From 61dfab9f705cb38e552dcec1822974433997543c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 15 Mar 2005 19:43:44 +0000 Subject: r5805: merging spoolss parsing changes from trunk and cleaning up resulting segvs (This used to be commit 25121547caaaed0d60f4db7458570c14e7d21b2a) --- source3/rpc_parse/parse_buffer.c | 512 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 512 insertions(+) create mode 100644 source3/rpc_parse/parse_buffer.c (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c new file mode 100644 index 0000000000..d3584c3954 --- /dev/null +++ b/source3/rpc_parse/parse_buffer.c @@ -0,0 +1,512 @@ +/* + * Unix SMB/CIFS implementation. + * RPC Pipe client / server routines + * + * Copyright (C) Andrew Tridgell 1992-2000, + * Copyright (C) Luke Kenneth Casson Leighton 1996-2000, + * Copyright (C) Jean François Micouleau 1998-2000, + * Copyright (C) Gerald Carter 2000-2005, + * Copyright (C) Tim Potter 2001-2002. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_RPC_PARSE + +/********************************************************************** + Initialize a new spoolss buff for use by a client rpc +**********************************************************************/ +void rpcbuf_init(RPC_BUFFER *buffer, uint32 size, TALLOC_CTX *ctx) +{ +#if 0 + buffer->ptr = (size != 0); +#endif + buffer->size = size; + buffer->string_at_end = size; + prs_init(&buffer->prs, size, ctx, MARSHALL); + buffer->struct_start = prs_offset(&buffer->prs); +} + +/******************************************************************* + Read/write a RPC_BUFFER struct. +********************************************************************/ + +BOOL prs_rpcbuffer(const char *desc, prs_struct *ps, int depth, RPC_BUFFER *buffer) +{ + prs_debug(ps, depth, desc, "prs_rpcbuffer"); + depth++; + + /* reading */ + if (UNMARSHALLING(ps)) { + buffer->size=0; + buffer->string_at_end=0; + +#if 0 + if (buffer->ptr==0) { + /* + * JRA. I'm not sure if the data in here is in big-endian format if + * the client is big-endian. Leave as default (little endian) for now. + */ + + if (!prs_init(&buffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) + return False; + return True; + } +#endif + + if (!prs_uint32("size", ps, depth, &buffer->size)) + return False; + + /* + * JRA. I'm not sure if the data in here is in big-endian format if + * the client is big-endian. Leave as default (little endian) for now. + */ + + if (!prs_init(&buffer->prs, buffer->size, prs_get_mem_context(ps), UNMARSHALL)) + return False; + + if (!prs_append_some_prs_data(&buffer->prs, ps, prs_offset(ps), buffer->size)) + return False; + + if (!prs_set_offset(&buffer->prs, 0)) + return False; + + if (!prs_set_offset(ps, buffer->size+prs_offset(ps))) + return False; + + buffer->string_at_end=buffer->size; + + return True; + } + else { + BOOL ret = False; + +#if 0 + /* writing */ + if (buffer->ptr==0) { + /* We have finished with the data in buffer->prs - free it. */ + prs_mem_free(&buffer->prs); + return True; + } +#endif + + if (!prs_uint32("size", ps, depth, &buffer->size)) + goto out; + + if (!prs_append_some_prs_data(ps, &buffer->prs, 0, buffer->size)) + goto out; + + ret = True; + out: + + /* We have finished with the data in buffer->prs - free it. */ + prs_mem_free(&buffer->prs); + + return ret; + } +} + +/******************************************************************* + Read/write an RPC_BUFFER* struct.(allocate memory if unmarshalling) +********************************************************************/ + +BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **buffer) +{ + uint32 data_p; + + /* caputure the pointer value to stream */ + + data_p = (uint32) *buffer; + + if ( !prs_uint32("ptr", ps, depth, &data_p )) + return False; + + /* we're done if there is no data */ + + if ( !data_p ) + return True; + + if ( UNMARSHALLING(ps) ) { + if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) + return False; + } + + return prs_rpcbuffer( desc, ps, depth, *buffer); +} + +/**************************************************************************** + Allocate