samba-3.0.24-CVE-2007-2446_v2.patch [plain text]
Index: samba-3.0.24/source/include/smb_macros.h
===================================================================
--- samba-3.0.24.orig/source/include/smb_macros.h 2006-04-19 21:29:39.000000000 -0500
+++ samba-3.0.24/source/include/smb_macros.h 2007-05-25 12:40:05.000000000 -0500
@@ -310,7 +310,6 @@
#if defined(PARANOID_MALLOC_CHECKER)
#define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem_((ps),(size),1)
/* Get medieval on our ass about malloc.... */
@@ -354,7 +353,6 @@
#define __location__ __FILE__ ":" __LINESTR__
#define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem((ps),(size),1)
/* Regular malloc code. */
Index: samba-3.0.24/source/rpc_parse/parse_dfs.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_dfs.c 2007-02-04 12:59:22.000000000 -0600
+++ samba-3.0.24/source/rpc_parse/parse_dfs.c 2007-05-25 12:40:05.000000000 -0500
@@ -325,7 +325,9 @@
return False;
if (UNMARSHALLING(ps)) {
- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+ if (!v->stores)
+ return False;
}
for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -447,7 +449,9 @@
return False;
if (UNMARSHALLING(ps)) {
- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+ if (!v->stores)
+ return False;
}
for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -920,7 +924,9 @@
return False;
if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count);
+ if (!v->s)
+ return False;
}
for (i_s_1=0; i_s_1<v->count;i_s_1++) {
if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth))
@@ -986,7 +992,9 @@
return False;
if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count);
+ if (!v->s)
+ return False;
}
for (i_s_1=0; i_s_1<v->count;i_s_1++) {
if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth))
@@ -1052,7 +1060,9 @@
return False;
if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count);
+ if (!v->s)
+ return False;
}
for (i_s_1=0; i_s_1<v->count;i_s_1++) {
if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth))
@@ -1118,7 +1128,9 @@
return False;
if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count);
+ if (!v->s)
+ return False;
}
for (i_s_1=0; i_s_1<v->count;i_s_1++) {
if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth))
@@ -1184,7 +1196,9 @@
return False;
if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count);
+ if (!v->s)
+ return False;
}
for (i_s_1=0; i_s_1<v->count;i_s_1++) {
if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth))
@@ -1250,7 +1264,9 @@
return False;
if (UNMARSHALLING(ps)) {
- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count);
+ if (!v->s)
+ return False;
}
for (i_s_1=0; i_s_1<v->count;i_s_1++) {
if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth))
Index: samba-3.0.24/source/rpc_parse/parse_lsa.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_lsa.c 2007-02-04 12:59:22.000000000 -0600
+++ samba-3.0.24/source/rpc_parse/parse_lsa.c 2007-05-25 12:41:06.000000000 -0500
@@ -1171,7 +1171,7 @@
/* Mallocate memory if we're unpacking from the wire */
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && sen->num_entries) {
if ((sen->ptr_sid = PRS_ALLOC_MEM( ps, uint32, sen->num_entries)) == NULL) {
DEBUG(3, ("init_lsa_sid_enum(): out of memory for "
"ptr_sid\n"));
@@ -1349,12 +1349,17 @@
&trn->num_entries2))
return False;
- if (UNMARSHALLING(ps)) {
- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
+ if (trn->num_entries2 != trn->num_entries) {
+ /* RPC fault */
+ return False;
+ }
+
+ if (UNMARSHALLING(ps) && trn->num_entries2) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
return False;
}
- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
return False;
}
}
@@ -1406,12 +1411,17 @@
&trn->num_entries2))
return False;
- if (UNMARSHALLING(ps)) {
- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) {
+ if (trn->num_entries2 != trn->num_entries) {
+ /* RPC fault */
+ return False;
+ }
+
+ if (UNMARSHALLING(ps) && trn->num_entries2) {
+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
return False;
