From f10227958bef70df7609aeec5dcc834a601bd945 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Mon, 15 Sep 2008 19:21:38 +0200
Subject: Registry server: Fixes up the patch with "type" != NULL (used in "EnumValue" and "QueryValue")
This prevents the server to segfault if the input data type is NULL.
---
 source4/lib/registry/ldb.c | 5 +++--
 source4/rpc_server/winreg/rpc_winreg.c | 9 ++++++---
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/source4/lib/registry/ldb.c b/source4/lib/registry/ldb.c
index 95851dace0..8d02b3ce02 100644
--- a/source4/lib/registry/ldb.c
+++ b/source4/lib/registry/ldb.c
@@ -289,7 +289,7 @@ static WERROR ldb_get_subkey_by_id(TALLOC_CTX *mem_ctx,
 }
 static WERROR ldb_get_default_value(TALLOC_CTX *mem_ctx, struct hive_key *k,
- const char** name, uint32_t *data_type,
+ const char **name, uint32_t *data_type,
 DATA_BLOB *data)
 {
 struct ldb_key_data *kd = talloc_get_type(k, struct ldb_key_data);
@@ -797,11 +797,12 @@ static WERROR ldb_get_key_info(TALLOC_CTX *mem_ctx,
 }
 if (max_valbufsize != NULL) {
+ uint32_t data_type;
 DATA_BLOB data;
 reg_ldb_unpack_value(mem_ctx, lp_iconv_convenience(global_loadparm), kd->values[i], NULL,
- NULL, &data);
+ &data_type, &data);
 *max_valbufsize = MAX(*max_valbufsize, data.length);
 talloc_free(data.data);
 }
diff --git a/source4/rpc_server/winreg/rpc_winreg.c b/source4/rpc_server/winreg/rpc_winreg.c
index 5cabae53a2..69631b3a66 100644
--- a/source4/rpc_server/winreg/rpc_winreg.c
+++ b/source4/rpc_server/winreg/rpc_winreg.c
@@ -278,7 +278,7 @@ static WERROR dcesrv_winreg_EnumValue(struct dcesrv_call_state *dce_call,
 data.length = *r->in.length;
 }
- /* and enough room for the name */
+ /* check if there is enough room for the name */
 if (r->in.name->size < 2*strlen_m_term(data_name)) {
 return WERR_MORE_DATA;
 }
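Review bot: The `uint32_t data_type;` added to the `max_valbufsize` branch of ldb_get_key_info (hunk at -797) is never read, and nothing on the line says it exists only so that `reg_ldb_unpack_value()` receives a non-NULL type pointer. A comment such as `/* unused; reg_ldb_unpack_value() must not be given a NULL type pointer */` would keep a later cleanup from restoring the NULL argument and reintroducing the crash. The same call still passes NULL for the name argument, so the callee presumably tolerates NULL there; guarding the type write the same way inside reg_ldb_unpack_value(), whose body is not part of this diff, would protect every caller instead of this one call site. ldb_get_key_info starts and ends outside the hunk.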
@@ -293,7 +293,11 @@ static WERROR dcesrv_winreg_EnumValue(struct dcesrv_call_state *dce_call,
 }
 r->out.name->size = r->in.name->size;
- *r->out.value = data_type;
+ r->out.type = talloc(mem_ctx, uint32_t);
+ if (!r->out.type) {
+ return WERR_NOMEM;
+ }
+ *r->out.type = data_type;
 /* check the client has enough room for the value */
 if (r->in.value != NULL &&
@@ -484,7 +488,6 @@ static WERROR dcesrv_winreg_QueryValue(struct dcesrv_call_state *dce_call,
 value_data.length = *r->in.length;
 }
- /* Just asking for the size of the buffer */
 r->out.type = talloc(mem_ctx, uint32_t);
 if (!r->out.type) {
 return WERR_NOMEM;
-- cgit
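Review bot: The allocation of `r->out.type` added in dcesrv_winreg_EnumValue (hunk at -293) has no comment explaining why the reply uses a freshly allocated `uint32_t` rather than the pointer the client sent. The commit message gives the reason, that the input type may be NULL, so a line such as `/* r->in.type may be NULL; always return the type in server-allocated memory */` above the `talloc()` would record it in the code. The last hunk shows the same allocate-and-check sequence in dcesrv_winreg_QueryValue, where the only nearby comment is removed, so the same comment applies there. The context lines also read `*r->in.length` from the request in both handlers; the guards for those reads lie outside the hunks, so it is worth confirming that they are NULL-checked as well. Both functions start and end outside the hunks.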