From cd49e2546ecc3d16dc2f89c07d48b98995ec5ff9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 7 Mar 2006 20:52:43 +0000
Subject: r13989: Fix for Coverity bug #45 and associated spoolss RPC_BUFFER problems. Ensure that if the parse succeeds on UNMARSHALL we have a valid (although possibly empty) RPC_BUFFER returned. Jeremy. (This used to be commit d319cc9c08bfa865a6431a8631a9c609f589be1f)
---
 source3/rpc_parse/parse_buffer.c | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/source3/rpc_parse/parse_buffer.c b/source3/rpc_parse/parse_buffer.c
index b2208096541..b8b2c2e9ea7 100644
--- a/source3/rpc_parse/parse_buffer.c
+++ b/source3/rpc_parse/parse_buffer.c
@@ -108,19 +108,34 @@ BOOL prs_rpcbuffer_p(const char *desc, prs_struct *ps, int depth, RPC_BUFFER **b
 	data_p = *buffer ? 0xf000baaa : 0;
-	if ( !prs_uint32("ptr", ps, depth, &data_p ))
+	if ( !prs_uint32("ptr", ps, depth, &data_p )) {
 		return False;
+	}
-	/* we're done if there is no data */
-
-	if ( !data_p )
-		return True;
-
+	/* We must always return a valid buffer pointer even if the client didn't send one - just leave it initialized to null. */
 	if ( UNMARSHALLING(ps) ) {
-		if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) )
+		if ( !(*buffer = PRS_ALLOC_MEM(ps, RPC_BUFFER, 1)) ) {
 			return False;
+		}
 	}
+	/* we're done if there is no data */
+
+	if (!data_p) {
+		if (UNMARSHALLING(ps)) {
+			RPC_BUFFER *pbuffer = *buffer;
+			/* On unmarshalling we must return a valid,
+			   but zero size value RPC_BUFFER. */
+			pbuffer->size = 0;
+			pbuffer->string_at_end = 0;
+			if (!prs_init(&pbuffer->prs, 0, prs_get_mem_context(ps), UNMARSHALL)) {
+				return False;
+			}
+		}
+		return True;
+	}
+
 	return prs_rpcbuffer( desc, ps, depth, *buffer);
 }
-- 
cgit
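Review bot: The comment added above the `if ( UNMARSHALLING(ps) )` block, "just leave it initialized to null", no longer describes what the new code does: when `data_p` is zero the new `if (!data_p)` branch explicitly sets `size` and `string_at_end` and calls `prs_init` on the freshly allocated RPC_BUFFER rather than leaving it as allocated. Suggest rewording it to `/* On UNMARSHALL we always allocate *buffer so callers get a non-NULL RPC_BUFFER; when the wire pointer is zero it is handed back below as an empty (size 0) buffer. */`. Note too that on unmarshalling `*buffer` is now overwritten unconditionally, so any caller that previously tested `*buffer == NULL` for "absent" must check `size == 0` instead; that contract belongs in the function's header comment, which lies outside this hunk (the function starts before line 108). Whether `PRS_ALLOC_MEM` zero-fills is not visible here, so the explicit field initialization in the empty case is what makes the returned buffer safe to read and should be kept even if the comment is shortened.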