more memory for a RPC_BUFFER. +****************************************************************************/ + +BOOL rpcbuf_alloc_size(RPC_BUFFER *buffer, uint32 buffer_size) +{ + prs_struct *ps; + uint32 extra_space; + uint32 old_offset; + + ps= &buffer->prs; + + /* damn, I'm doing the reverse operation of prs_grow() :) */ + if (buffer_size < prs_data_size(ps)) + extra_space=0; + else + extra_space = buffer_size - prs_data_size(ps); + + /* + * save the offset and move to the end of the buffer + * prs_grow() checks the extra_space against the offset + */ + old_offset=prs_offset(ps); + prs_set_offset(ps, prs_data_size(ps)); + + if (!prs_grow(ps, extra_space)) + return False; + + prs_set_offset(ps, old_offset); + + buffer->string_at_end=prs_data_size(ps); + + return True; +} + +/******************************************************************* + move a BUFFER from the query to the reply. + As the data pointers in RPC_BUFFER are malloc'ed, not talloc'ed, + this is ok. This is an OPTIMIZATION and is not strictly neccessary. + Clears the memory to zero also. +********************************************************************/ + +void rpcbuf_move(RPC_BUFFER *src, RPC_BUFFER **dest) +{ + if ( !src ) + return; + + prs_switch_type(&src->prs, MARSHALL); + if(!prs_set_offset(&src->prs, 0)) + return; + prs_force_dynamic(&src->prs); + prs_mem_clear(&src->prs); + *dest=src; +} + +/******************************************************************* + Get the size of a BUFFER struct. +********************************************************************/ + +uint32 rpcbuf_get_size(RPC_BUFFER *buffer) +{ + return (buffer->size); +} + + +/******************************************************************* + * write a UNICODE string and its relative pointer. + * used by all the RPC structs passing a buffer + * + * As I'm a nice guy, I'm forcing myself to explain this code. + * MS did a good job in the overall spoolss code except in some + * functions where they are passing the API buffer directly in the + * RPC request/reply. That's to maintain compatiility at the API level. + * They could have done it the good way the first time. + * + * So what happen is: the strings are written at the buffer's end, + * in the reverse order of the original structure. Some pointers to + * the strings are also in the buffer. Those are relative to the + * buffer's start. + * + * If you don't understand or want to change that function, + * first get in touch with me: jfm@samba.org + * + ********************************************************************/ + +BOOL smb_io_relstr(const char *desc, RPC_BUFFER *buffer, int depth, UNISTR *string) +{ + prs_struct *ps=&buffer->prs; + + if (MARSHALLING(ps)) { + uint32 struct_offset = prs_offset(ps); + uint32 relative_offset; + + buffer->string_at_end -= (size_of_relative_string(string) - 4); + if(!prs_set_offset(ps, buffer->string_at_end)) + return False; +#if 0 /* JERRY */ + /* + * Win2k does not align strings in a buffer + * Tested against WinNT 4.0 SP 6a & 2k SP2 --jerry + */ + if (!prs_align(ps)) + return False; +#endif + buffer->string_at_end = prs_offset(ps); + + /* write the string */ + if (!smb_io_unistr(desc, string, ps, depth)) + return False; + + if(!prs_set_offset(ps, struct_offset)) + return False; + + relative_offset=buffer->string_at_end - buffer->struct_start; + /* write its offset */ + if (!prs_uint32("offset", ps, depth, &relative_offset)) + return False; + } + else { + uint32 old_offset; + + /* read the offset */ + if (!prs_uint32("offset", ps, depth, &(buffer->string_at_end))) + return False; + + if (buffer->string_at_end == 0) + return True; + + old_offset = prs_offset(ps); + if(!prs_set_offset(ps, buffer->string_at_end+buffer->struct_start)) + return False; + + /* read the string */ + if (!smb_io_unistr(desc, string, ps, depth)) + return False; + + if(!prs_set_offset(ps, old_offset)) + return False; + } + return True; +} + +/******************************************************************* + * write