From 898fd584a4f96ba40c2692550518856671892add Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Sun, 18 Jul 2010 15:04:20 +0200
Subject: s3-rpc_client: Fixed a segfault in rpccli_samr_chng_pswd_auth_crap(). This fixes the WINBIND-WBCLIENT test. The test set old_lm_hash_enc_blob.length to 0 and we don't check the length here. So the memcpy segfaulted.
---
 source3/rpc_client/cli_samr.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
(limited to 'source3/rpc_client')
diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c
index 8c92ebb059..8c1011293a 100644
--- a/source3/rpc_client/cli_samr.c
+++ b/source3/rpc_client/cli_samr.c
@@ -165,10 +165,29 @@ NTSTATUS rpccli_samr_chng_pswd_auth_crap(struct rpc_pipe_client *cli,
 init_lsa_String(&server, cli->srv_name_slash);
 init_lsa_String(&account, username);
- memcpy(&new_nt_password.data, new_nt_password_blob.data, 516);
- memcpy(&new_lm_password.data, new_lm_password_blob.data, 516);
- memcpy(&old_nt_hash_enc.hash, old_nt_hash_enc_blob.data, 16);
- memcpy(&old_lm_hash_enc.hash, old_lm_hash_enc_blob.data, 16);
+ if (new_nt_password_blob.length > 0) {
+ memcpy(&new_nt_password.data, new_nt_password_blob.data, 516);
+ } else {
+ ZERO_STRUCT(new_nt_password_blob);
+ }
+
+ if (new_lm_password_blob.length > 0) {
+ memcpy(&new_lm_password.data, new_lm_password_blob.data, 516);
+ } else {
+ ZERO_STRUCT(new_lm_password);
+ }
+
+ if (old_nt_hash_enc_blob.length > 0) {
+ memcpy(&old_nt_hash_enc.hash, old_nt_hash_enc_blob.data, 16);
+ } else {
+ ZERO_STRUCT(old_nt_hash_enc);
+ }
+
+ if (old_lm_hash_enc_blob.length > 0) {
+ memcpy(&old_lm_hash_enc.hash, old_lm_hash_enc_blob.data, 16);
+ } else {
+ ZERO_STRUCT(old_lm_hash_enc);
+ }
 result = rpccli_samr_ChangePasswordUser2(cli, mem_ctx, &server,
-- cgit
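Review bot: The first `else` branch clears the wrong object: `ZERO_STRUCT(new_nt_password_blob);` zeroes the input blob and leaves `new_nt_password` untouched, unlike the other three branches, so unless it is initialised above the hunk its stack contents would go into the ChangePasswordUser2 request; it should read `ZERO_STRUCT(new_nt_password);`. The `length > 0` guards also cover only the empty case, since each memcpy still reads a fixed 516 or 16 bytes, so a blob shorter than that is over-read and adjacent memory could end up in the request sent to the server. Compare against the size actually copied, e.g. `if (new_nt_password_blob.length >= 516) {` for the two password blobs and `if (old_nt_hash_enc_blob.length >= 16) {` for the two hash blobs, ideally via a named constant or `sizeof` of the destination field. The function body starts and continues outside the hunk, so whether the locals are pre-initialised cannot be confirmed from here.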