authorShirish Kalele <kalele@samba.org>2000-05-26 22:37:08 +0000
committerShirish Kalele <kalele@samba.org>2000-05-26 22:37:08 +0000
commit590d9ece8449b1feecfe1aa13e61bcd8fea4e5bf (patch)
treed9f58a60f9779e0243a1e9ca7cc02c8d2db8c3a0
parent80a0079b2f993159ef35b02ba5c70ce9d8096879 (diff)
Fixed memory leak in RPC parsing code.
Problem in prs_set_buffer_size() was that Realloc returns NULL when newsize is zero (equivalent to a free()). We were returning a failure here without resetting the buffer_size or the data_p pointer in the prs_struct. And we weren't checking for a failure from prs_set_buffer_size(). So reallocs to zero size were not reflected in the prs_struct: memory leak.
-rw-r--r--source/rpc_parse/parse_prs.c4
-rw-r--r--source/rpc_server/srv_pipe_hnd.c7
2 files changed, 9 insertions, 2 deletions
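diff --git a/source/rpc_parse/parse_prs.c b/source/rpc_parse/parse_prs.c
index dafff63ad90..422b420a3c2 100644
--- a/source/rpc_parse/parse_prs.c
+++ b/source/rpc_parse/parse_prs.c
@@ -164,9 +164,11 @@ BOOL prs_set_buffer_size(prs_struct *ps, uint32 newsize)
 if (newsize < ps->buffer_size) {
 char *new_data_p = Realloc(ps->data_p, newsize);
- if (new_data_p == NULL) {
+ /* if newsize is zero, Realloc acts like free() & returns NULL*/
+ if (new_data_p == NULL && newsize != 0) {
 DEBUG(0,("prs_set_buffer_size: Realloc failure for size %u.\n",
 (unsigned int)newsize));
+ DEBUG(0,("prs_set_buffer_size: Reason %s\n",strerror(errno)));
 return False;
 }
 ps->data_p = new_data_p;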
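Review bot: The added `strerror(errno)` line reads errno only after the preceding DEBUG() call has already run, and that macro does logging I/O that can overwrite errno, so the "Reason" printed may not belong to the Realloc failure at all. Capture it immediately after the allocation, `int saved_errno = errno;` directly below `char *new_data_p = Realloc(ps->data_p, newsize);`, and print `strerror(saved_errno)` instead. The `newsize != 0` exemption is right for the free()-like case, but it makes a NULL `ps->data_p` with a zero `buffer_size` a legal state that every later accessor of the prs_struct must tolerate; presumably they bound accesses by `buffer_size` before touching `data_p`, which is worth confirming. The body of prs_set_buffer_size continues past the end of this hunk.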
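diff --git a/source/rpc_server/srv_pipe_hnd.c b/source/rpc_server/srv_pipe_hnd.c
index a349da839a6..e01ecf82a27 100644
--- a/source/rpc_server/srv_pipe_hnd.c
+++ b/source/rpc_server/srv_pipe_hnd.c
@@ -480,7 +480,12 @@ authentication failed. Denying the request.\n", p->name));
 * size as the current offset.
 */
- prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data));
+ if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data)))
+ {
+ DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n"));
+ set_incoming_fault(p);
+ return False;
+ }
 /*
 * Set the parse offset to the start of the data and set the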
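Review bot: The new failure path calls `set_incoming_fault(p)` and returns False, but on a Realloc failure the other hunk in this commit leaves `p->in_data.data` still owning its original buffer, and nothing visible here releases it; presumably set_incoming_fault or the caller frees the incoming parse state, which is worth confirming so this path does not re-introduce the leak the commit fixes. As a point of style, `if(!prs_set_buffer_size(` with the brace on its own line departs from the `if (cond) {` form used in the parse_prs.c hunk of the same commit; `if (!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data))) {` keeps the two files consistent. The enclosing process_request_pdu starts and ends outside this hunk.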