Changeset 590 for trunk/server/librpc

Timestamp:

Jul 1, 2011, 8:40:10 AM (14 years ago)

Author:

Herwig Bauernfeind

Message:

Samba 3.5: Update trunk to 3.5.6

Location:

trunk/server/librpc

Files:

• gen_ndr/cli_epmapper.c (modified) (4 diffs)
• gen_ndr/cli_ntsvcs.c (modified) (4 diffs)
• gen_ndr/cli_winreg.c (modified) (6 diffs)
• ndr/libndr.h (modified) (1 diff)
• ndr/uuid.c (modified) (2 diffs)

trunk/server/librpc/gen_ndr/cli_epmapper.c

@@ -381 +381 @@
         *state->orig.out.entry_handle = *state->tmp.out.entry_handle;
         *state->orig.out.num_ents = *state->tmp.out.num_ents;
-        memcpy(state->orig.out.entries, state->tmp.out.entries, (state->tmp.in.max_ents) * sizeof(*state->orig.out.entries));
+        if ((*state->tmp.out.num_ents) > (state->tmp.in.max_ents)) {
+                tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                return;
+        }
+        memcpy(state->orig.out.entries, state->tmp.out.entries, (*state->tmp.out.num_ents) * sizeof(*state->orig.out.entries));
 
         /* Copy result */
@@ -454 +458 @@
         *entry_handle = *r.out.entry_handle;
         *num_ents = *r.out.num_ents;
-        memcpy(entries, r.out.entries, (r.in.max_ents) * sizeof(*entries));
+        if ((*r.out.num_ents) > (r.in.max_ents)) {
+                return NT_STATUS_INVALID_NETWORK_RESPONSE;
+        }
+        memcpy(entries, r.out.entries, (*r.out.num_ents) * sizeof(*entries));
 
         /* Return result */
@@ -550 +557 @@
         *state->orig.out.entry_handle = *state->tmp.out.entry_handle;
         *state->orig.out.num_towers = *state->tmp.out.num_towers;
-        memcpy(state->orig.out.towers, state->tmp.out.towers, (state->tmp.in.max_towers) * sizeof(*state->orig.out.towers));
+        if ((*state->tmp.out.num_towers) > (state->tmp.in.max_towers)) {
+                tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                return;
+        }
+        memcpy(state->orig.out.towers, state->tmp.out.towers, (*state->tmp.out.num_towers) * sizeof(*state->orig.out.towers));
 
         /* Copy result */
@@ -619 +630 @@
         *entry_handle = *r.out.entry_handle;
         *num_towers = *r.out.num_towers;
-        memcpy(towers, r.out.towers, (r.in.max_towers) * sizeof(*towers));
+        if ((*r.out.num_towers) > (r.in.max_towers)) {
+                return NT_STATUS_INVALID_NETWORK_RESPONSE;
+        }
+        memcpy(towers, r.out.towers, (*r.out.num_towers) * sizeof(*towers));
 
         /* Return result */

trunk/server/librpc/gen_ndr/cli_ntsvcs.c

@@ -1460 +1460 @@
 
         /* Copy out parameters */
-        memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.length) * sizeof(*state->orig.out.buffer));
+        if ((*state->tmp.out.length) > (*state->tmp.in.length)) {
+                tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                return;
+        }
+        memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.length) * sizeof(*state->orig.out.buffer));
         *state->orig.out.length = *state->tmp.out.length;
 
@@ -1526 +1530 @@
 
         /* Return variables */
-        memcpy(buffer, r.out.buffer, (*r.in.length) * sizeof(*buffer));
+        if ((*r.out.length) > (*r.in.length)) {
+                return NT_STATUS_INVALID_NETWORK_RESPONSE;
+        }
+        memcpy(buffer, r.out.buffer, (*r.out.length) * sizeof(*buffer));
         *length = *r.out.length;
 
