From 819c15449882a0c08689a4565bf0b31f756f05bd Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 17 May 2000 19:17:16 +0000
Subject: Fixed bug I introduced last night (sorry). Now truncate incoming prs_struct buffer size to exact size of incoming data to prevent read overruns into slop space. Jeremy. (This used to be commit aa1a4f46da9584240cd6cee6fb652aa73e77015c)
---
 source3/include/proto.h | 1 +
 source3/rpc_parse/parse_prs.c | 29 ++++++++++++++++++++++++++---
 source3/rpc_server/srv_pipe_hnd.c | 7 +++++++
 3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index cf3929f68d..45fd66cd09 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -2064,6 +2064,7 @@ BOOL prs_read(prs_struct *ps, int fd, size_t len, int timeout);
 void prs_mem_free(prs_struct *ps);
 void prs_give_memory(prs_struct *ps, char *buf, uint32 size, BOOL is_dynamic);
 char *prs_take_memory(prs_struct *ps, uint32 *psize);
+BOOL prs_set_buffer_size(prs_struct *ps, uint32 newsize);
 BOOL prs_grow(prs_struct *ps, uint32 extra_space);
 BOOL prs_force_grow(prs_struct *ps, uint32 extra_space);
 char *prs_data_p(prs_struct *ps);
diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c
index 4260b1c8d5..dafff63ad9 100644
--- a/source3/rpc_parse/parse_prs.c
+++ b/source3/rpc_parse/parse_prs.c
@@ -153,6 +153,29 @@ char *prs_take_memory(prs_struct *ps, uint32 *psize)
 	return ret;
 }
 
+/*******************************************************************
+ Set a prs_struct to exactly a given size. Will grow or tuncate if neccessary.
+ ********************************************************************/
+
+BOOL prs_set_buffer_size(prs_struct *ps, uint32 newsize)
+{
+	if (newsize > ps->buffer_size)
+		return prs_force_grow(ps, newsize - ps->buffer_size);
+
+	if (newsize < ps->buffer_size) {
+		char *new_data_p = Realloc(ps->data_p, newsize);
+		if (new_data_p == NULL) {
+			DEBUG(0,("prs_set_buffer_size: Realloc failure for size %u.\n",
+				(unsigned int)newsize));
+			return False;
+		}
+		ps->data_p = new_data_p;
+		ps->buffer_size = newsize;
+	}
+
+	return True;
+}
+
 /*******************************************************************
  Attempt, if needed, to grow a data buffer.
  Also depends on the data stream mode (io).
@@ -300,7 +323,7 @@ BOOL prs_set_offset(prs_struct *ps, uint32 offset)
 
 BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
 {
-	if(!prs_force_grow(dst, prs_offset(src)))
+	if(!prs_grow(dst, prs_offset(src)))
 		return False;
 
 	memcpy(&dst->data_p[dst->data_offset], prs_data_p(src), (size_t)prs_offset(src));
@@ -315,7 +338,7 @@ BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
 
 BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uint32 len)
 {
-	if(!prs_force_grow(dst, len))
+	if(!prs_grow(dst, len))
 		return False;
 
 	memcpy(&dst->data_p[dst->data_offset], prs_data_p(src)+start, (size_t)len);
@@ -330,7 +353,7 @@ BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uin
 
 BOOL prs_append_data(prs_struct *dst, char *src, uint32 len)
 {
-	if(!prs_force_grow(dst, len))
+	if(!prs_grow(dst, len))
 		return False;
 
 	memcpy(&dst->data_p[dst->data_offset], src, (size_t)len);
diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index f19aed1886..a349da839a 100644
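Review bot: The shrink branch of prs_set_buffer_size passes ps->data_p to Realloc without checking that the prs_struct owns heap memory; prs_give_memory (declared in the proto.h hunk) takes an is_dynamic flag, so a caller-supplied non-heap buffer would reach Realloc, which is undefined behaviour. A guard before the Realloc along the lines of `if (!ps->is_dynamic) return False;` (using whichever field prs_give_memory stores that flag in, to be confirmed) closes that path. The newsize == 0 case also needs a stated outcome: depending on the Realloc wrapper it may free the old block and return NULL, which this code reports as a failure while ps->data_p is left pointing at freed memory, so an explicit `if (newsize == 0)` branch or a comment pinning the wrapper's contract is warranted. Truncating below the current data_offset is not clamped either, which is fine for the caller in this commit but should be documented as a precondition. The header comment misspells two words; `Will grow or truncate if necessary.`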
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -475,6 +475,13 @@ authentication failed. Denying the request.\n", p->name));
 	 * Call the rpc command to process it.
 	 */
 
+	/*
+	 * Ensure the internal prs buffer size is *exactly* the same
+	 * size as the current offset.
+	 */
+
+	prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data));
+
 	/*
 	 * Set the parse offset to the start of the data and set the
 	 * prs_struct to UNMARSHALL.
-- 
cgit
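Review bot: The BOOL result of prs_set_buffer_size is discarded on the added call, so a Realloc failure in its shrink path leaves the buffer at its old size and the request is still processed against slop space, which is exactly the case this commit sets out to remove. The call should be checked and the request rejected on failure, `if (!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data)))` followed by a DEBUG(0, ...) and the same rejection the authentication-failure branch above uses; the enclosing function starts outside the hunk, so the exact return path is not visible here. A short comment stating that this call is expected only to shrink or keep the buffer (the offset presumably never exceeds buffer_size, worth confirming) would also tell a reader that the helper's prs_force_grow path is not meant to be taken from here.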