Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/ipc.c54
-rw-r--r--source3/smbd/trans2.c4
2 files changed, 48 insertions, 10 deletions
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index 22fd318f63..ec126c89ff 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -642,7 +642,13 @@ static void fill_printq_info(connection_struct *conn, int snum, int uLevel,
return;
}
- p=(char *)malloc(8192*sizeof(char));
+ if((p=(char *)malloc(8192*sizeof(char))) == NULL) {
+ DEBUG(0,("fill_printq_info: malloc fail !\n"));
+ desc->errcode=NERR_notsupported;
+ fclose(f);
+ return;
+ }
+
bzero(p, 8192*sizeof(char));
q=p;
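Review bot: The new failure branch in fill_printq_info reports an out-of-memory condition to the client as `NERR_notsupported`, which reads as a missing feature rather than a transient server fault. If no better code is available, a comment on that line such as `/* out of memory: reported to the client as NERR_notsupported */` would keep the choice from looking accidental. The function body starts and ends outside this hunk, so whether callers inspect `desc->errcode` further cannot be checked from here.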
@@ -741,7 +747,12 @@ static int get_printerdrivernumber(int snum)
return(0);
}
- p=(char *)malloc(8192*sizeof(char));
+ if((p=(char *)malloc(8192*sizeof(char))) == NULL) {
+ DEBUG(3,("get_printerdrivernumber: malloc fail !\n"));
+ fclose(f);
+ return 0;
+ }
+
q=p; /* need it to free memory because p change ! */
/* lookup the long printer driver name in the file description */
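Review bot: The malloc failure in get_printerdrivernumber is logged at level 3, while every other allocation failure added in this commit is logged at level 0, so this one will be invisible at default log levels. Suggest `DEBUG(0,("get_printerdrivernumber: malloc fail !\n"));` for consistency. The `return 0` is also the value the context line just above returns for the earlier failure path, so a caller cannot tell an allocation failure apart from that case; a short comment saying that 0 is the deliberate fallback would help.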
@@ -882,11 +893,20 @@ static BOOL api_DosPrintQEnum(connection_struct *conn, uint16 vuid, char* param,
if (lp_snum_ok(i) && lp_print_ok(i) && lp_browseable(i))
queuecnt++;
if (uLevel > 0) {
- queue = (print_queue_struct**)malloc(queuecnt*sizeof(print_queue_struct*));
+ if((queue = (print_queue_struct**)malloc(queuecnt*sizeof(print_queue_struct*))) == NULL) {
+ DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
+ return False;
+ }
memset(queue,0,queuecnt*sizeof(print_queue_struct*));
- status = (print_status_struct*)malloc(queuecnt*sizeof(print_status_struct));
+ if((status = (print_status_struct*)malloc(queuecnt*sizeof(print_status_struct))) == NULL) {
+ DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
+ return False;
+ }
memset(status,0,queuecnt*sizeof(print_status_struct));
- subcntarr = (int*)malloc(queuecnt*sizeof(int));
+ if((subcntarr = (int*)malloc(queuecnt*sizeof(int))) == NULL) {
+ DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
+ return False;
+ }
subcnt = 0;
n = 0;
for (i = 0; i < services; i++)
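Review bot: The second and third `return False` in api_DosPrintQEnum leak the buffers that were already allocated: `queue` when the `status` allocation fails, and both `queue` and `status` when the `subcntarr` allocation fails. Add `free(queue);` before the second return and `free(queue); free(status);` before the third. Separately, when no service qualifies, `queuecnt` is 0 and `malloc(0)` is allowed to return NULL, so the new checks can turn an empty queue list into a failure; guarding the allocations with `queuecnt > 0` would avoid that. The rest of the function is outside the hunk, so the later cleanup paths are not visible here.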
@@ -3525,13 +3545,18 @@ static int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data
for (i=0;api_commands[i].name;i++)
if (api_commands[i].id == api_command && api_commands[i].fn)
{
- DEBUG(3,("Doing %s\n",api_commands[i].name));
- break;
+ DEBUG(3,("Doing %s\n",api_commands[i].name));
+ break;
}
rdata = (char *)malloc(1024); if (rdata) bzero(rdata,1024);
rparam = (char *)malloc(1024); if (rparam) bzero(rparam,1024);
+ if(!rdata || !rparam) {
+ DEBUG(0,("api_reply: malloc fail !\n"));
+ return -1;
+ }
+
reply = api_commands[i].fn(conn,vuid,params,data,mdrcnt,mprcnt,
&rdata,&rparam,&rdata_len,&rparam_len);
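Review bot: When only one of the two 1024-byte allocations in api_reply fails, the new `return -1` leaks the one that succeeded, because the check `!rdata || !rparam` does not release either pointer. Before returning, add `if (rdata) free(rdata);` and `if (rparam) free(rparam);`, in the same style as the trans2.c change in this commit. The function continues outside the hunk, so how callers treat the new -1 return cannot be confirmed from the visible lines.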
@@ -3629,18 +3654,27 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
}
if (tdscnt) {
- data = (char *)malloc(tdscnt);
+ if((data = (char *)malloc(tdscnt)) == NULL) {
+ DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt));
+ return(ERROR(ERRDOS,ERRnomem));
+ }
memcpy(data,smb_base(inbuf)+dsoff,dscnt);
}
if (tpscnt) {
- params = (char *)malloc(tpscnt);
+ if((params = (char *)malloc(tpscnt)) == NULL) {
+ DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt));
+ return(ERROR(ERRDOS,ERRnomem));
+ }
memcpy(params,smb_base(inbuf)+psoff,pscnt);
}
if (suwcnt) {
int i;
- setup = (uint16 *)malloc(suwcnt*sizeof(setup[0]));
+ if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) {
+ DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", suwcnt * sizeof(uint16)));
+ return(ERROR(ERRDOS,ERRnomem));
+ }
for (i=0;i<suwcnt;i++)
setup[i] = SVAL(inbuf,smb_vwv14+i*SIZEOFWORD);
}
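Review bot: The NULL checks in reply_trans do not address a size mismatch that the new code keeps: `data` is allocated with `tdscnt` bytes but `memcpy` copies `dscnt` bytes from `smb_base(inbuf)+dsoff`, and `params` has the same pattern with `tpscnt` and `pscnt`. These values appear to come from the request, and no check is visible in this hunk, so unless an earlier part of the function enforces it, add a guard such as `if (dscnt > tdscnt || pscnt > tpscnt)` that returns an error before allocating. The source offsets `dsoff` and `psoff` should also be validated against the received packet length. In addition, the new early returns leak earlier buffers (`data` when the `params` allocation fails, both when `setup` fails), and the last DEBUG passes `suwcnt * sizeof(uint16)` to `%d` although the expression has type `size_t`. The function starts and ends outside the hunk.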
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 70f834af8a..6fd0272a0a 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -1895,6 +1895,10 @@ int reply_trans2(connection_struct *conn,
if ((total_params && !params) || (total_data && !data)) {
DEBUG(2,("Out of memory in reply_trans2\n"));
+ if(params)
+ free(params);
+ if(data)
+ free(data);
return(ERROR(ERRDOS,ERRnomem));
}