a array of UNICODE strings and its relative pointer. + * used by 2 RPC structs + ********************************************************************/ + +BOOL smb_io_relarraystr(const char *desc, RPC_BUFFER *buffer, int depth, uint16 **string) +{ + UNISTR chaine; + + prs_struct *ps=&buffer->prs; + + if (MARSHALLING(ps)) { + uint32 struct_offset = prs_offset(ps); + uint32 relative_offset; + uint16 *p; + uint16 *q; + uint16 zero=0; + p=*string; + q=*string; + + /* first write the last 0 */ + buffer->string_at_end -= 2; + if(!prs_set_offset(ps, buffer->string_at_end)) + return False; + + if(!prs_uint16("leading zero", ps, depth, &zero)) + return False; + + while (p && (*p!=0)) { + while (*q!=0) + q++; + + /* Yes this should be malloc not talloc. Don't change. */ + + chaine.buffer = SMB_MALLOC((q-p+1)*sizeof(uint16)); + if (chaine.buffer == NULL) + return False; + + memcpy(chaine.buffer, p, (q-p+1)*sizeof(uint16)); + + buffer->string_at_end -= (q-p+1)*sizeof(uint16); + + if(!prs_set_offset(ps, buffer->string_at_end)) { + SAFE_FREE(chaine.buffer); + return False; + } + + /* write the string */ + if (!smb_io_unistr(desc, &chaine, ps, depth)) { + SAFE_FREE(chaine.buffer); + return False; + } + q++; + p=q; + + SAFE_FREE(chaine.buffer); + } + + if(!prs_set_offset(ps, struct_offset)) + return False; + + relative_offset=buffer->string_at_end - buffer->struct_start; + /* write its offset */ + if (!prs_uint32("offset", ps, depth, &relative_offset)) + return False; + + } else { + + /* UNMARSHALLING */ + + uint32 old_offset; + uint16 *chaine2=NULL; + int l_chaine=0; + int l_chaine2=0; + size_t realloc_size = 0; + + *string=NULL; + + /* read the offset */ + if (!prs_uint32("offset", ps, depth, &buffer->string_at_end)) + return False; + + old_offset = prs_offset(ps); + if(!prs_set_offset(ps, buffer->string_at_end + buffer->struct_start)) + return False; + + do { + if (!smb_io_unistr(desc, &chaine, ps, depth)) + return False; + + l_chaine=str_len_uni(&chaine); + + /* we're going to add two more bytes here in case this + is the last string in the array and we need to add + an extra NULL for termination */ + if (l_chaine > 0) + { + uint16 *tc2; + + realloc_size = (l_chaine2+l_chaine+2)*sizeof(uint16); + + /* Yes this should be realloc - it's freed below. JRA */ + + if((tc2=(uint16 *)SMB_REALLOC(chaine2, realloc_size)) == NULL) { + SAFE_FREE(chaine2); + return False; + } + else chaine2 = tc2; + memcpy(chaine2+l_chaine2, chaine.buffer, (l_chaine+1)*sizeof(uint16)); + l_chaine2+=l_chaine+1; + } + + } while(l_chaine!=0); + + /* the end should be bould NULL terminated so add + the second one here */ + if (chaine2) + { + chaine2[l_chaine2] = '\0'; + *string=(uint16 *)TALLOC_MEMDUP(prs_get_mem_context(ps),chaine2,realloc_size); + SAFE_FREE(chaine2); + } + + if(!prs_set_offset(ps, old_offset)) + return False; + } + return True; +} + +/******************************************************************* + Parse a DEVMODE structure and its relative pointer. +********************************************************************/ + +BOOL smb_io_relsecdesc(const char *desc, RPC_BUFFER *buffer, int depth, SEC_DESC **secdesc) +{ + prs_struct *ps= &buffer->prs; + + prs_debug(ps, depth, desc, "smb_io_relsecdesc"); + depth++; + + if (MARSHALLING(ps)) { + uint32 struct_offset = prs_offset(ps); + uint32 relative_offset; + + if (! *secdesc) { + relative_offset = 0; + if (!prs_uint32("offset", ps, depth, &relative_offset)) + return False; + return True; + } + + if (*secdesc != NULL) { + buffer->string_at_end -= sec_desc_size(*secdesc); + + if(!prs_set_offset(ps, buffer->string_at_end)) + return False; + /* write the secdesc */ + if (!sec_io_desc(desc, secdesc, ps, depth)) + return False; + + if(!prs_set_offset(ps, struct_offset)) + return False; + } + + relative_offset=buffer->string_at_end - buffer->struct_start; + /* write its offset */ + + if (!prs_uint32("offset", ps, depth, &relative_offset)) + return False; + } else { + uint32 old_offset; + + /* read the offset */ + if (!prs_uint32("offset", ps, depth, &buffer->string_at_end)) + return