}
- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
return False;
}
}
@@ -1678,7 +1688,7 @@
return False;
}
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && out->num_entries2) {
if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID, out->num_entries2))
== NULL) {
DEBUG(3, ("lsa_io_r_lookup_names(): out of memory\n"));
@@ -1803,7 +1813,7 @@
return False;
}
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && out->num_entries2) {
if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID2, out->num_entries2))
== NULL) {
DEBUG(3, ("lsa_io_r_lookup_names2(): out of memory\n"));
@@ -1956,7 +1966,7 @@
return False;
}
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && out->num_entries2) {
if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2))
== NULL) {
DEBUG(3, ("lsa_io_r_lookup_names3(): out of memory\n"));
@@ -2085,7 +2095,7 @@
return False;
}
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && out->num_entries2) {
if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2))
== NULL) {
DEBUG(3, ("lsa_io_r_lookup_names4(): out of memory\n"));
@@ -2324,7 +2334,7 @@
if(!prs_uint32("count1", ps, depth, &out->count1))
return False;
- if (UNMARSHALLING(ps))
+ if (UNMARSHALLING(ps) && out->count1)
if (!(out->privs = PRS_ALLOC_MEM(ps, LSA_PRIV_ENTRY, out->count1)))
return False;
@@ -2759,7 +2769,7 @@
static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth)
{
- uint32 i;
+ uint32 i, dummy;
prs_debug(ps, depth, desc, "lsa_io_privilege_set");
depth++;
@@ -2767,7 +2777,7 @@
if(!prs_align(ps))
return False;
- if(!prs_uint32("count", ps, depth, &out->count))
+ if(!prs_uint32("count", ps, depth, &dummy))
return False;
if(!prs_uint32("control", ps, depth, &out->control))
return False;
@@ -3886,7 +3896,7 @@
prs_debug(ps, depth, desc, "smb_io_lsa_data_buf");
depth++;
- if ( UNMARSHALLING(ps) ) {
+ if ( UNMARSHALLING(ps) && length ) {
if ( !(buf->data = PRS_ALLOC_MEM( ps, uint8, length )) )
return False;
}
@@ -3900,7 +3910,7 @@
if (!prs_uint32("length", ps, depth, &buf->length))
return False;
- if(!prs_uint8s(False, "data", ps, depth, buf->data, size))
+ if(!prs_uint8s(False, "data", ps, depth, buf->data, length))
return False;
return True;
Index: samba-3.0.24/source/rpc_parse/parse_prs.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_prs.c 2007-02-04 12:59:22.000000000 -0600
+++ samba-3.0.24/source/rpc_parse/parse_prs.c 2007-05-25 12:41:06.000000000 -0500
@@ -156,7 +156,7 @@
{
char *ret = NULL;
- if (size) {
+ if (size && count) {
/* We can't call the type-safe version here. */
ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs");
}
@@ -642,9 +642,13 @@
return True;
if (UNMARSHALLING(ps)) {
- if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) )
- return False;
- }
+ if (data_size) {
+ if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
+ return False;
+ } else {
+ *data = NULL;
+ }
+ }
return prs_fn(name, ps, depth, *data);
}
@@ -1014,16 +1018,16 @@
if (q == NULL)
return False;
+ /* If the string is empty, we don't have anything to stream */
+ if (str->buf_len==0)
+ return True;
+
if (UNMARSHALLING(ps)) {
str->buffer = PRS_ALLOC_MEM(ps,uint16,str->buf_len);
if (str->buffer == NULL)
return False;
}
- /* If the string is empty, we don't have anything to stream */
- if (str->buf_len==0)
- return True;
-
p = (char *)str->buffer;
dbg_rw_punival(charmode, name, depth, ps, q, p, str->buf_len);
@@ -1053,6 +1057,8 @@
buf->buffer = PRS_ALLOC_MEM(ps, uint16, buf->buf_max_len);
if ( buf->buffer == NULL )
return False;
+ } else {
+ buf->buffer = NULL;
}
}
@@ -1080,9 +1086,13 @@
if (str->str_str_len > str->str_max_len) {
return False;
}
- str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
- if (str->buffer == NULL)
- return False;
+ if (str->str_max_len) {
+ str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
+ if (str->buffer == NULL)
+ return False;
+ } else {
+ str->buffer = NULL;
+ }
}
if (UNMARSHALLING(ps)) {
@@ -1127,9 +1137,13 @@
if (str->uni_str_len > str->uni_max_len) {
return False;
