From f10227958bef70df7609aeec5dcc834a601bd945 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
Date: Mon, 15 Sep 2008 19:21:38 +0200
Subject: Registry server: Fixes up the patch with "type" != NULL (used in
 "EnumValue" and "QueryValue")

This prevents the server to segfault if the input data type is NULL.
---
 source4/rpc_server/winreg/rpc_winreg.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'source4/rpc_server/winreg/rpc_winreg.c')

diff --git a/source4/rpc_server/winreg/rpc_winreg.c b/source4/rpc_server/winreg/rpc_winreg.c
index 5cabae53a2..69631b3a66 100644
--- a/source4/rpc_server/winreg/rpc_winreg.c
+++ b/source4/rpc_server/winreg/rpc_winreg.c
@@ -278,7 +278,7 @@ static WERROR dcesrv_winreg_EnumValue(struct dcesrv_call_state *dce_call,
 		data.length = *r->in.length;
 	}
 
-	/* and enough room for the name */
+	/* check if there is enough room for the name */
 	if (r->in.name->size < 2*strlen_m_term(data_name)) {
 		return WERR_MORE_DATA;
 	}
@@ -293,7 +293,11 @@ static WERROR dcesrv_winreg_EnumValue(struct dcesrv_call_state *dce_call,
 	}
 	r->out.name->size = r->in.name->size;
 
-	*r->out.value = data_type;
+	r->out.type = talloc(mem_ctx, uint32_t);
+	if (!r->out.type) {
+		return WERR_NOMEM;
+	}
+	*r->out.type = data_type;
 
 	/* check the client has enough room for the value */
 	if (r->in.value != NULL &&
@@ -484,7 +488,6 @@ static WERROR dcesrv_winreg_QueryValue(struct dcesrv_call_state *dce_call,
 			value_data.length = *r->in.length;
 		}
 
-		/* Just asking for the size of the buffer */
 		r->out.type = talloc(mem_ctx, uint32_t);
 		if (!r->out.type) {
 			return WERR_NOMEM;
-- 
cgit