False; + + old_offset = prs_offset(ps); + if(!prs_set_offset(ps, buffer->string_at_end + buffer->struct_start)) + return False; + + /* read the sd */ + if (!sec_io_desc(desc, secdesc, ps, depth)) + return False; + + if(!prs_set_offset(ps, old_offset)) + return False; + } + return True; +} + + + +/******************************************************************* + * return the length of a UNICODE string in number of char, includes: + * - the leading zero + * - the relative pointer size + ********************************************************************/ + +uint32 size_of_relative_string(UNISTR *string) +{ + uint32 size=0; + + size=str_len_uni(string); /* the string length */ + size=size+1; /* add the trailing zero */ + size=size*2; /* convert in char */ + size=size+4; /* add the size of the ptr */ + +#if 0 /* JERRY */ + /* + * Do not include alignment as Win2k does not align relative + * strings within a buffer --jerry + */ + /* Ensure size is 4 byte multiple (prs_align is being called...). */ + /* size += ((4 - (size & 3)) & 3); */ +#endif + + return size; +} + -- cgit From 76f3e5a90f768f0d9f88512e47edb7aac321985c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 15 Mar 2005 20:46:26 +0000 Subject: r5808: removing unneeded structure field from RPC_BUFFER (This used to be commit 9b0bfd7e6fd1acc85ec53d2fa32d61cd34aa2345) --- source3/rpc_parse/parse_buffer.c | 25 ------------------------- 1 file changed, 25 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index d3584c3954..41064572d9 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -33,9 +33,6 @@ **********************************************************************/ void rpcbuf_init(RPC_BUFFER *buffer, uint32 size, TALLOC_CTX *ctx) { -#if 0 - buffer->ptr = (size != 0); -#endif buffer->size = size; buffer->string_at_end = size; prs_init(&buffer->prs, size, ctx, MARSHALL); @@ -56,19 +53,6 @@ BOOL prs_rpcbuffer(const char *desc, prs_struct *ps, int depth, RPC_BUFFER *buff buffer->size=0; buffer->string_at_end=0; -#if 0 - if (buffer->ptr==0) { - /* - * JRA. I'm not sure if the data in here is in big-endian format if - * the client is big-endian. Leave as default (little endian) for now. - */ - - if (!prs_init(&buffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) - return False; - return True; - } -#endif - if (!prs_uint32("size", ps, depth, &buffer->size)) return False; @@ -96,15 +80,6 @@ BOOL prs_rpcbuffer(const char *desc, prs_struct *ps, int depth, RPC_BUFFER *buff else { BOOL ret = False; -#if 0 - /* writing */ - if (buffer->ptr==0) { - /* We have finished with the data in buffer->prs - free it. */ - prs_mem_free(&buffer->prs); - return True; - } -#endif - if (!prs_uint32("size", ps, depth, &buffer->size)) goto out; -- cgit From c8e02022772c8c29548451dc93c895daa492f100 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 15 Mar 2005 20:51:14 +0000 Subject: r5809: try to catch NULL pointers during developerment for rpcbuf_move() (This used to be commit f9e9a42c0734129100e1cdd4a9ad1539b65ab5bc) --- source3/rpc_parse/parse_buffer.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index 41064572d9..ea72df8db4 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -168,8 +168,7 @@ BOOL rpcbuf_alloc_size(RPC_BUFFER *buffer, uint32 buffer_size) void rpcbuf_move(RPC_BUFFER *src, RPC_BUFFER **dest) { - if ( !src ) - return; + SMB_ASSERT( src != NULL ); prs_switch_type(&src->prs, MARSHALL); if(!prs_set_offset(&src->prs, 0)) -- cgit From b4c720412978c0a49e11846c7cfe553d055cca1f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 5 Apr 2005 17:49:16 +0000 Subject: r6218: * fix a segv in EnumPrinters():rpc_buffer_alloc when the caller does not provide an RPC_BUFFER in the request * add initial (but wire untested) support for RegRestoreKey() (This used to be commit 22855c7aae940cc4082c231a470f612b8fc6fa0d) --- source3/rpc_parse/parse_buffer.