From 49b52ec16f8150d71a0ebfdd0a7067981fe5840a Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 13 Feb 2009 16:06:17 -0800
Subject: Parameterize in local.h the MAX_RPC_DATA_SIZE, and ensure that "offered" read from the rpc packet in spoolss is under that size. Tidyup from analysis from Veracode. Jeremy.

---
 source3/rpc_server/srv_pipe_hnd.c   |  2 +-
 source3/rpc_server/srv_spoolss_nt.c | 52 +++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletion(-)
(limited to 'source3/rpc_server')

diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index 0804af7ca9..6dead2d264 100644
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -426,7 +426,7 @@ static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
 	 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002 */
 
-	if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
+	if(prs_offset(&p->in_data.data) + data_len > MAX_RPC_DATA_SIZE) {
 		DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
 			(unsigned int)prs_data_size(&p->in_data.data),
 			(unsigned int)data_len ));
 		set_incoming_fault(p);
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 7199441820..ef02dcfa26 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -4683,6 +4683,10 @@ WERROR _spoolss_enumprinters( pipes_struct *p, SPOOL_Q_ENUMPRINTERS *q_u, SPOOL_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -5040,6 +5044,10 @@ WERROR _spoolss_getprinter(pipes_struct *p, SPOOL_Q_GETPRINTER *q_u, SPOOL_R_GET
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
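Review bot: The DEBUG line under the changed condition in process_request_pdu still reports `prs_data_size(&p->in_data.data)`, while the condition itself compares `prs_offset(&p->in_data.data) + data_len` against MAX_RPC_DATA_SIZE, so the level-0 message an operator would rely on to spot an oversized-PDU client neither reproduces the rejected sum nor shows the ceiling. Logging the quantities actually compared would be more useful: `DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u) > %u\n",` followed by `(unsigned int)prs_offset(&p->in_data.data), (unsigned int)data_len, (unsigned int)MAX_RPC_DATA_SIZE ));`. The definition of MAX_RPC_DATA_SIZE is in local.h, which this diff (limited to source3/rpc_server) does not include, so its value and type cannot be checked here; the rest of process_request_pdu lies outside the hunk on both sides.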
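Review bot: The new `offered > MAX_RPC_DATA_SIZE` rejection in _spoolss_enumprinters returns WERR_INVALID_PARAM without any log line, whereas the equivalent ceiling in srv_pipe_hnd.c logs at DEBUG level 0 before faulting the pipe; a client presenting an `offered` above the RPC data limit is exactly the event an administrator wants recorded, so a `DEBUG(0,("_spoolss_enumprinters: offered %u exceeds MAX_RPC_DATA_SIZE\n", (unsigned int)offered));` before the return would keep the two paths consistent. The same four lines are pasted into twelve further handlers in this file (the hunks for getprinter, getprinterdriver2, enumjobs, enumprinterdrivers, enumforms, enumports, getprinterdriverdirectory, enumprintprocessors, enumprintprocdatatypes, enumprintmonitors, getjob and getprintprocessordirectory), so a small static helper or macro that performs the check and the log once would stop the thirteen copies from drifting and make it easier to confirm that every handler copying `q_u->offered` into an [in out] buffer is covered — if any other handler in this file follows the same pattern it would need the same guard, which this diff does not show either way. The condition of the preceding check, whose `return WERR_INVALID_PARAM;` opens each hunk, and the remainder of each handler lie outside the hunks, and MAX_RPC_DATA_SIZE's definition in local.h is not part of this diff.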
@@ -5701,6 +5709,10 @@ WERROR _spoolss_getprinterdriver2(pipes_struct *p, SPOOL_Q_GETPRINTERDRIVER2 *q_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -6788,6 +6800,10 @@ WERROR _spoolss_enumjobs( pipes_struct *p, SPOOL_Q_ENUMJOBS *q_u, SPOOL_R_ENUMJO
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7168,6 +7184,10 @@ WERROR _spoolss_enumprinterdrivers( pipes_struct *p, SPOOL_Q_ENUMPRINTERDRIVERS
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7256,6 +7276,10 @@ WERROR _spoolss_enumforms(pipes_struct *p, SPOOL_Q_ENUMFORMS *q_u, SPOOL_R_ENUMF
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -7665,6 +7689,10 @@ WERROR _spoolss_enumports( pipes_struct *p, SPOOL_Q_ENUMPORTS *q_u, SPOOL_R_ENUM
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8076,6 +8104,10 @@ WERROR _spoolss_getprinterdriverdirectory(pipes_struct *p, SPOOL_Q_GETPRINTERDRI
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8710,6 +8742,10 @@ WERROR _spoolss_enumprintprocessors(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCESSORS
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8789,6 +8825,10 @@ WERROR _spoolss_enumprintprocdatatypes(pipes_struct *p, SPOOL_Q_ENUMPRINTPROCDAT
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -8917,6 +8957,10 @@ WERROR _spoolss_enumprintmonitors(pipes_struct *p, SPOOL_Q_ENUMPRINTMONITORS *q_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -9093,6 +9137,10 @@ WERROR _spoolss_getjob( pipes_struct *p, SPOOL_Q_GETJOB *q_u, SPOOL_R_GETJOB *r_
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
@@ -9714,6 +9762,10 @@ WERROR _spoolss_getprintprocessordirectory(pipes_struct *p, SPOOL_Q_GETPRINTPROC
 		return WERR_INVALID_PARAM;
 	}
 
+	if (offered > MAX_RPC_DATA_SIZE) {
+		return WERR_INVALID_PARAM;
+	}
+
 	rpcbuf_move(q_u->buffer, &r_u->buffer);
 	buffer = r_u->buffer;
 
-- cgit