r13989: Fix for Coverity bug #45 and associated spoolss RPC_BUFFER

problems. Ensure that if the parse succeeds on UNMARSHALL
we have a valid (although possibly empty) RPC_BUFFER returned.
Jeremy.
(This used to be commit d319cc9c08bfa865a6431a8631a9c609f589be1f)

1 files changed, 22 insertions, 7 deletions

diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c
index b2208096541..b8b2c2e9ea7 100644
--- a/source3/rpc_parse/parse_buffer.c
+++ b/source3/rpc_parse/parse_buffer.c
@@ -108,19 +108,34 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b
 
 	data_p = *buffer ? 0xf000baaa : 0;
 
-	if ( !prs_uint32("ptr", ps, depth, &data_p ))
+	if ( !prs_uint32("ptr", ps, depth, &data_p )) {
 		return False;
+	}
 
-	/* we're done if there is no data */
-
-	if ( !data_p )
-		return True;
-		
+	/* We must always return a valid buffer pointer even if the
+	   client didn't send one - just leave it initialized to null. */
 	if ( UNMARSHALLING(ps) ) {
-		if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) )
+		if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) {
 			return False;
+		}
 	}
 
+	/* we're done if there is no data */
+
+	if (!data_p) {
+		if (UNMARSHALLING(ps)) {
+			RPC_BUFFER *pbuffer = *buffer;
+			/* On unmarshalling we must return a valid,
+			   but zero size value RPC_BUFFER. */
+			pbuffer->size = 0;
+			pbuffer->string_at_end = 0;
+			if (!prs_init(&pbuffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) {
+				return False;
+			}
+		}
+		return True;
+	}
+		
 	return prs_rpcbuffer( desc, ps, depth, *buffer);
 }