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index ea72df8db4..a48d5cfa98 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -134,6 +134,11 @@ BOOL rpcbuf_alloc_size(RPC_BUFFER *buffer, uint32 buffer_size) uint32 extra_space; uint32 old_offset; + /* if we don't need anything. don't do anything */ + + if ( buffer_size == 0x0 ) + return True; + ps= &buffer->prs; /* damn, I'm doing the reverse operation of prs_grow() :) */ -- cgit From ef34e3336b6f4a84fb0d0a121c1eb5c54165b457 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Jun 2005 22:13:19 +0000 Subject: r7789: fix overparanoid assert() call when checking spolss buffer pointers (This used to be commit e81e6e653aecdd0e4cfd2ea7ced16070bc376292) --- source3/rpc_parse/parse_buffer.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index a48d5cfa98..ff2a7cc2f6 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -173,14 +173,20 @@ BOOL rpcbuf_alloc_size(RPC_BUFFER *buffer, uint32 buffer_size) void rpcbuf_move(RPC_BUFFER *src, RPC_BUFFER **dest) { - SMB_ASSERT( src != NULL ); + if ( !src ) { + *dest = NULL; + return; + } + + prs_switch_type( &src->prs, MARSHALL ); - prs_switch_type(&src->prs, MARSHALL); - if(!prs_set_offset(&src->prs, 0)) + if ( !prs_set_offset(&src->prs, 0) ) return; - prs_force_dynamic(&src->prs); - prs_mem_clear(&src->prs); - *dest=src; + + prs_force_dynamic( &src->prs ); + prs_mem_clear( &src->prs ); + + *dest = src; } /******************************************************************* -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/rpc_parse/parse_buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index ff2a7cc2f6..36d8eda847 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -106,7 +106,7 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b /* caputure the pointer value to stream */ - data_p = (uint32) *buffer; + data_p = *buffer ? 0xf000baaa : 0; if ( !prs_uint32("ptr", ps, depth, &data_p )) return False; -- cgit From 894358a8f3e338b339b6c37233edef794b312087 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Mar 2006 06:31:04 +0000 Subject: r13915: Fixed a very interesting class of realloc() bugs found by Coverity. realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0) --- source3/rpc_parse/parse_buffer.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index 36d8eda847..b220809654 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -371,19 +371,14 @@ BOOL smb_io_relarraystr(const char *desc, RPC_BUFFER *buffer, int depth, uint16 /* we're going to add two more bytes here in case this is the last string in the array and we need to add an extra NULL for termination */ - if (l_chaine > 0) - { - uint16 *tc2; - + if (l_chaine > 0) { realloc_size = (l_chaine2+l_chaine+2)*sizeof(uint16); /* Yes this should be realloc - it's freed below. JRA */ - if((tc2=(uint16 *)SMB_REALLOC(chaine2, realloc_size)) == NULL) { - SAFE_FREE(chaine2); + if((chaine2=(uint16 *)SMB_REALLOC(chaine2, realloc_size)) == NULL) { return False; } - else chaine2 = tc2; memcpy(chaine2+l_chaine2, chaine.buffer, (l_chaine+1)*sizeof(uint16)); l_chaine2+=l_chaine+1; } -- cgit From cd49e2546ecc3d16dc2f89c07d48b98995ec5ff9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Mar 2006 20:52:43 +0000 Subject: r13989: Fix for Coverity bug #45 and associated spoolss RPC_BUFFER problems. Ensure that if the parse succeeds on UNMARSHALL we have a valid (although possibly empty) RPC_BUFFER returned. Jeremy. (This used to be commit d319cc9c08bfa865a6431a8631a9c609f589be1f) --- source3/rpc_parse/parse_buffer.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index b220809654..b8b2c2e9ea 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -108,19 +108,34 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b data_p = *buffer ? 