Diffstat (limited to 'source3/rpc_parse')
-rw-r--r--source3/rpc_parse/parse_creds.c4
-rw-r--r--source3/rpc_parse/parse_misc.c190
-rw-r--r--source3/rpc_parse/parse_prs.c101
-rw-r--r--source3/rpc_parse/parse_spoolss.c64
4 files changed, 248 insertions, 111 deletions
diff --git a/source3/rpc_parse/parse_creds.c b/source3/rpc_parse/parse_creds.c
index 9ffc5d7a69..c34a7f5ac3 100644
--- a/source3/rpc_parse/parse_creds.c
+++ b/source3/rpc_parse/parse_creds.c
@@ -597,7 +597,7 @@ BOOL create_ntuser_creds( prs_struct *ps,
usr.ptr_ntc = 0;
}
- prs_init(ps, 1024, 4, False);
+ prs_init(ps, 1024, 4, NULL, False);
ps->data_offset = 4;
return creds_io_cmd("creds", &cmd, ps, 0);
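Review bot: The new TALLOC_CTX argument is passed as NULL here, so any `prs_alloc_mem()` on this `ps` would hand a NULL context to talloc; that is only harmless because the io flag is False and every allocation this commit adds is guarded by `UNMARSHALLING(ps)`. A one-line comment would stop the next reader from treating the context as optional, e.g. `/* no mem_ctx: this prs_struct is only ever marshalled */`. The call in the second hunk of this file (create_user_creds) has the same shape. create_ntuser_creds starts outside the hunk.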
@@ -623,7 +623,7 @@ BOOL create_user_creds( prs_struct *ps,
cmd.ptr_creds = usr != NULL ? 1 : 0;
cmd.cred = usr;
- prs_init(ps, 1024, 4, False);
+ prs_init(ps, 1024, 4, NULL, False);
ps->data_offset = 4;
return creds_io_cmd("creds", &cmd, ps, 0);
diff --git a/source3/rpc_parse/parse_misc.c b/source3/rpc_parse/parse_misc.c
index fe2778a356..2a642e1cec 100644
--- a/source3/rpc_parse/parse_misc.c
+++ b/source3/rpc_parse/parse_misc.c
@@ -26,6 +26,20 @@
extern int DEBUGLEVEL;
+static TALLOC_CTX *parse_misc_talloc = NULL;
+
+/******************************************************************* a
+free up temporary memory - called from the main loop
+********************************************************************/
+
+void parse_talloc_free(void)
+{
+ if (!parse_misc_talloc)
+ return;
+ talloc_destroy(parse_misc_talloc);
+ parse_misc_talloc = NULL;
+}
+
/*******************************************************************
Reads or writes a UTIME type.
********************************************************************/
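Review bot: The lazy `if (!parse_misc_talloc) parse_misc_talloc = talloc_init();` sequence is repeated verbatim in six functions of this file (init_unistr, create_buffer3, init_buffer2, copy_unistr2, init_string2, init_unistr2) and none of them checks whether talloc_init() returned a context, so a single static accessor would remove the duplication and give the failure one place to be handled. The header comment on parse_talloc_free should also say what it invalidates: everything those init_*/copy_* functions stored in a UNISTR, UNISTR2, STRING2, BUFFER2 or BUFFER3 is freed, so no such structure may be kept across the main-loop call, e.g. `/* Frees every buffer handed out by init_*() / copy_*() in this file; nothing built with them may outlive the main-loop iteration. */`. There is also a stray `a` at the end of the comment opener line.
```c
/* … unchanged: parse_misc_talloc definition … */

/* Return the file-wide scratch context, creating it on first use.
   Everything allocated from it is released by parse_talloc_free(). */
static TALLOC_CTX *parse_misc_ctx(void)
{
	if (!parse_misc_talloc) {
		parse_misc_talloc = talloc_init();
		if (!parse_misc_talloc)
			smb_panic("parse_misc_ctx: talloc_init failed\n");
	}
	return parse_misc_talloc;
}
```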
@@ -296,12 +310,6 @@ BOOL smb_io_strhdr(char *desc, STRHDR *hdr, prs_struct *ps, int depth)
if(!prs_uint32("buffer ", ps, depth, &hdr->buffer))
return False;
- /* oops! XXXX maybe issue a warning that this is happening... */
- if (hdr->str_max_len > MAX_STRINGLEN)
- hdr->str_max_len = MAX_STRINGLEN;
- if (hdr->str_str_len > MAX_STRINGLEN)
- hdr->str_str_len = MAX_STRINGLEN;
-
return True;
}
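Review bot: With the clamp gone, `str_max_len` and `str_str_len` reach the new talloc-based readers exactly as the peer sent them, and the same upper bound is dropped for UNIHDR, BUFHDR, BUFFER2, STRING2 and UNISTR2 in the later hunks of this file (the ones touching smb_io_unihdr, smb_io_hdrbuf, smb_io_buffer2, smb_io_string2, smb_io_unistr2). That is fine where the consumer calls prs_mem_get() before allocating (prs_unistr2, prs_buffer2 in parse_prs.c), but smb_io_buffer3 now allocates `buf_max_len` bytes before anything checks it against the remaining wire data, so a crafted header forces an arbitrarily large allocation. Rather than silently clamping, reject: `if (hdr->str_str_len > hdr->str_max_len) return False;` here, and keep a documented sanity ceiling in the consumers that allocate first. smb_io_strhdr starts outside the hunk.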
@@ -338,12 +346,6 @@ BOOL smb_io_unihdr(char *desc, UNIHDR *hdr, prs_struct *ps, int depth)
if(!prs_uint32("buffer ", ps, depth, &hdr->buffer))
return False;
- /* oops! XXXX maybe issue a warning that this is happening... */
- if (hdr->uni_max_len > MAX_UNISTRLEN)
- hdr->uni_max_len = MAX_UNISTRLEN;
- if (hdr->uni_str_len > MAX_UNISTRLEN)
- hdr->uni_str_len = MAX_UNISTRLEN;
-
return True;
}
@@ -429,12 +431,6 @@ BOOL smb_io_hdrbuf(char *desc, BUFHDR *hdr, prs_struct *ps, int depth)
if(!prs_uint32("buf_len ", ps, depth, &hdr->buf_len))
return False;
- /* oops! XXXX maybe issue a warning that this is happening... */
- if (hdr->buf_max_len > MAX_BUFFERLEN)
- hdr->buf_max_len = MAX_BUFFERLEN;
- if (hdr->buf_len > MAX_BUFFERLEN)
- hdr->buf_len = MAX_BUFFERLEN;
-
return True;
}
@@ -477,8 +473,21 @@ BOOL smb_io_unihdr2(char *desc, UNIHDR2 *hdr2, prs_struct *ps, int depth)
void init_unistr(UNISTR *str, const char *buf)
{
+ size_t len = strlen(buf) + 1;
+
+ if (!parse_misc_talloc)
+ parse_misc_talloc = talloc_init();
+
+ if (len < MAX_UNISTRLEN)
+ len = MAX_UNISTRLEN;
+ len *= sizeof(uint16);
+
+ str->buffer = (uint16 *)talloc(parse_misc_talloc, len);
+ if (str->buffer == NULL)
+ smb_panic("init_unistr2: malloc fail\n");
+
/* store the string (null-terminated copy) */
- dos_struni2((char *)str->buffer, buf, sizeof(str->buffer));
+ dos_struni2((char *)str->buffer, buf, len);
}
/*******************************************************************
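Review bot: The panic text in init_unistr names the wrong function, `smb_panic("init_unistr2: malloc fail\n");` was copied from init_unistr2 and will send anyone reading the log to the wrong place; make it `smb_panic("init_unistr: malloc fail\n");`. The new `strlen(buf)` also dereferences `buf` unconditionally, which was not the case with the old fixed array (dos_struni2 may or may not have tolerated NULL; that is not visible here), so a short header comment stating `buf` must be non-NULL and that the result lives only until parse_talloc_free() would document the new contract. The minimum-size bump to MAX_UNISTRLEN deserves a why-comment as well, since a reader will otherwise take it for a bug.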
@@ -503,6 +512,24 @@ BOOL smb_io_unistr(char *desc, UNISTR *uni, prs_struct *ps, int depth)
}
/*******************************************************************
+ Allocate the BUFFER3 memory.
+********************************************************************/
+
+static void create_buffer3(BUFFER3 *str, size_t len)
+{
+ if (!parse_misc_talloc)
+ parse_misc_talloc = talloc_init();
+
+ if (len < MAX_BUFFERLEN)
+ len = MAX_BUFFERLEN;
+
+ str->buffer = talloc(parse_misc_talloc, len);
+ if (str->buffer == NULL)
+ smb_panic("create_buffer3: malloc fail\n");
+
+}
+
+/*******************************************************************
Inits a BUFFER3 structure from a uint32
********************************************************************/
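Review bot: The header comment on create_buffer3 should state the two things a caller cannot see from its name: the allocation is never smaller than MAX_BUFFERLEN bytes regardless of `len`, and the memory belongs to the file-wide context and disappears at parse_talloc_free(). Something like `Allocate at least MAX_BUFFERLEN bytes for str->buffer from the file's talloc context; released by parse_talloc_free(), panics on failure.` There is also a stray blank line before the closing brace.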
@@ -514,6 +541,7 @@ void init_buffer3_uint32(BUFFER3 *str, uint32 val)
str->buf_max_len = sizeof(uint32);
str->buf_len = sizeof(uint32);
+ create_buffer3(str, sizeof(uint32));
SIVAL(str->buffer, 0, val);
}
@@ -529,8 +557,10 @@ void init_buffer3_str(BUFFER3 *str, char *buf, int len)
str->buf_max_len = len * 2;
str->buf_len = len * 2;
+ create_buffer3(str, str->buf_max_len);
+
/* store the string (null-terminated 8 bit chars into 16 bit chars) */
- dos_struni2((char *)str->buffer, buf, sizeof(str->buffer));
+ dos_struni2((char *)str->buffer, buf, str->buf_max_len);
}
/*******************************************************************
@@ -540,6 +570,7 @@ void init_buffer3_str(BUFFER3 *str, char *buf, int len)
void init_buffer3_hex(BUFFER3 *str, char *buf)
{
ZERO_STRUCTP(str);
+ create_buffer3(str, strlen(buf));
str->buf_max_len = str->buf_len = strhex_to_str((char *)str->buffer, sizeof(str->buffer), buf);
}
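Review bot: Now that `str->buffer` is a talloc'd pointer, `sizeof(str->buffer)` on the strhex_to_str line is the size of a pointer (4 or 8), not the size of the destination, so the hex decode is silently truncated to a handful of bytes. Pass the length you just allocated instead: `size_t len = strlen(buf);`, `create_buffer3(str, len);`, `str->buf_max_len = str->buf_len = strhex_to_str((char *)str->buffer, len, buf);`. The same `sizeof` of a now-pointer survives in copy_unistr2 later in this file.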
@@ -553,8 +584,10 @@ void init_buffer3_bytes(BUFFER3 *str, uint8 *buf, int len)
/* max buffer size (allocated size) */
str->buf_max_len = len;
- if (buf != NULL)
- memcpy(str->buffer, buf, MIN(str->buf_len, sizeof(str->buffer)));
+ if (buf != NULL) {
+ create_buffer3(str, len);
+ memcpy(str->buffer, buf, len);
+ }
str->buf_len = buf != NULL ? len : 0;
}
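Review bot: `len` is an `int` and now flows unchecked into both create_buffer3() and memcpy(); a negative value converts to a huge `size_t` on the allocation and copy, where the old MIN() against the fixed array at least bounded the copy. A guard before the lengths are stored, `if (len < 0) len = 0;`, keeps `buf_max_len`, the allocation and the copy consistent. init_buffer3_bytes starts outside the hunk.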
@@ -578,16 +611,17 @@ BOOL smb_io_buffer3(char *desc, BUFFER3 *buf3, prs_struct *ps, int depth)
if(!prs_uint32("uni_max_len", ps, depth, &buf3->buf_max_len))
return False;
- if (buf3->buf_max_len > MAX_UNISTRLEN)
- buf3->buf_max_len = MAX_UNISTRLEN;
+ if (UNMARSHALLING(ps)) {
+ buf3->buffer = prs_alloc_mem(ps, buf3->buf_max_len);
+ if (buf3->buffer == NULL)
+ return False;
+ }
if(!prs_uint8s(True, "buffer ", ps, depth, buf3->buffer, buf3->buf_max_len))
return False;
if(!prs_uint32("buf_len ", ps, depth, &buf3->buf_len))
return False;
- if (buf3->buf_len > MAX_UNISTRLEN)
- buf3->buf_len = MAX_UNISTRLEN;
return True;
}
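Review bot: `buf3->buf_max_len` is allocated straight from the wire before prs_uint8s has checked that many bytes are actually present, and `buf3->buf_len`, read afterwards, is no longer related to `buf_max_len` at all now that the clamp is gone, so a consumer trusting `buf_len <= buf_max_len` can read past the talloc'd block. Add `if (buf3->buf_len > buf3->buf_max_len) return False;` after the buf_len read, and consider checking the remaining wire size before the allocation so an oversized header cannot force a large talloc. smb_io_buffer3 starts outside the hunk.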
@@ -607,9 +641,10 @@ BOOL smb_io_buffer5(char *desc, BUFFER5 *buf5, prs_struct *ps, int depth)
prs_uint32("buf_len", ps, depth, &(buf5->buf_len));
/* reading: alloc the buffer first */
- if ( ps->io )
- {
- buf5->buffer=(uint16 *)malloc( sizeof(uint16)*buf5->buf_len );
+ if ( UNMARSHALLING(ps) ) {
+ buf5->buffer=(uint16 *)prs_alloc_mem(ps, sizeof(uint16)*buf5->buf_len );
+ if (buf5->buffer == NULL)
+ return False;
}
prs_uint16s(True, "buffer", ps, depth, buf5->buffer, buf5->buf_len);
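Review bot: The new allocation depends on `buf5->buf_len`, but the `prs_uint32("buf_len", ...)` that fills it and the `prs_uint16s` that consumes the buffer both ignore their BOOL result, so on a short packet the allocation size is whatever was in the struct and the failure is never reported; write them as `if (!prs_uint32("buf_len", ps, depth, &buf5->buf_len)) return False;` and likewise for prs_uint16s. `sizeof(uint16)*buf5->buf_len` is also computed in `size_t`, which on a 32-bit build can wrap for a large wire value, so bound buf_len against the remaining data before multiplying. smb_io_buffer5 starts and ends outside the hunk.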
@@ -618,15 +653,6 @@ BOOL smb_io_buffer5(char *desc, BUFFER5 *buf5, prs_struct *ps, int depth)
}
/*******************************************************************
- Frees a BUFFER5 structure (just the malloced part).
-********************************************************************/
-
-void free_buffer5(BUFFER5 *buf5)
-{
- safe_free(buf5->buffer);
-}
-
-/*******************************************************************
Inits a BUFFER2 structure.
********************************************************************/
@@ -639,8 +665,17 @@ void init_buffer2(BUFFER2 *str, uint8 *buf, int len)
str->undoc = 0;
str->buf_len = buf != NULL ? len : 0;
- if (buf != NULL)
- memcpy(str->buffer, buf, MIN(str->buf_len, sizeof(str->buffer)));
+ if (buf != NULL) {
+ if (!parse_misc_talloc)
+ parse_misc_talloc = talloc_init();
+
+ if (len < MAX_BUFFERLEN)
+ len = MAX_BUFFERLEN;
+ str->buffer = talloc(parse_misc_talloc, len);
+ if (str->buffer == NULL)
+ smb_panic("init_buffer2: malloc fail\n");
+ memcpy(str->buffer, buf, MIN(str->buf_len, len));
+ }
}
/*******************************************************************
@@ -669,12 +704,6 @@ BOOL smb_io_buffer2(char *desc, BUFFER2 *buf2, uint32 buffer, prs_struct *ps, in
if(!prs_uint32("buf_len ", ps, depth, &buf2->buf_len))
return False;
- /* oops! XXXX maybe issue a warning that this is happening... */
- if (buf2->buf_max_len > MAX_UNISTRLEN)
- buf2->buf_max_len = MAX_UNISTRLEN;
- if (buf2->buf_len > MAX_UNISTRLEN)
- buf2->buf_len = MAX_UNISTRLEN;
-
/* buffer advanced by indicated length of string
NOT by searching for null-termination */
@@ -721,6 +750,21 @@ void copy_unistr2(UNISTR2 *str, UNISTR2 *from)
str->undoc = from->undoc;
str->uni_str_len = from->uni_str_len;
+ if (str->buffer == NULL) {
+ size_t len = from->uni_max_len * 2;
+
+ if (!parse_misc_talloc)
+ parse_misc_talloc = talloc_init();
+
+ if (len < MAX_UNISTRLEN)
+ len = MAX_UNISTRLEN;
+ len *= sizeof(uint16);
+
+ str->buffer = (uint16 *)talloc(parse_misc_talloc, len);
+ if (str->buffer == NULL)
+ smb_panic("copy_unistr2: malloc fail\n");
+ }
+
/* copy the string */
memcpy(str->buffer, from->buffer, sizeof(from->buffer));
}
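Review bot: The copy on the last line still uses `sizeof(from->buffer)`, which with `buffer` now a pointer copies only 4 or 8 bytes, so the freshly allocated destination ends up almost empty; copy the real content, `memcpy(str->buffer, from->buffer, from->uni_str_len * sizeof(uint16));`. The size computation also doubles twice (`from->uni_max_len * 2` and then `len *= sizeof(uint16)`), which only over-allocates but suggests one of the factors is a leftover. When `str->buffer` is already non-NULL nothing here knows how large it is, so a comment stating the caller's obligation would help. copy_unistr2 starts outside the hunk.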
@@ -731,14 +775,23 @@ void copy_unistr2(UNISTR2 *str, UNISTR2 *from)
void init_string2(STRING2 *str, char *buf, int len)
{
- /* set up string lengths. */
- str->str_max_len = len;
- str->undoc = 0;
- str->str_str_len = len;
-
- /* store the string */
- if(len != 0)
- memcpy(str->buffer, buf, len);
+ /* set up string lengths. */
+ str->str_max_len = len;
+ str->undoc = 0;
+ str->str_str_len = len;
+
+ /* store the string */
+ if(len != 0) {
+ if (!parse_misc_talloc)
+ parse_misc_talloc = talloc_init();
+
+ if (len < MAX_STRINGLEN)
+ len = MAX_STRINGLEN;
+ str->buffer = talloc(parse_misc_talloc, len);
+ if (str->buffer == NULL)
+ smb_panic("init_string2: malloc fail\n");
+ memcpy(str->buffer, buf, len);
+ }
}
/*******************************************************************
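Review bot: In init_string2 the memcpy reads `len` bytes from `buf` after `len` has been raised to MAX_STRINGLEN, so for any string shorter than that the copy reads past the caller's source buffer; the allocation may be padded, but the copy must use the original length, `memcpy(str->buffer, buf, str->str_str_len);`, as init_buffer2 already does with MIN(). The re-indentation of the unchanged lines makes the hunk larger than the change and hides this line in the noise.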
@@ -768,12 +821,6 @@ BOOL smb_io_string2(char *desc, STRING2 *str2, uint32 buffer, prs_struct *ps, in
if(!prs_uint32("str_str_len", ps, depth, &str2->str_str_len))
return False;
- /* oops! XXXX maybe issue a warning that this is happening... */
- if (str2->str_max_len > MAX_STRINGLEN)
- str2->str_max_len = MAX_STRINGLEN;
- if (str2->str_str_len > MAX_STRINGLEN)
- str2->str_str_len = MAX_STRINGLEN;
-
/* buffer advanced by indicated length of string
NOT by searching for null-termination */
if(!prs_string2(True, "buffer ", ps, depth, str2))
@@ -803,8 +850,19 @@ void init_unistr2(UNISTR2 *str, const char *buf, size_t len)
str->undoc = 0;
str->uni_str_len = (uint32)len;
+ if (!parse_misc_talloc)
+ parse_misc_talloc = talloc_init();
+
+ if (len < MAX_UNISTRLEN)
+ len = MAX_UNISTRLEN;
+ len *= sizeof(uint16);
+
+ str->buffer = (uint16 *)talloc(parse_misc_talloc, len);
+ if (str->buffer == NULL)
+ smb_panic("init_unistr2: malloc fail\n");
+
/* store the string (null-terminated 8 bit chars into 16 bit chars) */
- dos_struni2((char *)str->buffer, buf, sizeof(str->buffer));
+ dos_struni2((char *)str->buffer, buf, len);
}
/*******************************************************************
@@ -834,12 +892,6 @@ BOOL smb_io_unistr2(char *desc, UNISTR2 *uni2, uint32 buffer, prs_struct *ps, in
if(!prs_uint32("uni_str_len", ps, depth, &uni2->uni_str_len))
return False;
- /* oops! XXXX maybe issue a warning that this is happening... */
- if (uni2->uni_max_len > MAX_UNISTRLEN)
- uni2->uni_max_len = MAX_UNISTRLEN;
- if (uni2->uni_str_len > MAX_UNISTRLEN)
- uni2->uni_str_len = MAX_UNISTRLEN;
-
/* buffer advanced by indicated length of string
NOT by searching for null-termination */
if(!prs_unistr2(True, "buffer ", ps, depth, uni2))
@@ -957,14 +1009,14 @@ static void init_clnt_srv(DOM_CLNT_SRV *log, char *logon_srv, char *comp_name)
if (logon_srv != NULL) {
log->undoc_buffer = 1;
- init_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv)+1);
+ init_unistr2(&log->uni_logon_srv, logon_srv, strlen(logon_srv)+1);
} else {
log->undoc_buffer = 0;
}
if (comp_name != NULL) {
log->undoc_buffer2 = 1;
- init_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name)+1);
+ init_unistr2(&log->uni_comp_name, comp_name, strlen(comp_name)+1);
} else {
log->undoc_buffer2 = 0;
}
diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c
index 42a3410752..bf36b5b346 100644
--- a/source3/rpc_parse/parse_prs.c
+++ b/source3/rpc_parse/parse_prs.c
@@ -67,7 +67,7 @@ void prs_debug(prs_struct *ps, int depth, char *desc, char *fn_name)
/*******************************************************************
Initialise a parse structure - malloc the data if requested.
********************************************************************/
-BOOL prs_init(prs_struct *ps, uint32 size, uint8 align, BOOL io)
+BOOL prs_init(prs_struct *ps, uint32 size, uint8 align, TALLOC_CTX *ctx, BOOL io)
{
ZERO_STRUCTP(ps);
ps->io = io;
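Review bot: The new `ctx` parameter changes the ownership contract of prs_struct and the header comment above still only says "malloc the data if requested"; it should record that `ps` does not own `ctx`, that every prs_alloc_mem() result lives exactly as long as `ctx`, and that a NULL context is only acceptable for a structure that will never be unmarshalled. Something like `ctx: talloc context for memory allocated while unmarshalling (not owned by ps; must outlive any parsed data; may be NULL only for MARSHALL-only use).` The tdb_prs_fetch signature change later in this file inherits the same contract and could reference it.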
@@ -77,6 +77,7 @@ BOOL prs_init(prs_struct *ps, uint32 size, uint8 align, BOOL io)
ps->data_offset = 0;
ps->buffer_size = 0;
ps->data_p = NULL;
+ ps->mem_ctx = ctx;
if (size != 0) {
ps->buffer_size = size;
@@ -98,17 +99,12 @@ BOOL prs_read(prs_struct *ps, int fd, size_t len, int timeout)
BOOL ok;
size_t prev_size = ps->buffer_size;
if (!prs_grow(ps, len))
- {
return False;
- }
- if (timeout > 0)
- {
+ if (timeout > 0) {
ok = (read_with_timeout(fd, &ps->data_p[prev_size],
len, len,timeout) == len);
- }
- else
- {
+ } else {
ok = (read_data(fd, &ps->data_p[prev_size], len) == len);
}
return ok;
@@ -129,6 +125,24 @@ void prs_mem_free(prs_struct *ps)
}
/*******************************************************************
+ Allocate memory when unmarshalling...
+ ********************************************************************/
+
+char *prs_alloc_mem(prs_struct *ps, size_t size)
+{
+ return talloc(ps->mem_ctx, size);
+}
+
+/*******************************************************************
+ Return the current talloc context we're using.
+ ********************************************************************/
+
+TALLOC_CTX *prs_get_mem_context(prs_struct *ps)
+{
+ return ps->mem_ctx;
+}
+
+/*******************************************************************
Hand some already allocated memory to a prs_struct.
********************************************************************/
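Review bot: prs_alloc_mem forwards `size` unchanged and its callers (prs_buffer2, prs_string2, prs_unistr2, prs_unistr3) treat a NULL result as a parse failure, yet they pass the wire length, which is legitimately 0 for an empty string or buffer; unless talloc(ctx, 0) is guaranteed to return a non-NULL pointer, empty strings now fail to unmarshal. Either document that guarantee here or make the wrapper explicit about it, and state what happens when `ps->mem_ctx` is NULL, e.g. `/* Allocates from the context given to prs_init(); the result lives as long as that context. ps->mem_ctx must be set on any prs_struct used for unmarshalling. */`.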
@@ -543,11 +557,19 @@ BOOL prs_uint32s(BOOL charmode, char *name, prs_struct *ps, int depth, uint32 *d
BOOL prs_buffer2(BOOL charmode, char *name, prs_struct *ps, int depth, BUFFER2 *str)
{
- char *p = (char *)str->buffer;
+ char *p;
char *q = prs_mem_get(ps, str->buf_len);
if (q == NULL)
return False;
+ if (UNMARSHALLING(ps)) {
+ str->buffer = (uint16 *)prs_alloc_mem(ps,str->buf_len);
+ if (str->buffer == NULL)
+ return False;
+ }
+
+ p = (char *)str->buffer;
+
/* If we're using big-endian, reverse to get little-endian. */
if(ps->bigendian_data)
DBG_RW_PSVAL(charmode, name, depth, ps->data_offset, ps->io, ps->bigendian_data, q, p, str->buf_len/2)
@@ -569,6 +591,12 @@ BOOL prs_string2(BOOL charmode, char *name, prs_struct *ps, int depth, STRING2 *
if (q == NULL)
return False;
+ if (UNMARSHALLING(ps)) {
+ str->buffer = prs_alloc_mem(ps,str->str_str_len);
+ if (str->buffer == NULL)
+ return False;
+ }
+
DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, str->buffer, str->str_max_len)
ps->data_offset += (str->str_str_len * sizeof(uint8));
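Review bot: The buffer is allocated with `str->str_str_len` bytes but the DBG_RW_PCVAL on the next line copies `str->str_max_len` bytes into it, and since the clamp in smb_io_string2 was removed nothing keeps the two in any relation, so a header with str_max_len greater than str_str_len writes past the talloc'd block. Allocate the length that is actually copied, `str->buffer = prs_alloc_mem(ps, str->str_max_len);`, and make sure the prs_mem_get() size (outside the hunk) bounds the same value against the wire. prs_string2 starts outside the hunk.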
@@ -583,16 +611,24 @@ BOOL prs_string2(BOOL charmode, char *name, prs_struct *ps, int depth, STRING2 *
BOOL prs_unistr2(BOOL charmode, char *name, prs_struct *ps, int depth, UNISTR2 *str)
{
- char *p = (char *)str->buffer;
+ char *p;
char *q = prs_mem_get(ps, str->uni_str_len * sizeof(uint16));
if (q == NULL)
return False;
+ if (UNMARSHALLING(ps)) {
+ str->buffer = (uint16 *)prs_alloc_mem(ps,str->uni_str_len * sizeof(uint16));
+ if (str->buffer == NULL)
+ return False;
+ }
+
+ p = (char *)str->buffer;
+
/* If we're using big-endian, reverse to get little-endian. */
if(ps->bigendian_data)
DBG_RW_PSVAL(charmode, name, depth, ps->data_offset, ps->io, ps->bigendian_data, q, p, str->uni_str_len)
else
- DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, p, str->uni_str_len * 2)
+ DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, p, str->uni_str_len * sizeof(uint16))
ps->data_offset += (str->uni_str_len * sizeof(uint16));
return True;
@@ -608,16 +644,24 @@ BOOL prs_unistr2(BOOL charmode, char *name, prs_struct *ps, int depth, UNISTR2 *
BOOL prs_unistr3(BOOL charmode, char *name, UNISTR3 *str, prs_struct *ps, int depth)
{
- char *p = (char *)str->str.buffer;
+ char *p;
char *q = prs_mem_get(ps, str->uni_str_len * sizeof(uint16));
if (q == NULL)
return False;
+ if (UNMARSHALLING(ps)) {
+ str->str.buffer = (uint16 *)prs_alloc_mem(ps,str->uni_str_len * sizeof(uint16));
+ if (str->str.buffer == NULL)
+ return False;
+ }
+
+ p = (char *)str->str.buffer;
+
/* If we're using big-endian, reverse to get little-endian. */
if(ps->bigendian_data)
DBG_RW_PSVAL(charmode, name, depth, ps->data_offset, ps->io, ps->bigendian_data, q, p, str->uni_str_len)
else
- DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, p, str->uni_str_len * 2)
+ DBG_RW_PCVAL(charmode, name, depth, ps->data_offset, ps->io, q, p, str->uni_str_len * sizeof(uint16))
ps->data_offset += (str->uni_str_len * sizeof(uint16));
return True;
@@ -638,8 +682,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str)
if (MARSHALLING(ps)) {
- for(len = 0; len < (sizeof(str->buffer) / sizeof(str->buffer[0])) &&
- str->buffer[len] != 0; len++)
+ for(len = 0; str->buffer[len] != 0; len++)
;
q = prs_mem_get(ps, (len+1)*2);
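Review bot: Dropping the `sizeof(str->buffer)` bound was necessary once `buffer` became a pointer, but the replacement loop relies entirely on a terminating 0 in `str->buffer`; a UNISTR whose producer did not terminate it (the unmarshalling path of this same function allocates only `alloc_len` entries) now scans off the end of the allocation. The second loop in the next hunk of this function has the same dependency. A comment stating the precondition, `/* str->buffer must be 0-terminated; its allocated size is not tracked */`, or carrying the length from the first loop into the second, would make it explicit. prs_unistr starts outside the hunk.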
@@ -648,8 +691,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str)
start = (uint8*)q;
- for(len = 0; len < (sizeof(str->buffer) / sizeof(str->buffer[0])) &&
- str->buffer[len] != 0; len++)
+ for(len = 0; str->buffer[len] != 0; len++)
{
if(ps->bigendian_data)
{
@@ -685,9 +727,27 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str)
}
else { /* unmarshalling */
+ uint32 alloc_len = 0;
len = -1;
q = prs_data_p(ps) + prs_offset(ps);
+ /*
+ * Work out how much space we need and talloc it.
+ */
+ {
+ uint32 max_len = (ps->buffer_size - ps->data_offset)/sizeof(uint16);
+ uint16 *ptr;
+
+ for ( ptr = (uint16 *)q; *ptr && (alloc_len <= max_len); alloc_len++)
+ ;
+
+ str->buffer = (uint16 *)prs_alloc_mem(ps,alloc_len * sizeof(uint16));
+ if (str->buffer == NULL)
+ return False;
+
+ p = (unsigned char *)str->buffer;
+ }
+
do
{
len++;
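Review bot: In the sizing loop `ptr` is never advanced, so `*ptr` tests the first wire character on every iteration: a non-zero first character runs `alloc_len` up to `max_len + 1`, a zero one leaves it at 0, and in the first case `ptr` is dereferenced at an index equal to `max_len`, which is one past the data that remains. Index by the counter and test the bound first, `for (ptr = (uint16 *)q; alloc_len < max_len && ptr[alloc_len] != 0; alloc_len++)`, and allocate room for the terminator the copy loop below expects to find, `str->buffer = (uint16 *)prs_alloc_mem(ps, (alloc_len + 1) * sizeof(uint16));` (the copy loop's `len < alloc_len` bound would then need to admit the terminator as well). prs_unistr starts and ends outside the hunk.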
@@ -705,8 +765,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str)
p++;
q++;
}
- } while (len < (sizeof(str->buffer) / sizeof(str->buffer[0])) &&
- str->buffer[len] != 0);
+ } while (len < alloc_len && str->buffer[len] != 0);
}
ps->data_offset += len*2;
@@ -852,7 +911,7 @@ int tdb_prs_store(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps)
}
/* useful function to fetch a structure into rpc wire format */
-int tdb_prs_fetch(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps)
+int tdb_prs_fetch(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps, TALLOC_CTX *mem_ctx)
{
TDB_DATA kbuf, dbuf;
kbuf.dptr = keystr;
@@ -862,7 +921,7 @@ int tdb_prs_fetch(TDB_CONTEXT *tdb, char *keystr, prs_struct *ps)
if (!dbuf.dptr) return -1;
ZERO_STRUCTP(ps);
- prs_init(ps, 0, 4, UNMARSHALL);
+ prs_init(ps, 0, 4, mem_ctx, UNMARSHALL);
prs_give_memory(ps, dbuf.dptr, dbuf.dsize, True);
return 0;
diff --git a/source3/rpc_parse/parse_spoolss.c b/source3/rpc_parse/parse_spoolss.c
index bee8bae8cf..9ec796d3e7 100644
--- a/source3/rpc_parse/parse_spoolss.c
+++ b/source3/rpc_parse/parse_spoolss.c
@@ -503,6 +503,12 @@ static BOOL spoolss_io_devmode(char *desc, prs_struct *ps, int depth, DEVICEMODE
prs_debug(ps, depth, desc, "spoolss_io_devmode");
depth++;
+ if (UNMARSHALLING(ps)) {
+ devmode->devicename.buffer = prs_alloc_mem(ps, 32 * sizeof(uint16) );
+ if (devmode->devicename.buffer == NULL)
+ return False;
+ }
+
if (!prs_uint16s(True,"devicename", ps, depth, devmode->devicename.buffer, 32))
return False;
if (!prs_uint16("specversion", ps, depth, &devmode->specversion))
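Review bot: The literal `32` now appears both as the allocation size and as the element count passed to prs_uint16s, here for devicename and again for formname in the next hunk of this function, so the two can drift apart; give it a name, e.g. `enum { DEVMODE_NAME_LEN = 32 };`, and use it in all four places. On the marshalling side the code still assumes `devmode->devicename.buffer` already points at 32 uint16s, which is not visible here and is worth a comment. spoolss_io_devmode starts and ends outside the hunk.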
@@ -541,6 +547,13 @@ static BOOL spoolss_io_devmode(char *desc, prs_struct *ps, int depth, DEVICEMODE
return False;
if (!prs_uint16("collate", ps, depth, &devmode->collate))
return False;
+
+ if (UNMARSHALLING(ps)) {
+ devmode->formname.buffer = prs_alloc_mem(ps, 32 * sizeof(uint16) );
+ if (devmode->formname.buffer == NULL)
+ return False;
+ }
+
if (!prs_uint16s(True, "formname", ps, depth, devmode->formname.buffer, 32))
return False;
if (!prs_uint16("logpixels", ps, depth, &devmode->logpixels))
@@ -683,12 +696,12 @@ BOOL make_spoolss_q_open_printer_ex(SPOOL_Q_OPEN_PRINTER_EX *q_u,
{
DEBUG(5,("make_spoolss_q_open_printer_ex\n"));
q_u->printername_ptr = (printername!=NULL)?1:0;
- init_unistr2(&(q_u->printername), printername, strlen(printername));
+ init_unistr2(&q_u->printername, printername, strlen(printername));
q_u->printer_default.datatype_ptr = 0;
/*
q_u->printer_default.datatype_ptr = (datatype!=NULL)?1:0;
- init_unistr2(&(q_u->printer_default.datatype), datatype, strlen(datatype));
+ init_unistr2(&q_u->printer_default.datatype, datatype, strlen(datatype));
*/
q_u->printer_default.devmode_cont.size=0;
q_u->printer_default.devmode_cont.devmode_ptr=0;
@@ -704,8 +717,8 @@ BOOL make_spoolss_q_open_printer_ex(SPOOL_Q_OPEN_PRINTER_EX *q_u,
q_u->user_ctr.user1.major=2;
q_u->user_ctr.user1.minor=0;
q_u->user_ctr.user1.processor=0;
- init_unistr2(&(q_u->user_ctr.user1.client_name), clientname, strlen(clientname));
- init_unistr2(&(q_u->user_ctr.user1.user_name), user_name, strlen(user_name));
+ init_unistr2(&q_u->user_ctr.user1.client_name, clientname, strlen(clientname));
+ init_unistr2(&q_u->user_ctr.user1.user_name, user_name, strlen(user_name));
return True;
}
@@ -1432,19 +1445,28 @@ static BOOL new_smb_io_relarraystr(char *desc, NEW_BUFFER *buffer, int depth, ui
while (*q!=0)
q++;
+ chaine.buffer = malloc((q-p+1)*sizeof(uint16));
+ if (chaine.buffer == NULL)
+ return False;
+
memcpy(chaine.buffer, p, (q-p+1)*sizeof(uint16));
buffer->string_at_end -= (q-p+1)*sizeof(uint16);
- if(!prs_set_offset(ps, buffer->string_at_end))
+ if(!prs_set_offset(ps, buffer->string_at_end)) {
+ free(chaine.buffer);
return False;
+ }
/* write the string */
- if (!spoolss_smb_io_unistr(desc, &chaine, ps, depth))
+ if (!spoolss_smb_io_unistr(desc, &chaine, ps, depth)) {
+ free(chaine.buffer);
return False;
+ }
q++;
p=q;
+ free(chaine.buffer);
}
if(!prs_set_offset(ps, struct_offset))
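Review bot: This is the one place in the commit that still uses malloc/free for a parse-time buffer, and it needs three separate `free(chaine.buffer)` calls to stay leak-free; allocating with `prs_alloc_mem(ps, (q-p+1)*sizeof(uint16))` like the rest of the change would tie the lifetime to the prs context and let both failure paths stay the simple `return False;` they were. If malloc is kept deliberately (for instance because this prs_struct may have no context), a comment saying so would stop the next maintainer from converting it. new_smb_io_relarraystr starts and ends outside the hunk.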
@@ -1791,7 +1813,7 @@ BOOL new_smb_io_printer_info_2(char *desc, NEW_BUFFER *buffer, PRINTER_INFO_2 *i
if (!new_smb_io_relstr("parameters", buffer, depth, &info->parameters))
return False;
-#if 0 /* JFMTEST */
+#if 1 /* JFMTEST */
if (!prs_uint32_pre("secdesc_ptr ", ps, depth, NULL, &sec_offset))
return False;
#else
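Review bot: Flipping `#if 0 /* JFMTEST */` to `#if 1` leaves an `#else` branch that can no longer be compiled and a marker that still reads as a temporary experiment; the same flip is made for the prs_uint32_post counterpart in the next hunk. If the secdesc_ptr pre/post handling is now the intended behaviour, drop the `#if`/`#else`/`#endif` and the dead branch, or replace the marker with a comment explaining why the pointer is emitted. new_smb_io_printer_info_2 starts and ends outside the hunk.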
@@ -1816,7 +1838,7 @@ BOOL new_smb_io_printer_info_2(char *desc, NEW_BUFFER *buffer, PRINTER_INFO_2 *i
if (!prs_uint32("averageppm", ps, depth, &info->averageppm))
return False;
-#if 0 /* JFMTEST */
+#if 1 /* JFMTEST */
if (!prs_uint32_post("secdesc_ptr", ps, depth, NULL, sec_offset, info->secdesc ? prs_offset(ps)-buffer->struct_start : 0 ))
return False;
@@ -2121,7 +2143,7 @@ static BOOL new_spoolss_io_buffer(char *desc, prs_struct *ps, int depth, NEW_BUF
buffer->string_at_end=0;
if (buffer->ptr==0) {
- if (!prs_init(&buffer->prs, 0, 4, UNMARSHALL))
+ if (!prs_init(&buffer->prs, 0, 4, prs_get_mem_context(ps), UNMARSHALL))
return False;
return True;
}
@@ -2129,7 +2151,7 @@ static BOOL new_spoolss_io_buffer(char *desc, prs_struct *ps, int depth, NEW_BUF
if (!prs_uint32("size", ps, depth, &buffer->size))
return False;
- if (!prs_init(&buffer->prs, buffer->size, 4, UNMARSHALL))
+ if (!prs_init(&buffer->prs, buffer->size, 4, prs_get_mem_context(ps), UNMARSHALL))
return False;
if (!prs_append_some_prs_data(&buffer->prs, ps, prs_offset(ps), buffer->size))
@@ -2804,7 +2826,7 @@ BOOL make_spoolss_q_enumprinters(SPOOL_Q_ENUMPRINTERS *q_u, uint32 flags,
q_u->flags=flags;
q_u->servername_ptr = (servername != NULL) ? 1 : 0;
- init_unistr2(&(q_u->servername), servername, strlen(servername));
+ init_unistr2(&q_u->servername, servername, strlen(servername));
q_u->level=level;
q_u->buffer=buffer;
@@ -3654,8 +3676,11 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s
return False;
ZERO_STRUCTP(il->info_1);
}
- if (!spool_io_printer_info_level_1("", il->info_1, ps, depth))
+ if (!spool_io_printer_info_level_1("", il->info_1, ps, depth)) {
+ if (UNMARSHALLING(ps))
+ safe_free(il->info_1);
return False;
+ }
break;
}
case 2:
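Review bot: After `safe_free(il->info_1)` the pointer is left in the caller's struct, so if safe_free does not reset its argument (it receives the value, not its address) a later free of the SPOOL_PRINTER_INFO_LEVEL frees it again; add `il->info_1 = NULL;` after the free, and likewise for info_2 and info_3 in the two following hunks. The free also runs whenever unmarshalling fails, including when `il->info_1` was supplied by the caller rather than allocated in the block above, if that can happen; limiting it to the case where this function allocated would be safer. spool_io_printer_info_level starts and ends outside the hunk.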
@@ -3664,8 +3689,11 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s
return False;
ZERO_STRUCTP(il->info_2);
}
- if (!spool_io_printer_info_level_2("", il->info_2, ps, depth))
+ if (!spool_io_printer_info_level_2("", il->info_2, ps, depth)) {
+ if (UNMARSHALLING(ps))
+ safe_free(il->info_2);
return False;
+ }
break;
case 3:
{
@@ -3674,8 +3702,11 @@ BOOL spool_io_printer_info_level(char *desc, SPOOL_PRINTER_INFO_LEVEL *il, prs_s
return False;
ZERO_STRUCTP(il->info_3);
}
- if (!spool_io_printer_info_level_3("", il->info_3, ps, depth))
+ if (!spool_io_printer_info_level_3("", il->info_3, ps, depth)) {
+ if (UNMARSHALLING(ps))
+ safe_free(il->info_3);
return False;
+ }
break;
}
}
@@ -3839,8 +3870,6 @@ void free_spool_printer_driver_info_level_3(SPOOL_PRINTER_DRIVER_INFO_LEVEL_3 **
if (il == NULL)
return;
- free_buffer5(&il->dependentfiles);
-
safe_free(il);
}
@@ -3985,9 +4014,6 @@ void free_spool_printer_driver_info_level_6(SPOOL_PRINTER_DRIVER_INFO_LEVEL_6 **
if (il == NULL)
return;
- free_buffer5(&il->dependentfiles);
- free_buffer5(&il->previousnames);
-
safe_free(il);
}