check lengths *before* reading source - prevent uninitialised
memory reads.
Jeremy.
(This used to be commit ce4f461965c872fbfc9fe5f6b98aed58bb3dd67a)
Diffstat (limited to 'source3/rpc_server')
| -rw-r--r-- | source3/rpc_server/srv_lsa.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c index 5fc40d692c..ed65e787b4 100644 --- a/source3/rpc_server/srv_lsa.c +++ b/source3/rpc_server/srv_lsa.c @@ -276,7 +276,7 @@ static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l, Init lsa_trans_names. ***************************************************************************/ -static void init_lsa_trans_names(DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn, +static void init_lsa_trans_names(TALLOC_CTX *ctx, DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn, int num_entries, DOM_SID2 *sid, uint32 *mapped_count) { @@ -286,16 +286,18 @@ static void init_lsa_trans_names(DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn, /* Allocate memory for list of names */ - if (!(trn->name = (LSA_TRANS_NAME *)malloc(sizeof(LSA_TRANS_NAME) * - num_entries))) { - DEBUG(0, ("init_lsa_trans_names(): out of memory\n")); - return; - } + if (num_entries > 0) { + if (!(trn->name = (LSA_TRANS_NAME *)talloc(ctx, sizeof(LSA_TRANS_NAME) * + num_entries))) { + DEBUG(0, ("init_lsa_trans_names(): out of memory\n")); + return; + } - if (!(trn->uni_name = (UNISTR2 *)malloc(sizeof(UNISTR2) * - num_entries))) { - DEBUG(0, ("init_lsa_trans_names(): out of memory\n")); - return; + if (!(trn->uni_name = (UNISTR2 *)talloc(ctx, sizeof(UNISTR2) * + num_entries))) { + DEBUG(0, ("init_lsa_trans_names(): out of memory\n")); + return; + } } for (i = 0; i < num_entries; i++) { @@ -375,21 +377,24 @@ static BOOL lsa_reply_lookup_sids(prs_struct *rdata, DOM_SID2 *sid, int num_entr DOM_R_REF ref; LSA_TRANS_NAME_ENUM names; uint32 mapped_count = 0; + TALLOC_CTX *ctx = talloc_init(); ZERO_STRUCT(r_l); ZERO_STRUCT(ref); ZERO_STRUCT(names); /* set up the LSA Lookup SIDs response */ - init_lsa_trans_names(&ref, &names, num_entries, sid, &mapped_count); + init_lsa_trans_names(ctx, &ref, &names, num_entries, sid, &mapped_count); init_reply_lookup_sids(&r_l, &ref, &names, mapped_count); /* store the response in the SMB stream */ if(!lsa_io_r_lookup_sids("", &r_l, rdata, 0)) { DEBUG(0,("lsa_reply_lookup_sids: Failed to marshall LSA_R_LOOKUP_SIDS.\n")); + talloc_destroy(ctx); return False; } + talloc_destroy(ctx); return True; } |