0xf000baaa : 0; - if ( !prs_uint32("ptr", ps, depth, &data_p )) + if ( !prs_uint32("ptr", ps, depth, &data_p )) { return False; + } - /* we're done if there is no data */ - - if ( !data_p ) - return True; - + /* We must always return a valid buffer pointer even if the + client didn't send one - just leave it initialized to null. */ if ( UNMARSHALLING(ps) ) { - if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) + if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) { return False; + } } + /* we're done if there is no data */ + + if (!data_p) { + if (UNMARSHALLING(ps)) { + RPC_BUFFER *pbuffer = *buffer; + /* On unmarshalling we must return a valid, + but zero size value RPC_BUFFER. */ + pbuffer->size = 0; + pbuffer->string_at_end = 0; + if (!prs_init(&pbuffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) { + return False; + } + } + return True; + } + return prs_rpcbuffer( desc, ps, depth, *buffer); } -- cgit From a3586ff60ccb2c2bd491dd08a67fb0cc22842f7a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 8 Mar 2006 06:16:54 +0000 Subject: r14014: Coverity paranoia. Shut it up by making the guarentee in the code explicit - but this was a false positive (CID #16). Jeremy. (This used to be commit 43a0e869f2aee9b4e22d0d7fc92051e82f7536ad) --- source3/rpc_parse/parse_buffer.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index b8b2c2e9ea..52117dc44b 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -47,7 +47,7 @@ BOOL prs_rpcbuffer(const char *desc, prs_struct *ps, int depth, RPC_BUFFER *buff { prs_debug(ps, depth, desc, "prs_rpcbuffer"); depth++; - + /* reading */ if (UNMARSHALLING(ps)) { buffer->size=0; @@ -135,7 +135,12 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b } return True; } - + + /* Coverity paranoia. Buffer must be valid. */ + if (!*buffer) { + return False; + } + return prs_rpcbuffer( desc, ps, depth, *buffer); } -- cgit From 8d1dd8bb96ea6caec651397400a2cce8f37570e3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 8 Mar 2006 17:50:44 +0000 Subject: r14043: After discussion with Jerry revert part of the Coverity null-ref patch - put prs_rpcbuffer_p back to the way it was (with an additional coverity paranoia check) - move the real test into rpcbuf_alloc_size instead. Jeremy. (This used to be commit f74993e65c01bc0ef73d3e8710bb2f840910161a) --- source3/rpc_parse/parse_buffer.c | 41 +++++++++++++++------------------------- 1 file changed, 15 insertions(+), 26 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index 52117dc44b..21dddfa3cf 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -108,37 +108,22 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b data_p = *buffer ? 0xf000baaa : 0; - if ( !prs_uint32("ptr", ps, depth, &data_p )) { + if ( !prs_uint32("ptr", ps, depth, &data_p )) return False; - } - - /* We must always return a valid buffer pointer even if the - client didn't send one - just leave it initialized to null. */ - if ( UNMARSHALLING(ps) ) { - if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) { - return False; - } - } /* we're done if there is no data */ - if (!data_p) { - if (UNMARSHALLING(ps)) { - RPC_BUFFER *pbuffer = *buffer; - /* On unmarshalling we must return a valid, - but zero size value RPC_BUFFER. */ - pbuffer->size = 0; - pbuffer->string_at_end = 0; - if (!prs_init(&pbuffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) { - return False; - } - } + if ( !data_p ) return True; - } - /* Coverity paranoia. Buffer must be valid. */ - if (!*buffer) { - return False; + if ( UNMARSHALLING(ps) ) { + if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) + return False; + } else { + /* Marshalling case. - coverity paranoia - should already be ok if data_p != 0 */ + if (!*buffer) { + return True; + } } return prs_rpcbuffer( desc, ps, depth, *buffer); @@ -158,7 +143,11 @@ BOOL rpcbuf_alloc_size(RPC_BUFFER *buffer, uint32 buffer_size) if ( buffer_size == 0x0 ) return True; - + + if (!buffer) { + return False; + } + ps= &buffer->prs; /* damn, I'm doing the reverse operation of prs_grow() :) */ -- cgit From 467ec2a32bac08468855a5a28a7d6e25b26904d5 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 1 Aug 2006 12:45:12 +0000 Subject: r17363: Some C++ warnings (This used to be commit fd82f185a2e0f94bfb75f4eee072556ad94bf27d) --- source3/rpc_parse/parse_buffer.