From 5d10676b3b726a75e2dabe5e8624a7b95b97c424 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
Date: Wed, 10 Mar 2010 19:49:25 +0100
Subject: s4:winreg RPC - fix up the "QueryValue" call to work against the
 enhanced torture test

Found out by gd's updated torture test.
---
 source4/rpc_server/winreg/rpc_winreg.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

(limited to 'source4')

diff --git a/source4/rpc_server/winreg/rpc_winreg.c b/source4/rpc_server/winreg/rpc_winreg.c
index c12c0c52e7..7a33a88e0d 100644
--- a/source4/rpc_server/winreg/rpc_winreg.c
+++ b/source4/rpc_server/winreg/rpc_winreg.c
@@ -491,19 +491,23 @@ static WERROR dcesrv_winreg_QueryValue(struct dcesrv_call_state *dce_call,
 	case SECURITY_SYSTEM:
 	case SECURITY_ADMINISTRATOR:
 	case SECURITY_USER:
+		if ((r->in.type == NULL) || (r->in.data_length == NULL) ||
+		    (r->in.data_size == NULL)) {
+			return WERR_INVALID_PARAM;
+		}
+
 		result = reg_key_get_value_by_name(mem_ctx, key, 
 			 r->in.value_name->name, &value_type, &value_data);
 		
 		if (!W_ERROR_IS_OK(result)) {
 			/* if the lookup wasn't successful, send client query back */
-			value_type = 0;
-			if (r->in.type != NULL) {
-				value_type = *r->in.type;
-			}
+			value_type = *r->in.type;
 			value_data.data = r->in.data;
-			value_data.length = 0;
-			if (r->in.data_length != NULL) {
-				value_data.length = *r->in.data_length;
+			value_data.length = *r->in.data_length;
+		} else {
+			if ((r->in.data != NULL)
+			    && (*r->in.data_size < value_data.length)) {
+				return WERR_MORE_DATA;
 			}
 		}
 
-- 
cgit