}
- str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
- if (str->buffer == NULL)
- return False;
+ if (str->uni_max_len) {
+ str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
+ if (str->buffer == NULL)
+ return False;
+ } else {
+ str->buffer = NULL;
+ }
}
p = (char *)str->buffer;
@@ -1154,9 +1168,13 @@
return False;
if (UNMARSHALLING(ps)) {
- str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
- if (str->str.buffer == NULL)
- return False;
+ if (str->uni_str_len) {
+ str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
+ if (str->str.buffer == NULL)
+ return False;
+ } else {
+ str->str.buffer = NULL;
+ }
}
p = (char *)str->str.buffer;
Index: samba-3.0.24/source/rpc_parse/parse_sec.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_sec.c 2005-04-18 11:38:20.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_sec.c 2007-05-25 12:40:05.000000000 -0500
@@ -122,7 +122,7 @@
for you as it reads them.
********************************************************************/
-BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
+static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
{
unsigned int i;
uint32 old_offset;
@@ -165,13 +165,10 @@
return False;
if (UNMARSHALLING(ps)) {
- /*
- * Even if the num_aces is zero, allocate memory as there's a difference
- * between a non-present DACL (allow all access) and a DACL with no ACE's
- * (allow no access).
- */
- if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
- return False;
+ if (psa->num_aces) {
+ if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
+ return False;
+ }
}
for (i = 0; i < psa->num_aces; i++) {
Index: samba-3.0.24/source/rpc_parse/parse_spoolss.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_spoolss.c 2007-02-04 12:59:22.000000000 -0600
+++ samba-3.0.24/source/rpc_parse/parse_spoolss.c 2007-05-25 12:41:06.000000000 -0500
@@ -227,8 +227,13 @@
if(!prs_uint32("count2", ps, depth, &type->count2))
return False;
- if (type->count2 != type->count)
+ if (type->count2 != type->count) {
DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
+ return False;
+ }
+ if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
+ return False;
+ }
/* parse the option type data */
for(i=0;i<type->count2;i++)
@@ -252,7 +257,7 @@
return False;
/* reading */
- if (UNMARSHALLING(ps))
+ if (UNMARSHALLING(ps) && ctr->count)
if((ctr->type=PRS_ALLOC_MEM(ps,SPOOL_NOTIFY_OPTION_TYPE,ctr->count)) == NULL)
return False;
@@ -411,7 +416,7 @@
if(!prs_uint32("string length", ps, depth, &data->notify_data.data.length))
return False;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && data->notify_data.data.length) {
data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16,
data->notify_data.data.length);
@@ -430,7 +435,7 @@
case NOTIFY_POINTER:
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && data->notify_data.data.length) {
data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16,
data->notify_data.data.length);
@@ -490,9 +495,13 @@
/* Tallocate memory for string */
- data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2);
- if (!data->notify_data.data.string)
- return False;
+ if (x) {
+ data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2);
+ if (!data->notify_data.data.string)
+ return False;
+ } else {
+ data->notify_data.data.string = NULL;
+ }
if(!prs_uint16uni(True,"string",ps,depth,data->notify_data.data.string,x))
return False;
@@ -5931,14 +5940,14 @@
case REG_BINARY:
case REG_DWORD:
case REG_MULTI_SZ:
- if (q_u->max_len) {
- if (UNMARSHALLING(ps))
- q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len);
- if(q_u->data == NULL)
- return False;
- if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len))
- return False;
- }
+ if (q_u->max_len) {
+ if (UNMARSHALLING(ps))
+ q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len);
+ if(q_u->data == NULL)
+ return False;
+ if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len))
+ return False;
+ }
if(!prs_align(ps))
return False;
break;
@@ -6956,7 +6965,7 @@
