From 33e13aabd3825c59d15dc897536e2ccf8c8f6d5e Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 21 Feb 2006 03:08:42 +0000
Subject: r13585: Sorry Gunther, had to revert this. It's got a buffer overrun. Spoke to Jerry about the correct fix. Will add this after. Jeremy.
---
 source/include/authdata.h | 2 +-
 source/libads/authdata.c | 14 +++++++++++---
 source/rpc_parse/parse_prs.c | 43 -------------------------------------------
 3 files changed, 12 insertions(+), 47 deletions(-)
diff --git a/source/include/authdata.h b/source/include/authdata.h
index 7e047687b7d..194429ab673 100644
--- a/source/include/authdata.h
+++ b/source/include/authdata.h
@@ -42,7 +42,7 @@ typedef struct pac_logon_name {
 NTTIME logon_time;
 uint16 len;
- fstring username;
+ uint16 *username; /* might not be null terminated, so not UNISTR */
 } PAC_LOGON_NAME;
 
 typedef struct pac_signature_data {
diff --git a/source/libads/authdata.c b/source/libads/authdata.c
index bb4236c4fcd..55e736ce6ae 100644
--- a/source/libads/authdata.c
+++ b/source/libads/authdata.c
@@ -42,7 +42,16 @@ static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name,
 if (!prs_uint16("len", ps, depth, &logon_name->len))
 return False;
 
- if (!prs_string_len("name", ps, depth, logon_name->username, logon_name->len))
+ if (UNMARSHALLING(ps) && logon_name->len) {
+ logon_name->username = PRS_ALLOC_MEM(ps, uint16, logon_name->len);
+ if (!logon_name->username) {
+ DEBUG(3, ("No memory available\n"));
+ return False;
+ }
+ }
+
+ if (!prs_uint16s(True, "name", ps, depth, logon_name->username,
+ (logon_name->len / sizeof(uint16))))
 return False;
 
 return True;
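Review bot: The comment on the new `username` field in authdata.h says the buffer may be unterminated but not how `len` is expressed or where the buffer comes from, and both are easy to get wrong for a raw `uint16 *`. From pac_io_logon_name in this same commit, `len` is a byte count (the element count handed to prs_uint16s is `len / sizeof(uint16)`) and the buffer is allocated with PRS_ALLOC_MEM while unmarshalling. I would extend the comment to `/* len bytes of UCS-2, not necessarily null terminated (so not UNISTR); allocated via PRS_ALLOC_MEM on unmarshalling */` so nobody treats `len` as a character count or hands the pointer to a terminator-scanning helper.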
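Review bot: An odd `logon_name->len` is accepted silently in pac_io_logon_name: `logon_name->len / sizeof(uint16)` rounds down, so the trailing byte is neither streamed nor skipped and the parse offset then lags the wire data by one byte for every field after the name. Reject it where the length is read, e.g. `if (logon_name->len % sizeof(uint16)) return False;` right after the `prs_uint16("len", ...)` call. The allocation also appears inconsistent with what is streamed: `PRS_ALLOC_MEM(ps, uint16, logon_name->len)` presumably takes an element count (its type argument suggests so; confirm against the macro), which reserves `len` uint16s for only `len / 2` streamed elements, so passing the same element count to both keeps allocation and read in step. The function's signature line lies before the hunk.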
@@ -882,8 +891,7 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) {
 nt_status = NT_STATUS_INVALID_PARAMETER;
 goto out;
 }
-
- rpcstr_pull(username, logon_name->username, sizeof(username), logon_name->len, 0);
+ rpcstr_pull(username, logon_name->username, sizeof(username), -1, STR_TERMINATE);
 
 ret = smb_krb5_parse_name_norealm(context, username, &client_principal_pac);
 if (ret) {
diff --git a/source/rpc_parse/parse_prs.c b/source/rpc_parse/parse_prs.c
index 857a24cf0e0..c4f9f512ab7 100644
--- a/source/rpc_parse/parse_prs.c
+++ b/source/rpc_parse/parse_prs.c
@@ -1332,49 +1332,6 @@ BOOL prs_string_alloc(const char *name, prs_struct *ps, int depth, const char **
 return True;
 }
 
-/*******************************************************************
- Stream a null-terminated string of fixed len.
- ********************************************************************/
-
-BOOL prs_string_len(const char *name, prs_struct *ps, int depth, char *str, int len)
-{
- char *q;
- int i;
- BOOL charmode = True;
-
- q = prs_mem_get(ps, len+1);
- if (q == NULL)
- return False;
-
- for(i = 0; i < len; i++) {
- if (UNMARSHALLING(ps))
- str[i] = q[i];
- else
- q[i] = str[i];
- }
-
- /* The terminating null. */
- str[i] = '\0';
-
- if (MARSHALLING(ps)) {
- q[i] = '\0';
- }
-
- ps->data_offset += len+1;
-
- DEBUG(5,("%s%04x %s: ", tab_depth(depth), ps->data_offset, name));
- if (charmode) {
- print_asc(5, (unsigned char*)str, len);
- } else {
- for (i = 0; i < len; i++)
- DEBUG(5,("%04x ", str[i]));
- }
- DEBUG(5,("\n"));
-
- return True;
-}
-
-
 /*******************************************************************
  prs_uint16 wrapper. Call this and it sets up a pointer to where the
  uint16 should be stored, or gets the size if reading.
-- cgit
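Review bot: The restored `rpcstr_pull(username, logon_name->username, sizeof(username), -1, STR_TERMINATE)` scans the source for a UCS-2 terminator, yet the header change in this same commit documents `username` as possibly not null terminated and pac_io_logon_name allocates it from `logon_name->len` with nothing appended, so a name that arrives without a terminator is read past its allocation before the destination bound stops anything. The source length is known here, so the pull should be bounded by it rather than by a terminator search, e.g. `rpcstr_pull(username, logon_name->username, sizeof(username), logon_name->len, 0);`, or pac_io_logon_name should allocate one extra zeroed uint16 so the terminator the call relies on is guaranteed. The commit message says a correct fix will follow; this call is the place it has to cover, and whichever side is fixed the allocation and the read need to agree on the same bound. The enclosing function starts and ends outside the hunk.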