From cd49e2546ecc3d16dc2f89c07d48b98995ec5ff9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 7 Mar 2006 20:52:43 +0000
Subject: r13989: Fix for Coverity bug #45 and associated spoolss RPC_BUFFER
 problems. Ensure that if the parse succeeds on UNMARSHALL we have a valid
 (although possibly empty) RPC_BUFFER returned. Jeremy. (This used to be
 commit d319cc9c08bfa865a6431a8631a9c609f589be1f)

---
 source3/rpc_parse/parse_buffer.c | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

(limited to 'source3/rpc_parse')

diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c
index b220809654..b8b2c2e9ea 100644
--- a/source3/rpc_parse/parse_buffer.c
+++ b/source3/rpc_parse/parse_buffer.c
@@ -108,19 +108,34 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b
 
 	data_p = *buffer ? 0xf000baaa : 0;
 
-	if ( !prs_uint32("ptr", ps, depth, &data_p ))
+	if ( !prs_uint32("ptr", ps, depth, &data_p )) {
 		return False;
+	}
 
-	/* we're done if there is no data */
-
-	if ( !data_p )
-		return True;
-		
+	/* We must always return a valid buffer pointer even if the
+	   client didn't send one - just leave it initialized to null. */
 	if ( UNMARSHALLING(ps) ) {
-		if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) )
+		if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) {
 			return False;
+		}
 	}
 
+	/* we're done if there is no data */
+
+	if (!data_p) {
+		if (UNMARSHALLING(ps)) {
+			RPC_BUFFER *pbuffer = *buffer;
+			/* On unmarshalling we must return a valid,
+			   but zero size value RPC_BUFFER. */
+			pbuffer->size = 0;
+			pbuffer->string_at_end = 0;
+			if (!prs_init(&pbuffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) {
+				return False;
+			}
+		}
+		return True;
+	}
+		
 	return prs_rpcbuffer( desc, ps, depth, *buffer);
 }
 
-- 
cgit