authorAndrew Tridgell <tridge@samba.org>2003-11-22 11:49:22 +0000
committerAndrew Tridgell <tridge@samba.org>2003-11-22 11:49:22 +0000
commitbe77d9c60d17e0ef2ed0b51ea0814c42a41a40a3 (patch)
treef7c66a83daa4a555a7029a54b2fc7886ad1f0d91 /source4/librpc/ndr
parent677fb26deba2e8b8965c41d7b7455063db031a2c (diff)
* fixed null terminated string handling
* fixed nested relative offsets in push functions. The spoolss torture test now passes! (This used to be commit 60ced76160e4f4e2b511ebbeec31130c8ebcdd22)
Diffstat (limited to 'source4/librpc/ndr')
-rw-r--r--source4/librpc/ndr/ndr.c2
-rw-r--r--source4/librpc/ndr/ndr_basic.c9
2 files changed, 8 insertions, 3 deletions
diff --git a/source4/librpc/ndr/ndr.c b/source4/librpc/ndr/ndr.c
index f22145af97..44472147fd 100644
--- a/source4/librpc/ndr/ndr.c
+++ b/source4/librpc/ndr/ndr.c
@@ -727,7 +727,7 @@ NTSTATUS ndr_push_relative(struct ndr_push *ndr, int ndr_flags, const void *p,
NDR_CHECK(ndr_push_align(ndr, 8));
ndr_push_save(ndr, &save);
ndr->offset = ofs->offset;
- NDR_CHECK(ndr_push_uint32(ndr, save.offset + ndr->ofs_list->offset));
+ NDR_CHECK(ndr_push_uint32(ndr, save.offset - ndr->ofs_list->offset));
ndr_push_restore(ndr, &save);
NDR_CHECK(fn(ndr, NDR_SCALARS|NDR_BUFFERS, p));
}
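Review bot: The corrected expression `save.offset - ndr->ofs_list->offset` carries no comment saying what the base of a relative offset is, and the sign flip in this commit shows how easy that is to get wrong. I would add a line above it such as `/* offset is encoded relative to the base recorded in ndr->ofs_list, presumably the start of the enclosing structure */`. The subtraction also assumes that `ndr->ofs_list` is non-NULL and that its offset does not exceed `save.offset`; neither is checked in the visible lines, and a larger base would wrap if these are unsigned. ndr_push_relative starts outside the hunk, so both conditions may already be established earlier.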
diff --git a/source4/librpc/ndr/ndr_basic.c b/source4/librpc/ndr/ndr_basic.c
index a3c4bc0aec..4d0be44a89 100644
--- a/source4/librpc/ndr/ndr_basic.c
+++ b/source4/librpc/ndr/ndr_basic.c
@@ -397,15 +397,20 @@ NTSTATUS ndr_pull_string(struct ndr_pull *ndr, int ndr_flags, const char **s)
break;
case LIBNDR_FLAG_STR_NULLTERM:
+ len1 = strnlen_w(ndr->data+ndr->offset,
+ (ndr->data_size - ndr->offset)/2);
+ if (len1*2+2 <= ndr->data_size - ndr->offset) {
+ len1++;
+ }
ret = convert_string_talloc(ndr->mem_ctx, CH_UCS2, CH_UNIX,
ndr->data+ndr->offset,
- ndr->data_size - ndr->offset,
+ len1*2,
(const void **)s);
if (ret == -1) {
return ndr_pull_error(ndr, NDR_ERR_CHARCNV,
"Bad character conversion");
}
- NDR_CHECK(ndr_pull_advance(ndr, ret));
+ NDR_CHECK(ndr_pull_advance(ndr, len1*2));
break;
case LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_LEN4|LIBNDR_FLAG_STR_SIZE4:
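Review bot: In the LIBNDR_FLAG_STR_NULLTERM case, input that has no UCS-2 terminator before the end of the buffer is accepted silently. When `len1*2+2 <= ndr->data_size - ndr->offset` is false, `len1` is not incremented and `convert_string_talloc` receives a source without a terminator. Unless that routine always terminates its output (not visible here), `*s` may then be returned as an unterminated C string. Since this is pull-side parsing of wire data, I would turn the missing-terminator branch into an `ndr_pull_error` return instead of falling through. I would also confirm that `ndr->offset <= ndr->data_size` holds before the two `ndr->data_size - ndr->offset` subtractions, because otherwise the bound passed to `strnlen_w` would wrap. ndr_pull_string begins and continues outside this hunk, so that check may exist elsewhere.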