/* first loop to write basic enum_value information */
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && ctr->size_of_array) {
ctr->values = PRS_ALLOC_MEM(ps, PRINTER_ENUM_VALUES, ctr->size_of_array);
if (!ctr->values)
return False;
Index: samba-3.0.24/source/libads/authdata.c
===================================================================
--- samba-3.0.24.orig/source/libads/authdata.c 2006-02-23 10:29:34.000000000 -0600
+++ samba-3.0.24/source/libads/authdata.c 2007-05-25 12:41:06.000000000 -0500
@@ -120,10 +120,14 @@
return False;
if (UNMARSHALLING(ps)) {
- array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num);
- if (!array->krb_sid_and_attrs) {
- DEBUG(3, ("No memory available\n"));
- return False;
+ if (num) {
+ array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num);
+ if (!array->krb_sid_and_attrs) {
+ DEBUG(3, ("No memory available\n"));
+ return False;
+ }
+ } else {
+ array->krb_sid_and_attrs = NULL;
}
}
@@ -184,10 +188,14 @@
return False;
if (UNMARSHALLING(ps)) {
- array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num);
- if (!array->group_membership) {
- DEBUG(3, ("No memory available\n"));
- return False;
+ if (num) {
+ array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num);
+ if (!array->group_membership) {
+ DEBUG(3, ("No memory available\n"));
+ return False;
+ }
+ } else {
+ array->group_membership = NULL;
}
}
@@ -456,10 +464,14 @@
return False;
if (UNMARSHALLING(ps) && length) {
- data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen);
- if (!data->signature.buffer) {
- DEBUG(3, ("No memory available\n"));
- return False;
+ if (siglen) {
+ data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen);
+ if (!data->signature.buffer) {
+ DEBUG(3, ("No memory available\n"));
+ return False;
+ }
+ } else {
+ data->signature.buffer = NULL;
}
}
Index: samba-3.0.24/source/registry/regfio.c
===================================================================
--- samba-3.0.24.orig/source/registry/regfio.c 2007-02-04 12:59:26.000000000 -0600
+++ samba-3.0.24/source/registry/regfio.c 2007-05-25 12:41:06.000000000 -0500
@@ -642,8 +642,12 @@
return False;
if ( UNMARSHALLING(&hbin->ps) ) {
- if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) )
- return False;
+ if (lf->num_keys) {
+ if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) )
+ return False;
+ } else {
+ lf->hashes = NULL;
+ }
}
for ( i=0; i<lf->num_keys; i++ ) {
Index: samba-3.0.24/source/rpc_parse/parse_net.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_net.c 2007-02-04 12:59:22.000000000 -0600
+++ samba-3.0.24/source/rpc_parse/parse_net.c 2007-05-25 12:41:06.000000000 -0500
@@ -1721,9 +1721,13 @@
}
if (UNMARSHALLING(ps)) {
- usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups);
- if (usr->gids == NULL)
- return False;
+ if (usr->num_groups) {
+ usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups);
+ if (usr->gids == NULL)
+ return False;
+ } else {
+ usr->gids = NULL;
+ }
}
for (i = 0; i < usr->num_groups; i++) {
@@ -1756,10 +1760,15 @@
return False;
if (UNMARSHALLING(ps)) {
- usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids);
- usr->other_sids_attrib =
- PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids);
-
+ if (usr->num_other_sids) {
+ usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids);
+ usr->other_sids_attrib =
+ PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids);
+ } else {
+ usr->other_sids = NULL;
+ usr->other_sids_attrib = NULL;
+ }
+
if ((num_other_sids != 0) &&
((usr->other_sids == NULL) ||
(usr->other_sids_attrib == NULL)))
Index: samba-3.0.24/source/rpc_parse/parse_samr.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_samr.c 2007-02-04 12:59:22.000000000 -0600
+++ samba-3.0.24/source/rpc_parse/parse_samr.c 2007-05-25 12:41:06.000000000 -0500
@@ -3337,7 +3337,7 @@
if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3))
return False;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && r_u->num_entries2) {
