authorJeremy Allison <jra@samba.org>2002-01-18 00:36:16 +0000
committerJeremy Allison <jra@samba.org>2002-01-18 00:36:16 +0000
commit2a3673994d9574068b5fce5d694b1183b9c67395 (patch)
treec9a89ac3a24eac63bb3c3054ca20d240059217bc
parent37834a48e8b944936c9eb067203f457136fb3a2c (diff)
Added prs_mem_clear(). Clear memory on buffer reallocation. That way
we're not returning what the client gave us. Jeremy. (This used to be commit 9a969069f132019cdd8a11be2b00356a3f09b64d)
-rw-r--r--source3/rpc_parse/parse_prs.c15
-rw-r--r--source3/rpc_parse/parse_spoolss.c15
2 files changed, 19 insertions, 11 deletions
diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c
index 7b4a5f3181f..725e2e01a5a 100644
--- a/source3/rpc_parse/parse_prs.c
+++ b/source3/rpc_parse/parse_prs.c
@@ -146,6 +146,15 @@ void prs_mem_free(prs_struct *ps)
}
/*******************************************************************
+ Clear the memory in a parse structure.
+ ********************************************************************/
+
+void prs_mem_clear(prs_struct *ps)
+{
+ memset(ps->data_p, '\0', (size_t)ps->buffer_size);
+}
+
+/*******************************************************************
Allocate memory when unmarshalling... Always zero clears.
********************************************************************/
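Review bot: The new prs_mem_clear() passes `ps->data_p` to memset with no check, so calling it on a parse struct whose buffer was never allocated or has already been released would hand memset a NULL pointer (prs_mem_free is just above this hunk, but its body is not visible, so whether it resets data_p is an assumption). A guard makes the helper safe on any prs_struct: `if (ps->data_p != NULL && ps->buffer_size != 0) memset(ps->data_p, '\0', (size_t)ps->buffer_size);`. The header comment could also state the purpose, for example `Clear the memory in a parse structure so stale request data is not sent back in a reply.`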
@@ -261,7 +270,7 @@ BOOL prs_grow(prs_struct *ps, uint32 extra_space)
DEBUG(0,("prs_grow: Malloc failure for size %u.\n", (unsigned int)new_size));
return False;
}
- memset(new_data, '\0', new_size );
+ memset(new_data, '\0', (size_t)new_size );
} else {
/*
* If the current buffer size is bigger than the space needed, just
@@ -275,7 +284,7 @@ BOOL prs_grow(prs_struct *ps, uint32 extra_space)
return False;
}
- memset(&new_data[ps->buffer_size], '\0', new_size - ps->buffer_size);
+ memset(&new_data[ps->buffer_size], '\0', (size_t)(new_size - ps->buffer_size));
}
ps->buffer_size = new_size;
ps->data_p = new_data;
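Review bot: The `(size_t)` cast on `new_size - ps->buffer_size` is applied after the subtraction, so it only changes the type of the result and does not protect against `new_size` being smaller than `ps->buffer_size`. The computation of `new_size` is above the hunk; if it can wrap (extra_space is a caller-supplied uint32), the memset length becomes a very large value and the clear runs past the reallocated buffer. An explicit check ahead of the reallocation, `if (new_size < ps->buffer_size) return False;`, would close that off. The same expression appears in the prs_force_grow hunk below and deserves the same guard.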
@@ -306,7 +315,7 @@ BOOL prs_force_grow(prs_struct *ps, uint32 extra_space)
return False;
}
- memset(&new_data[ps->buffer_size], '\0', new_size - ps->buffer_size);
+ memset(&new_data[ps->buffer_size], '\0', (size_t)(new_size - ps->buffer_size));
ps->buffer_size = new_size;
ps->data_p = new_data;
diff --git a/source3/rpc_parse/parse_spoolss.c b/source3/rpc_parse/parse_spoolss.c
index 1006a1bbee1..458aed1fced 100644
--- a/source3/rpc_parse/parse_spoolss.c
+++ b/source3/rpc_parse/parse_spoolss.c
@@ -764,6 +764,7 @@ BOOL make_spoolss_q_open_printer_ex(SPOOL_Q_OPEN_PRINTER_EX *q_u,
/*******************************************************************
* init a structure.
********************************************************************/
+
BOOL make_spoolss_q_addprinterex(
TALLOC_CTX *mem_ctx,
SPOOL_Q_ADDPRINTEREX *q_u,
@@ -784,12 +785,10 @@ BOOL make_spoolss_q_addprinterex(
q_u->info.level = level;
q_u->info.info_ptr = (ctr->printers_2!=NULL)?1:0;
- switch (level)
- {
+ switch (level) {
case 2:
/* init q_u->info.info2 from *info */
- if (!make_spoolss_printer_info_2(mem_ctx, &q_u->info.info_2, ctr->printers_2))
- {
+ if (!make_spoolss_printer_info_2(mem_ctx, &q_u->info.info_2, ctr->printers_2)) {
DEBUG(0,("make_spoolss_q_addprinterex: Unable to fill SPOOL_Q_ADDPRINTEREX struct!\n"));
return False;
}
@@ -832,8 +831,7 @@ BOOL make_spoolss_printer_info_2(
SPOOL_PRINTER_INFO_LEVEL_2 *inf;
/* allocate the necessary memory */
- if (!(inf=(SPOOL_PRINTER_INFO_LEVEL_2*)talloc(mem_ctx, sizeof(SPOOL_PRINTER_INFO_LEVEL_2))))
- {
+ if (!(inf=(SPOOL_PRINTER_INFO_LEVEL_2*)talloc(mem_ctx, sizeof(SPOOL_PRINTER_INFO_LEVEL_2)))) {
DEBUG(0,("make_spoolss_printer_info_2: Unable to allocate SPOOL_PRINTER_INFO_LEVEL_2 sruct!\n"));
return False;
}
@@ -2721,6 +2719,7 @@ static BOOL spoolss_io_buffer(char *desc, prs_struct *ps, int depth, NEW_BUFFER
move a BUFFER from the query to the reply.
As the data pointers in NEW_BUFFER are malloc'ed, not talloc'ed,
this is ok. This is an OPTIMIZATION and is not strictly neccessary.
+ Clears the memory to zero also.
********************************************************************/
void spoolss_move_buffer(NEW_BUFFER *src, NEW_BUFFER **dest)
@@ -2728,8 +2727,8 @@ void spoolss_move_buffer(NEW_BUFFER *src, NEW_BUFFER **dest)
prs_switch_type(&src->prs, MARSHALL);
if(!prs_set_offset(&src->prs, 0))
return;
- prs_force_dynamic(&(src->prs));
-
+ prs_force_dynamic(&src->prs);
+ prs_mem_clear(&src->prs);
*dest=src;
}
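Review bot: The added `prs_mem_clear(&src->prs);` call carries the security purpose of this commit but has no comment at the call site. A line such as `/* Zero the client's request bytes so they cannot be echoed back in the reply. */` above it would stop a later cleanup from removing it as redundant. The early `return` when prs_set_offset() fails also skips the clear and leaves `*dest` unassigned, and because the function is void the caller cannot detect it. Whether callers handle that case is not visible from this hunk.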