summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorMatthew Chapman <matty@samba.org>1999-03-23 02:31:34 +0000
committerMatthew Chapman <matty@samba.org>1999-03-23 02:31:34 +0000
commit5380636c4e29268adf214634ed8f36cef6f1a35b (patch)
tree298cf2e0bfab17f86cdaa93c006a8bbbd576fe0b /source3
parenta4bc522a7292f3bb87740e87df8449ba0ea6be10 (diff)
downloadsamba-5380636c4e29268adf214634ed8f36cef6f1a35b.tar.gz
samba-5380636c4e29268adf214634ed8f36cef6f1a35b.tar.bz2
samba-5380636c4e29268adf214634ed8f36cef6f1a35b.zip
If a buffer pointer is NULL then its length_is() attribute should not be
transmitted. Such a problem was crashing Server Manager. (This used to be commit 402ed18188dd058ebed2ffc2af9840c04533dc8f)
Diffstat (limited to 'source3')
-rw-r--r--source3/rpc_parse/parse_samr.c23
1 files changed, 19 insertions, 4 deletions
diff --git a/source3/rpc_parse/parse_samr.c b/source3/rpc_parse/parse_samr.c
index f85dd418ad..f4447c7dc9 100644
--- a/source3/rpc_parse/parse_samr.c
+++ b/source3/rpc_parse/parse_samr.c
@@ -1615,6 +1615,7 @@ void samr_io_r_query_dispinfo(char *desc, SAMR_R_QUERY_DISPINFO *r_u, prs_struct
}
prs_align(ps);
+ prs_align(ps);
prs_uint32("status", ps, depth, &(r_u->status));
}
@@ -3688,10 +3689,17 @@ void samr_io_r_lookup_names(char *desc, SAMR_R_LOOKUP_NAMES *r_u, prs_struct *p
prs_uint32("num_rids1", ps, depth, &(r_u->num_rids1));
prs_uint32("ptr_rids ", ps, depth, &(r_u->ptr_rids ));
- prs_uint32("num_rids2", ps, depth, &(r_u->num_rids2));
- if (r_u->ptr_rids != 0 && r_u->num_rids1 != 0)
+ if (r_u->ptr_rids != 0)
{
+ prs_uint32("num_rids2", ps, depth, &(r_u->num_rids2));
+
+ if (r_u->num_rids2 != r_u->num_rids1)
+ {
+ /* RPC fault */
+ return;
+ }
+
for (i = 0; i < r_u->num_rids2; i++)
{
prs_grow(ps);
@@ -3702,10 +3710,17 @@ void samr_io_r_lookup_names(char *desc, SAMR_R_LOOKUP_NAMES *r_u, prs_struct *p
prs_uint32("num_types1", ps, depth, &(r_u->num_types1));
prs_uint32("ptr_types ", ps, depth, &(r_u->ptr_types ));
- prs_uint32("num_types2", ps, depth, &(r_u->num_types2));
- if (r_u->ptr_types != 0 && r_u->num_types1 != 0)
+ if (r_u->ptr_types != 0)
{
+ prs_uint32("num_types2", ps, depth, &(r_u->num_types2));
+
+ if (r_u->num_types2 != r_u->num_types1)
+ {
+ /* RPC fault */
+ return;
+ }
+
for (i = 0; i < r_u->num_types2; i++)
{
prs_grow(ps);