From 2e6deee0208aba89fb3ecc7ead62d867e4da20ea Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 9 Jun 2007 00:13:07 +0000 Subject: r23400: Fix lsa crash bug #4683. The "names" enum struct in a lookup_sidX reply isn't optional - like the lookup_sidX query it needs to be defined in the struct. All this will go away with PIDL (thank goodness....). Jerry - I think this is a showstopper to be merged for 3.0.25b. I'll be watching the build farm to see if anything broke. Jeremy. (This used to be commit 9300b92f7a51eb80fdc039d8dad23ea9ce82aa8f) --- source3/include/rpc_lsa.h | 6 +++--- source3/rpc_client/cli_lsarpc.c | 20 +++++++------------- source3/rpc_parse/parse_lsa.c | 6 +++--- source3/rpc_server/srv_lsa_nt.c | 35 ++++++++++------------------------- 4 files changed, 23 insertions(+), 44 deletions(-) (limited to 'source3') diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h index 28dea21977..1d575c8955 100644 --- a/source3/include/rpc_lsa.h +++ b/source3/include/rpc_lsa.h @@ -515,7 +515,7 @@ typedef struct lsa_r_lookup_sids uint32 ptr_dom_ref; DOM_R_REF *dom_ref; /* domain reference info */ - LSA_TRANS_NAME_ENUM *names; + LSA_TRANS_NAME_ENUM names; uint32 mapped_count; NTSTATUS status; /* return code */ @@ -541,7 +541,7 @@ typedef struct lsa_r_lookup_sids2 uint32 ptr_dom_ref; DOM_R_REF *dom_ref; /* domain reference info */ - LSA_TRANS_NAME_ENUM2 *names; + LSA_TRANS_NAME_ENUM2 names; uint32 mapped_count; NTSTATUS status; /* return code */ @@ -566,7 +566,7 @@ typedef struct lsa_r_lookup_sids3 uint32 ptr_dom_ref; DOM_R_REF *dom_ref; /* domain reference info */ - LSA_TRANS_NAME_ENUM2 *names; + LSA_TRANS_NAME_ENUM2 names; uint32 mapped_count; NTSTATUS status; /* return code */ diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index a6410b4954..ed70bc1752 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c 
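Review bot: With `names` embedded instead of pointed to, the three reply structs in rpc_lsa.h lose the "NULL means not filled in" state that was crashing the marshaller, but they gain a silent dependency: whatever `num_entries` and pointers happen to be in `names` will be marshalled, so correctness now rests on every server path either filling the member or having a zeroed reply struct. That contract is not visible from the header. I would annotate each changed field, e.g. `LSA_TRANS_NAME_ENUM names; /* translated names: always marshalled, never optional; reply must be zeroed or filled before lsa_io_r_lookup_sids */`, and the same wording on the ENUM2 members. Each of the three struct definitions starts and ends outside its hunk.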
@@ -145,7 +145,6 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, LSA_Q_LOOKUP_SIDS q; LSA_R_LOOKUP_SIDS r; DOM_R_REF ref; - LSA_TRANS_NAME_ENUM t_names; NTSTATUS result = NT_STATUS_OK; TALLOC_CTX *tmp_ctx = NULL; int i; @@ -163,10 +162,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, init_q_lookup_sids(tmp_ctx, &q, pol, num_sids, sids, 1); ZERO_STRUCT(ref); - ZERO_STRUCT(t_names); r.dom_ref = &ref; - r.names = &t_names; CLI_DO_RPC( cli, tmp_ctx, PI_LSARPC, LSA_LOOKUPSIDS, q, r, @@ -192,7 +189,7 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, for (i = 0; i < num_sids; i++) { fstring name, dom_name; - uint32 dom_idx = t_names.name[i].domain_idx; + uint32 dom_idx = r.names.name[i].domain_idx; /* Translate optimised name through domain index array */ @@ -201,14 +198,14 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, rpcstr_pull_unistr2_fstring( dom_name, &ref.ref_dom[dom_idx].uni_dom_name); rpcstr_pull_unistr2_fstring( - name, &t_names.uni_name[i]); + name, &r.names.uni_name[i]); (names)[i] = talloc_strdup(mem_ctx, name); (domains)[i] = talloc_strdup(mem_ctx, dom_name); - (types)[i] = (enum lsa_SidType)t_names.name[i].sid_name_use; + (types)[i] = (enum lsa_SidType)r.names.name[i].sid_name_use; if (((names)[i] == NULL) || ((domains)[i] == NULL)) { - DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n")); + DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n")); result = NT_STATUS_UNSUCCESSFUL; goto done; } @@ -350,7 +347,6 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, LSA_Q_LOOKUP_SIDS q; LSA_R_LOOKUP_SIDS r; DOM_R_REF ref; - LSA_TRANS_NAME_ENUM t_names; NTSTATUS result = NT_STATUS_OK; int i; 
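Review bot: In rpccli_lsa_lookup_sids_noalloc the loop `for (i = 0; i < num_sids; i++)` now indexes `r.names.name[i]` and `r.names.uni_name[i]` using the request count, while the array sizes come from the server-supplied `r.names.num_entries`; a reply carrying fewer entries than were asked for would read past the unmarshalled arrays. Unless a count check exists in the lines between `CLI_DO_RPC` and the loop, which the hunk does not show, I would add one before the loop: `if (r.names.num_entries != num_sids) { result = NT_STATUS_UNSUCCESSFUL; goto done; }` (or a more specific status such as NT_STATUS_INVALID_NETWORK_RESPONSE if this tree defines it). The same applies to the second copy of the loop in rpccli_lsa_lookup_sids further down. Both functions start before and end after their hunks.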
@@ -360,10 +356,8 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, init_q_lookup_sids(mem_ctx, &q, pol, num_sids, sids, 1); ZERO_STRUCT(ref); - ZERO_STRUCT(t_names); r.dom_ref = &ref; - r.names = &t_names; CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPSIDS, q, r, @@ -414,7 +408,7 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, for (i = 0; i < num_sids; i++) { fstring name, dom_name; - uint32 dom_idx = t_names.name[i].domain_idx; + uint32 dom_idx = r.names.name[i].domain_idx; /* Translate optimised name through domain index array */ @@ -423,11 +417,11 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, rpcstr_pull_unistr2_fstring( dom_name, &ref.ref_dom[dom_idx].uni_dom_name); rpcstr_pull_unistr2_fstring( - name, &t_names.uni_name[i]); + name, &r.names.uni_name[i]); (*names)[i] = talloc_strdup(mem_ctx, name); (*domains)[i] = talloc_strdup(mem_ctx, dom_name); - (*types)[i] = (enum lsa_SidType)t_names.name[i].sid_name_use; + (*types)[i] = (enum lsa_SidType)r.names.name[i].sid_name_use; if (((*names)[i] == NULL) || ((*domains)[i] == NULL)) { DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n")); diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c index 0add8b2bb0..0c07e7fe22 100644 --- a/source3/rpc_parse/parse_lsa.c +++ b/source3/rpc_parse/parse_lsa.c @@ -1476,7 +1476,7 @@ BOOL lsa_io_r_lookup_sids(const char *desc, LSA_R_LOOKUP_SIDS *r_s, if(!lsa_io_dom_r_ref ("dom_ref", r_s->dom_ref, ps, depth)) /* domain reference info */ return False; - if(!lsa_io_trans_names("names ", r_s->names, ps, depth)) /* translated names */ + if(!lsa_io_trans_names("names ", &r_s->names, ps, depth)) /* translated names */ return False; if(!prs_align(ps)) 
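Review bot: In rpccli_lsa_lookup_sids the value `uint32 dom_idx = r.names.name[i].domain_idx;` is taken from the server reply and then used as `ref.ref_dom[dom_idx]`, and nothing in the hunk bounds it against the number of reference domains actually unmarshalled into `ref`. The elided lines after "Translate optimised name through domain index array" may reject the 0xffffffff sentinel, but if `ref_dom` is a fixed-size array (the stack `DOM_R_REF ref` suggests so) an index just above the received count still reads uninitialised or out-of-range entries. I would guard the lookup with the reference-domain count from `ref`, e.g. `if (dom_idx != 0xffffffff && dom_idx >= ref.num_ref_doms_1) { result = NT_STATUS_UNSUCCESSFUL; goto done; }`, adjusting the field name to whatever DOM_R_REF uses for the received count. The function begins before the first hunk and ends after the last one.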
@@ -1511,7 +1511,7 @@ BOOL lsa_io_r_lookup_sids2(const char *desc, LSA_R_LOOKUP_SIDS2 *r_s, if(!lsa_io_dom_r_ref ("dom_ref", r_s->dom_ref, ps, depth)) /* domain reference info */ return False; - if(!lsa_io_trans_names2("names ", r_s->names, ps, depth)) /* translated names */ + if(!lsa_io_trans_names2("names ", &r_s->names, ps, depth)) /* translated names */ return False; if(!prs_align(ps)) @@ -1547,7 +1547,7 @@ BOOL lsa_io_r_lookup_sids3(const char *desc, LSA_R_LOOKUP_SIDS3 *r_s, if(!lsa_io_dom_r_ref ("dom_ref", r_s->dom_ref, ps, depth)) /* domain reference info */ return False; - if(!lsa_io_trans_names2("names ", r_s->names, ps, depth)) /* translated names */ + if(!lsa_io_trans_names2("names ", &r_s->names, ps, depth)) /* translated names */ return False; if(!prs_align(ps)) diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index bde1ef81da..f9b86d0c67 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -380,12 +380,10 @@ static void init_reply_lookup_names4(LSA_R_LOOKUP_NAMES4 *r_l, static void init_reply_lookup_sids2(LSA_R_LOOKUP_SIDS2 *r_l, DOM_R_REF *ref, - LSA_TRANS_NAME_ENUM2 *names, uint32 mapped_count) { r_l->ptr_dom_ref = ref ? 1 : 0; r_l->dom_ref = ref; - r_l->names = names; r_l->mapped_count = mapped_count; } @@ -395,12 +393,10 @@ static void init_reply_lookup_sids2(LSA_R_LOOKUP_SIDS2 *r_l, static void init_reply_lookup_sids3(LSA_R_LOOKUP_SIDS3 *r_l, DOM_R_REF *ref, - LSA_TRANS_NAME_ENUM2 *names, uint32 mapped_count) { r_l->ptr_dom_ref = ref ? 1 : 0; r_l->dom_ref = ref; - r_l->names = names; r_l->mapped_count = mapped_count; } 
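Review bot: init_reply_lookup_sids2 and init_reply_lookup_sids3 in srv_lsa_nt.c now leave `r_l->names` untouched, so their correctness depends on the caller having already filled or zeroed that member, and nothing in the hunks says so. The change is fine mechanically, but the dropped `names` parameter removes the only hint to a future caller that `names` must be dealt with separately. I would add a line above each definition: `/* NOTE: r_l->names must already be populated (or zeroed) by the caller; this only fills the domain reference and count. */`. Both functions are shown in full within the hunks.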
@@ -414,11 +410,7 @@ static NTSTATUS init_reply_lookup_sids(TALLOC_CTX *mem_ctx, LSA_TRANS_NAME_ENUM2 *names, uint32 mapped_count) { - LSA_TRANS_NAME_ENUM *oldnames = TALLOC_ZERO_P(mem_ctx, LSA_TRANS_NAME_ENUM); - - if (!oldnames) { - return NT_STATUS_NO_MEMORY; - } + LSA_TRANS_NAME_ENUM *oldnames = &r_l->names; oldnames->num_entries = names->num_entries; oldnames->ptr_trans_names = names->ptr_trans_names; @@ -442,7 +434,6 @@ static NTSTATUS init_reply_lookup_sids(TALLOC_CTX *mem_ctx, r_l->ptr_dom_ref = ref ? 1 : 0; r_l->dom_ref = ref; - r_l->names = oldnames; r_l->mapped_count = mapped_count; return NT_STATUS_OK; } @@ -810,13 +801,12 @@ static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p, int num_sids, /* input */ const DOM_SID2 *sid, /* input */ DOM_R_REF **pp_ref, /* output */ - LSA_TRANS_NAME_ENUM2 **pp_names, /* output */ + LSA_TRANS_NAME_ENUM2 *names, /* input/output */ uint32 *pp_mapped_count) { NTSTATUS status; int i; const DOM_SID **sids = NULL; - LSA_TRANS_NAME_ENUM2 *names = NULL; DOM_R_REF *ref = NULL; uint32 mapped_count = 0; struct lsa_dom_info *dom_infos = NULL; @@ -824,17 +814,16 @@ static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p, *pp_mapped_count = 0; *pp_ref = NULL; - *pp_names = NULL; + ZERO_STRUCTP(names); if (num_sids == 0) { return NT_STATUS_OK; } - names = TALLOC_ZERO_P(p->mem_ctx, LSA_TRANS_NAME_ENUM2); sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids); ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF); - if (sids == NULL || names == NULL || ref == NULL) { + if (sids == NULL || ref == NULL) { return NT_STATUS_NO_MEMORY; } @@ -907,7 +896,6 @@ static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p, *pp_mapped_count = mapped_count; *pp_ref = ref; - *pp_names = names; return status; } 
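Review bot: init_reply_lookup_sids now writes `num_entries` and `ptr_trans_names` straight into `r_l->names` before the rest of the conversion runs, so if the elided middle of the function still allocates the per-entry arrays from `mem_ctx` (the parameter is kept, which suggests it does) and that allocation fails, the reply is left with a non-zero count and NULL arrays. The dispatcher marshals `r_u` regardless of the returned status, so that is the same class of crash this commit is fixing, just on the out-of-memory path instead of the NULL-pointer path. I would zero the member on every failure return in that function, `ZERO_STRUCTP(oldnames); return NT_STATUS_NO_MEMORY;`, or set `num_entries` only after the arrays exist. The function's signature and the middle of its body are outside the hunks.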
@@ -924,7 +912,7 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p, int num_sids = q_u->sids.num_entries; uint32 mapped_count = 0; DOM_R_REF *ref = NULL; - LSA_TRANS_NAME_ENUM2 *names = NULL; + LSA_TRANS_NAME_ENUM2 names; NTSTATUS status; if ((q_u->level < 1) || (q_u->level > 6)) { @@ -956,7 +944,7 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p, /* Convert from LSA_TRANS_NAME_ENUM2 to LSA_TRANS_NAME_ENUM */ - status = init_reply_lookup_sids(p->mem_ctx, r_u, ref, names, mapped_count); + status = init_reply_lookup_sids(p->mem_ctx, r_u, ref, &names, mapped_count); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -975,7 +963,6 @@ NTSTATUS _lsa_lookup_sids2(pipes_struct *p, int num_sids = q_u->sids.num_entries; uint32 mapped_count = 0; DOM_R_REF *ref = NULL; - LSA_TRANS_NAME_ENUM2 *names = NULL; if ((q_u->level < 1) || (q_u->level > 6)) { return NT_STATUS_INVALID_PARAMETER; @@ -1001,10 +988,10 @@ NTSTATUS _lsa_lookup_sids2(pipes_struct *p, num_sids, q_u->sids.sid, &ref, - &names, + &r_u->names, &mapped_count); - init_reply_lookup_sids2(r_u, ref, names, mapped_count); + init_reply_lookup_sids2(r_u, ref, mapped_count); return r_u->status; } @@ -1022,7 +1009,6 @@ NTSTATUS _lsa_lookup_sids3(pipes_struct *p, { uint32 mapped_count = 0; DOM_R_REF *ref; - LSA_TRANS_NAME_ENUM2 *names; if ((q_u->level < 1) || (q_u->level > 6)) { return NT_STATUS_INVALID_PARAMETER; @@ -1031,15 +1017,14 @@ NTSTATUS _lsa_lookup_sids3(pipes_struct *p, r_u->status = NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED; ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF); - names = TALLOC_ZERO_P(p->mem_ctx, LSA_TRANS_NAME_ENUM2); - if ((ref == NULL) || (names == NULL)) { + if (ref == NULL) { /* We would segfault later on in lsa_io_r_lookup_sids3 anyway, * so do a planned exit here. We NEEEED pidl! */ smb_panic("talloc failed"); } - init_reply_lookup_sids3(r_u, ref, names, mapped_count); + init_reply_lookup_sids3(r_u, ref, mapped_count); return r_u->status; } -- cgit
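Review bot: _lsa_lookup_sids3 no longer initialises its names at all: the removed `TALLOC_ZERO_P` gave lsa_io_r_lookup_sids3 a zeroed enum, whereas now `r_u->names` holds whatever the caller left there, and the function only sets `status`, `ref` and `mapped_count` before returning. If the RPC dispatcher zeroes `*r_u` before calling this is harmless, but it is not visible here, and the same gap exists on the `level` early-return paths in `_lsa_lookup_sids` and `_lsa_lookup_sids2`, which return before `_lsa_lookup_sids_internal` does its `ZERO_STRUCTP(names)`. I would add `ZERO_STRUCT(r_u->names);` before `init_reply_lookup_sids3(r_u, ref, mapped_count);` and at the top of the two level checks so the reply marshals an empty enum on every path. _lsa_lookup_sids and _lsa_lookup_sids2 begin before their hunks.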