From c560164030c0b842ee06f651a2b019c5596624a2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 17 May 2000 03:12:56 +0000
Subject: Fixed bug where mallocd size of prs_struct could be larger than incoming packet. Ensure new alloced memory is zeroed before use. Jeremy. (This used to be commit 1c3193aa1c1137734dc34ef2e6d62abb0609c30e)
---
 source3/rpc_parse/parse_prs.c | 10 +++++++---
 source3/rpc_server/srv_pipe.c | 2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c
index fff1bc27b1..4260b1c8d5 100644
--- a/source3/rpc_parse/parse_prs.c
+++ b/source3/rpc_parse/parse_prs.c
@@ -209,6 +209,8 @@ BOOL prs_grow(prs_struct *ps, uint32 extra_space)
 (unsigned int)new_size));
 return False;
 }
+
+ memset(&new_data[ps->buffer_size], '\0', new_size - ps->buffer_size);
 }
 ps->buffer_size = new_size;
 ps->data_p = new_data;
@@ -239,6 +241,8 @@ BOOL prs_force_grow(prs_struct *ps, uint32 extra_space)
 return False;
 }
+ memset(&new_data[ps->buffer_size], '\0', new_size - ps->buffer_size);
+
 ps->buffer_size = new_size;
 ps->data_p = new_data;
@@ -296,7 +300,7 @@ BOOL prs_set_offset(prs_struct *ps, uint32 offset)
 BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
 {
- if(!prs_grow(dst, prs_offset(src)))
+ if(!prs_force_grow(dst, prs_offset(src)))
 return False;
 memcpy(&dst->data_p[dst->data_offset], prs_data_p(src), (size_t)prs_offset(src));
@@ -311,7 +315,7 @@ BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
 BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uint32 len)
 {
- if(!prs_grow(dst, len))
+ if(!prs_force_grow(dst, len))
 return False;
 memcpy(&dst->data_p[dst->data_offset], prs_data_p(src)+start, (size_t)len);
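Review bot: The memset length `new_size - ps->buffer_size` added in prs_grow is an unsigned subtraction, so it is only safe while new_size is at least ps->buffer_size; the same line is added to prs_force_grow in the next hunk. How new_size is computed lies outside both hunks, but extra_space is a uint32 parameter, so if new_size is derived by adding it to the current size the sum could wrap, and the memset would then run far past the newly grown block. I would reject that case before the buffer is grown, e.g. `if (new_size < ps->buffer_size) return False;`, or confirm that every caller bounds extra_space. Both function bodies start before their hunks.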
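Review bot: The switch from prs_grow to prs_force_grow in prs_append_prs_data is not explained at the call site, and the same substitution is made in prs_append_some_prs_data and prs_append_data in the following hunks. Going by the commit message, the reason is that prs_grow can leave the buffer larger than the data actually appended, so a short comment would keep a later cleanup from reverting it, e.g. `/* Grow by exactly the appended length; prs_grow may over-allocate. */`. prs_force_grow's own preconditions are mostly outside these hunks, so the wording should be checked against its full body.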
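Review bot: prs_append_some_prs_data copies `len` bytes from `prs_data_p(src)+start` with no check, anywhere between the opening brace and the memcpy, that the range lies inside src. start is a signed int32, so a negative value, or a start plus len that runs beyond the source data, makes the memcpy read outside the source buffer; this commit only changes how dst is grown. A guard ahead of the grow would close that, along the lines of `if (start < 0 || (uint32)start > prs_offset(src) || len > prs_offset(src) - (uint32)start) return False;`, assuming prs_offset(src) is the amount of valid data in src, as prs_append_prs_data in the previous hunk treats it. The function body continues past the end of the hunk.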
@@ -326,7 +330,7 @@ BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uin
 BOOL prs_append_data(prs_struct *dst, char *src, uint32 len)
 {
- if(!prs_grow(dst, len))
+ if(!prs_force_grow(dst, len))
 return False;
 memcpy(&dst->data_p[dst->data_offset], src, (size_t)len);
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 9ba62ea656..06743d8d16 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -110,7 +110,7 @@ BOOL create_next_pdu(pipes_struct *p)
 p->hdr.flags = 0;
 /*
- * Work out how much we can fit in a sigle PDU.
+ * Work out how much we can fit in a single PDU.
 */
 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
-- cgit