r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2);
r_u->uni_dom_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2);
}
@@ -3476,7 +3476,7 @@
if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3))
return False;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && r_u->num_entries2) {
r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2);
r_u->uni_grp_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2);
}
@@ -4980,12 +4980,13 @@
return False;
}
- if (UNMARSHALLING(ps))
+ if (UNMARSHALLING(ps) && r_u->num_rids2) {
r_u->rids = PRS_ALLOC_MEM(ps, uint32, r_u->num_rids2);
- if (!r_u->rids) {
- DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n"));
- return False;
+ if (!r_u->rids) {
+ DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n"));
+ return False;
+ }
}
for (i = 0; i < r_u->num_rids2; i++) {
@@ -5009,12 +5010,13 @@
return False;
}
- if (UNMARSHALLING(ps))
+ if (UNMARSHALLING(ps) && r_u->num_types2) {
r_u->types = PRS_ALLOC_MEM(ps, uint32, r_u->num_types2);
- if (!r_u->types) {
- DEBUG(0, ("NULL types in samr_io_r_lookup_names\n"));
- return False;
+ if (!r_u->types) {
+ DEBUG(0, ("NULL types in samr_io_r_lookup_names\n"));
+ return False;
+ }
}
for (i = 0; i < r_u->num_types2; i++) {
Index: samba-3.0.24/source/rpc_parse/parse_srv.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_srv.c 2005-04-18 11:38:20.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_srv.c 2007-05-25 12:41:06.000000000 -0500
@@ -782,7 +782,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info0 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_0, num_entries)))
return False;
ctr->share.info0 = info0;
@@ -808,7 +808,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info1 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_1, num_entries)))
return False;
ctr->share.info1 = info1;
@@ -834,7 +834,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info2 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_2,num_entries)))
return False;
ctr->share.info2 = info2;
@@ -859,7 +859,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info501 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_501, num_entries)))
return False;
ctr->share.info501 = info501;
@@ -884,7 +884,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info502 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_502,num_entries)))
return False;
ctr->share.info502 = info502;
@@ -910,7 +910,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info1004 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1004,num_entries)))
return False;
ctr->share.info1004 = info1004;
@@ -936,7 +936,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info1005 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1005,num_entries)))
return False;
ctr->share.info1005 = info1005;
@@ -956,7 +956,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info1006 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1006,num_entries)))
return False;
ctr->share.info1006 = info1006;
@@ -976,7 +976,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info1007 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1007,num_entries)))
return False;
ctr->share.info1007 = info1007;
@@ -1002,7 +1002,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info1501 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1501,num_entries)))
return False;
ctr->share.info1501 = info1501;
@@ -2558,7 +2558,7 @@
int num_entries = ctr->num_entries;
int i;
- if (UNMARSHALLING(ps)) {
+ if (UNMARSHALLING(ps) && num_entries) {
if (!(info3 = PRS_ALLOC_MEM(ps, SRV_FILE_INFO_3, num_entries)))
return False;
ctr->file.info3 = info3;
@@ -3377,7 +3377,7 @@
r_n->disk_enum_ctr.entries_read = entries_read3;
- if(UNMARSHALLING(ps)) {
+ if(UNMARSHALLING(ps) && entries_read3) {
DISK_INFO *dinfo;
@@ -3386,7 +3386,7 @@
r_n->disk_enum_ctr.disk_info = dinfo;
}
- for(i=0; i < r_n->disk_enum_ctr.entries_read; i++) {
+ for(i=0; i < entries_read3; i++) {
if(!prs_uint32("unknown", ps, depth, &r_n->disk_enum_ctr.disk_info[i].unknown))
return False;