diff options
Diffstat (limited to 'source/rpc_parse')
| -rw-r--r-- | source/rpc_parse/parse_dfs.c | 80 | ||||
| -rw-r--r-- | source/rpc_parse/parse_lsa.c | 22 | ||||
| -rw-r--r-- | source/rpc_parse/parse_prs.c | 2 | ||||
| -rw-r--r-- | source/rpc_parse/parse_sec.c | 13 | ||||
| -rw-r--r-- | source/rpc_parse/parse_spoolss.c | 4 |
5 files changed, 83 insertions, 38 deletions
diff --git a/source/rpc_parse/parse_dfs.c b/source/rpc_parse/parse_dfs.c index 118429e7d2f..88d6135a838 100644 --- a/source/rpc_parse/parse_dfs.c +++ b/source/rpc_parse/parse_dfs.c @@ -325,9 +325,13 @@ BOOL netdfs_io_dfs_Info3_d(const char *desc, NETDFS_DFS_INFO3 *v, prs_struct *ps return False; if (UNMARSHALLING(ps)) { - v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores); - if (!v->stores) { - return False; + if (v->num_stores) { + v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores); + if (!v->stores) { + return False; + } + } else { + v->stores = NULL; } } for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) { @@ -450,9 +454,13 @@ BOOL netdfs_io_dfs_Info4_d(const char *desc, NETDFS_DFS_INFO4 *v, prs_struct *ps return False; if (UNMARSHALLING(ps)) { - v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores); - if (!v->stores) { - return False; + if (v->num_stores) { + v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores); + if (!v->stores) { + return False; + } + } else { + v->stores = NULL; } } for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) { @@ -926,9 +934,13 @@ BOOL netdfs_io_dfs_EnumArray1_d(const char *desc, NETDFS_DFS_ENUMARRAY1 *v, prs_ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); - if (!v->s) { - return False; + if (v->count) { + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count); + if (!v->s) { + return False; + } + } else { + v->s = NULL; } } for (i_s_1=0; i_s_1<v->count;i_s_1++) { @@ -995,9 +1007,13 @@ BOOL netdfs_io_dfs_EnumArray2_d(const char *desc, NETDFS_DFS_ENUMARRAY2 *v, prs_ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); - if (!v->s) { - return False; + if (v->count) { + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count); + if (!v->s) { + return False; + } + } else { + v->s = NULL; } } for (i_s_1=0; i_s_1<v->count;i_s_1++) { @@ -1064,9 +1080,13 @@ BOOL netdfs_io_dfs_EnumArray3_d(const char *desc, NETDFS_DFS_ENUMARRAY3 *v, prs_ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); - if (!v->s) { - return False; + if (v->count) { + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count); + if (!v->s) { + return False; + } + } else { + v->s = NULL; } } for (i_s_1=0; i_s_1<v->count;i_s_1++) { @@ -1133,9 +1153,13 @@ BOOL netdfs_io_dfs_EnumArray4_d(const char *desc, NETDFS_DFS_ENUMARRAY4 *v, prs_ return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); - if (!v->s) { - return False; + if (v->count) { + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count); + if (!v->s) { + return False; + } + } else { + v->s = NULL; } } for (i_s_1=0; i_s_1<v->count;i_s_1++) { @@ -1202,9 +1226,13 @@ BOOL netdfs_io_dfs_EnumArray200_d(const char *desc, NETDFS_DFS_ENUMARRAY200 *v, return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); - if (!v->s) { - return False; + if (v->count) { + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count); + if (!v->s) { + return False; + } + } else { + v->s = NULL; } } for (i_s_1=0; i_s_1<v->count;i_s_1++) { @@ -1271,9 +1299,13 @@ BOOL netdfs_io_dfs_EnumArray300_d(const char *desc, NETDFS_DFS_ENUMARRAY300 *v, return False; if (UNMARSHALLING(ps)) { - v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count); - if (!v->s) { - return False; + if (v->count) { + v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count); + if (!v->s) { + return False; + } + } else { + v->s = NULL; } } for (i_s_1=0; i_s_1<v->count;i_s_1++) { diff --git a/source/rpc_parse/parse_lsa.c b/source/rpc_parse/parse_lsa.c index ea249dc5600..06ccec4ab34 100644 --- a/source/rpc_parse/parse_lsa.c +++ b/source/rpc_parse/parse_lsa.c @@ -1356,12 +1356,17 @@ static BOOL lsa_io_trans_names(const char *desc, LSA_TRANS_NAME_ENUM *trn, &trn->num_entries2)) return False; + if (trn->num_entries2 != trn->num_entries) { + /* RPC fault */ + return False; + } + if (UNMARSHALLING(ps)) { - if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) { + if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) { return False; } - if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) { + if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) { return False; } } @@ -1413,12 +1418,17 @@ static BOOL lsa_io_trans_names2(const char *desc, LSA_TRANS_NAME_ENUM2 *trn, &trn->num_entries2)) return False; + if (trn->num_entries2 != trn->num_entries) { + /* RPC fault */ + return False; + } + if (UNMARSHALLING(ps)) { - if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) { + if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) { return False; } - if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) { + if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) { return False; } } @@ -2771,7 +2781,7 @@ static BOOL lsa_io_luid_attr(const char *desc, LUID_ATTR *out, prs_struct *ps, i static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth) { - uint32 i; + uint32 i, dummy; prs_debug(ps, depth, desc, "lsa_io_privilege_set"); depth++; @@ -2779,7 +2789,7 @@ static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struc if(!prs_align(ps)) return False; - if(!prs_uint32("count", ps, depth, &out->count)) + if(!prs_uint32("count", ps, depth, &dummy)) return False; if(!prs_uint32("control", ps, depth, &out->control)) return False; diff --git a/source/rpc_parse/parse_prs.c b/source/rpc_parse/parse_prs.c index 2a5daac2e6e..868a604ffe5 100644 --- a/source/rpc_parse/parse_prs.c +++ b/source/rpc_parse/parse_prs.c @@ -644,7 +644,7 @@ BOOL prs_pointer( const char *name, prs_struct *ps, int depth, return True; if (UNMARSHALLING(ps)) { - if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) ) + if ( !(*data = PRS_ALLOC_MEM(ps, char, data_size)) ) return False; } diff --git a/source/rpc_parse/parse_sec.c b/source/rpc_parse/parse_sec.c index 76583605939..15c6d7f1657 100644 --- a/source/rpc_parse/parse_sec.c +++ b/source/rpc_parse/parse_sec.c @@ -147,13 +147,12 @@ BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth) return False; if (UNMARSHALLING(ps)) { - /* - * Even if the num_aces is zero, allocate memory as there's a difference - * between a non-present DACL (allow all access) and a DACL with no ACE's - * (allow no access). - */ - if((psa->aces = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL) - return False; + if (psa->num_aces) { + if((psa->aces = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL) + return False; + } else { + psa->aces = NULL; + } } for (i = 0; i < psa->num_aces; i++) { diff --git a/source/rpc_parse/parse_spoolss.c b/source/rpc_parse/parse_spoolss.c index ae82f9c1164..060b53f44a9 100644 --- a/source/rpc_parse/parse_spoolss.c +++ b/source/rpc_parse/parse_spoolss.c @@ -230,6 +230,10 @@ static BOOL smb_io_notify_option_type_data(const char *desc, SPOOL_NOTIFY_OPTION if (type->count2 != type->count) DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2)); + if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) { + return False; + } + /* parse the option type data */ for(i=0;i<type->count2;i++) if(!prs_uint16("fields",ps,depth,&type->fields[i])) |