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index 21dddfa3cf..5643189afe 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -319,7 +319,8 @@ BOOL smb_io_relarraystr(const char *desc, RPC_BUFFER *buffer, int depth, uint16 /* Yes this should be malloc not talloc. Don't change. */ - chaine.buffer = SMB_MALLOC((q-p+1)*sizeof(uint16)); + chaine.buffer = (uint16 *) + SMB_MALLOC((q-p+1)*sizeof(uint16)); if (chaine.buffer == NULL) return False; -- cgit From 12ba88574bf91bdcc4447bfc3d429b799064bfd9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 27 Apr 2007 23:18:41 +0000 Subject: r22542: Move over to using the _strict varients of the talloc calls. No functional changes. Looks bigger than it is :-). Jeremy. (This used to be commit f6fa3080fee1b20df9f1968500840a88cf0ee592) --- source3/rpc_parse/parse_buffer.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index 5643189afe..b66eb9910a 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -401,6 +401,9 @@ BOOL smb_io_relarraystr(const char *desc, RPC_BUFFER *buffer, int depth, uint16 { chaine2[l_chaine2] = '\0'; *string=(uint16 *)TALLOC_MEMDUP(prs_get_mem_context(ps),chaine2,realloc_size); + if (!*string) { + return False; + } SAFE_FREE(chaine2); } -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/rpc_parse/parse_buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index b66eb9910a..52320e6d28 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -10,7 +10,7 @@ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or + * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, -- cgit From 153cfb9c83534b09f15cc16205d7adb19b394928 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 05:23:25 +0000 Subject: r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227) --- source3/rpc_parse/parse_buffer.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index 52320e6d28..b716d0cd47 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -19,8 +19,7 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * along with this program; if not, see . */ #include "includes.h" -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/rpc_parse/parse_buffer.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index b716d0cd47..c30ad487dd 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -42,7 +42,7 @@ void rpcbuf_init(RPC_BUFFER *buffer, uint32 size, TALLOC_CTX *ctx) Read/write a RPC_BUFFER struct. ********************************************************************/ -BOOL prs_rpcbuffer(const char *desc, prs_struct *ps, int depth, RPC_BUFFER *buffer) +bool prs_rpcbuffer(const char *desc, prs_struct *ps, int depth, RPC_BUFFER *buffer) { prs_debug(ps, depth, desc, "prs_rpcbuffer"); depth++; @@ -77,7 +77,7 @@ BOOL prs_rpcbuffer(const char *desc, prs_struct *ps, int depth, RPC_BUFFER *buff return True; } else { - BOOL ret = False; + bool ret = False; if (!prs_uint32("size", ps, depth, &buffer->size)) goto out; @@ -99,7 +99,7 @@ BOOL prs_rpcbuffer(const char *desc, prs_struct *ps, int depth, RPC_BUFFER *buff Read/write an RPC_BUFFER* struct.(allocate memory if unmarshalling) ********************************************************************/ -BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **buffer) +bool prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **buffer) { uint32 data_p; @@ -132,7 +132,7 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b Allocate more memory for a RPC_BUFFER. ****************************************************************************/ -BOOL rpcbuf_alloc_size(RPC_BUFFER *buffer, uint32 buffer_size) +bool rpcbuf_alloc_size(RPC_BUFFER *buffer, uint32 buffer_size) { prs_struct *ps; uint32 extra_space; @@ -227,7 +227,7 @@ uint32 rpcbuf_get_size(RPC_BUFFER *buffer) * ********************************************************************/ -BOOL smb_io_relstr(const char *desc, RPC_BUFFER *buffer, int depth, UNISTR *string) +bool smb_io_relstr(const char *desc, RPC_BUFFER *buffer, int depth, UNISTR *string) { prs_struct *ps=&buffer->prs; @@ -289,7 +289,7 @@ BOOL smb_io_relstr(const char *desc, RPC_BUFFER *buffer, int depth, UNISTR *stri * used by 2 RPC structs ********************************************************************/ -BOOL smb_io_relarraystr(const char *desc, RPC_BUFFER *buffer, int depth, uint16 **string) +bool smb_io_relarraystr(const char *desc, RPC_BUFFER *buffer, int depth, uint16 **string) { UNISTR chaine; @@ -416,7 +416,7 @@ BOOL smb_io_relarraystr(const char *desc, RPC_BUFFER *buffer, int depth, uint16 Parse a DEVMODE structure and its relative pointer. ********************************************************************/ -BOOL smb_io_relsecdesc(const char *desc, RPC_BUFFER *buffer, int depth, SEC_DESC **secdesc) +bool smb_io_relsecdesc(const char *desc, RPC_BUFFER *buffer, int depth, SEC_DESC **secdesc) { prs_struct *ps= &buffer->prs; -- cgit From 7cbdb48475b0340154fad60cb4b7cc53dc2bbcfd Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 29 Dec 2007 23:00:49 +0100 Subject: Remove tiny code duplication ndr_size_security_descriptor does the same as sec_desc_size (This used to be commit bc3bd7a8e7c6e9e27acb195c86abb92c0f53112f) --- source3/rpc_parse/parse_buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index c30ad487dd..e98822d46e 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -435,7 +435,7 @@ bool smb_io_relsecdesc(const char *desc, RPC_BUFFER *buffer, int depth, SEC_DESC } if (*secdesc != NULL) { - buffer->string_at_end -= sec_desc_size(*secdesc); + buffer->string_at_end -= ndr_size_security_descriptor(*secdesc, 0); if(!prs_set_offset(ps, buffer->string_at_end)) return False; -- cgit From e06aa46b9fab1e107fea8f6453fb13deffa91e96 Mon Sep 17 00:00:00 2001 From: Marc VanHeyningen Date: Fri, 14 Mar 2008 14:26:28 -0800 Subject: Coverity fixes (This used to be commit 3fc85d22590550f0539215d020e4411bf5b14363) --- source3/rpc_parse/parse_buffer.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index e98822d46e..9a68e547a0 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -34,8 +34,10 @@ void rpcbuf_init(RPC_BUFFER *buffer, uint32 size, TALLOC_CTX *ctx) { buffer->size = size; buffer->string_at_end = size; - prs_init(&buffer->prs, size, ctx, MARSHALL); - buffer->struct_start = prs_offset(&buffer->prs); + if (prs_init(&buffer->prs, size, ctx, MARSHALL)) + buffer->struct_start = prs_offset(&buffer->prs); + else + buffer->struct_start = NULL; } /******************************************************************* -- cgit From 31c83b750553d46792102e8afc889da7d99be859 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 19 Mar 2008 17:04:50 +0100 Subject: Fix a warning (This used to be commit c40648ea4d7897c401a5a94703e586acfdaec13b) --- source3/rpc_parse/parse_buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index 9a68e547a0..bb39a58c07 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -37,7 +37,7 @@ void rpcbuf_init(RPC_BUFFER *buffer, uint32 size, TALLOC_CTX *ctx) if (prs_init(&buffer->prs, size, ctx, MARSHALL)) buffer->struct_start = prs_offset(&buffer->prs); else - buffer->struct_start = NULL; + buffer->struct_start = 0; } /******************************************************************* -- cgit From 43554ded6de6cc8e70b6146f245e6a421823f203 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 23 Mar 2008 17:32:46 +0100 Subject: Fix Coverity ID 462 (This used to be commit 9cf1e16a9c3cade9cd905f719de07578b3a91b1e) --- source3/rpc_parse/parse_buffer.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/rpc_parse/parse_buffer.c') diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c index bb39a58c07..63a73c4b7c 100644 --- a/source3/rpc_parse/parse_buffer.c +++ b/source3/rpc_parse/parse_buffer.c @@ -374,8 +374,10 @@ bool smb_io_relarraystr(const char *desc, RPC_BUFFER *buffer, int depth, uint16 return False; do { - if (!smb_io_unistr(desc, &chaine, ps, depth)) + if (!smb_io_unistr(desc, &chaine, ps, depth)) { + SAFE_FREE(chaine2); return False; + } l_chaine=str_len_uni(&chaine); @@ -402,10 +404,10 @@ bool smb_io_relarraystr(const char *desc, RPC_BUFFER *buffer, int depth, uint16 { chaine2[l_chaine2] = '\0'; *string=(uint16 *)TALLOC_MEMDUP(prs_get_mem_context(ps),chaine2,realloc_size); + SAFE_FREE(chaine2); if (!*string) { return False; } - SAFE_FREE(chaine2); } if(!prs_set_offset(ps, old_offset)) -- cgit