@@ -1919 +1926 @@
         /* Copy out parameters */
         *state->orig.out.reg_data_type = *state->tmp.out.reg_data_type;
-        memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.buffer_size) * sizeof(*state->orig.out.buffer));
+        if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) {
+                tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                return;
+        }
+        memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer));
         *state->orig.out.buffer_size = *state->tmp.out.buffer_size;
         *state->orig.out.needed = *state->tmp.out.needed;
@@ -1993 +2004 @@
         /* Return variables */
         *reg_data_type = *r.out.reg_data_type;
-        memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer));
+        if ((*r.out.buffer_size) > (*r.in.buffer_size)) {
+                return NT_STATUS_INVALID_NETWORK_RESPONSE;
+        }
+        memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer));
         *buffer_size = *r.out.buffer_size;
         *needed = *r.out.needed;

trunk/server/librpc/gen_ndr/cli_winreg.c

@@ -1669 +1669 @@
         }
         if (state->orig.out.value && state->tmp.out.value) {
-                memcpy(state->orig.out.value, state->tmp.out.value, (*state->tmp.in.size) * sizeof(*state->orig.out.value));
+                if ((*state->tmp.out.size) > (*state->tmp.in.size)) {
+                        tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                        return;
+                }
+                if ((*state->tmp.out.length) > (*state->tmp.out.size)) {
+                        tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                        return;
+                }
+                memcpy(state->orig.out.value, state->tmp.out.value, (*state->tmp.out.length) * sizeof(*state->orig.out.value));
         }
         if (state->orig.out.size && state->tmp.out.size) {
@@ -1753 +1761 @@
         }
         if (value && r.out.value) {
-                memcpy(value, r.out.value, (*r.in.size) * sizeof(*value));
+                if ((*r.out.size) > (*r.in.size)) {
+                        return NT_STATUS_INVALID_NETWORK_RESPONSE;
+                }
+                if ((*r.out.length) > (*r.out.size)) {
+                        return NT_STATUS_INVALID_NETWORK_RESPONSE;
+                }
+                memcpy(value, r.out.value, (*r.out.length) * sizeof(*value));
         }
         if (size && r.out.size) {
@@ -2824 +2838 @@
         }
         if (state->orig.out.data && state->tmp.out.data) {
-                memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.in.data_size?*state->tmp.in.data_size:0) * sizeof(*state->orig.out.data));
+                if ((state->tmp.out.data_size?*state->tmp.out.data_size:0) > (state->tmp.in.data_size?*state->tmp.in.data_size:0)) {
+                        tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                        return;
+                }
+                if ((state->tmp.out.data_length?*state->tmp.out.data_length:0) > (state->tmp.out.data_size?*state->tmp.out.data_size:0)) {
+                        tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                        return;
+                }
+                memcpy(state->orig.out.data, state->tmp.out.data, (state->tmp.out.data_length?*state->tmp.out.data_length:0) * sizeof(*state->orig.out.data));
         }
         if (state->orig.out.data_size && state->tmp.out.data_size) {
@@ -2905 +2927 @@
         }
         if (data && r.out.data) {
-                memcpy(data, r.out.data, (r.in.data_size?*r.in.data_size:0) * sizeof(*data));
+                if ((r.out.data_size?*r.out.data_size:0) > (r.in.data_size?*r.in.data_size:0)) {
+                        return NT_STATUS_INVALID_NETWORK_RESPONSE;
+                }
+                if ((r.out.data_length?*r.out.data_length:0) > (r.out.data_size?*r.out.data_size:0)) {
+                        return NT_STATUS_INVALID_NETWORK_RESPONSE;
+                }
+                memcpy(data, r.out.data, (r.out.data_length?*r.out.data_length:0) * sizeof(*data));
         }
         if (data_size && r.out.data_size) {
@@ -4630 +4658 @@
         memcpy(state->orig.out.values, state->tmp.out.values, (state->tmp.in.num_values) * sizeof(*state->orig.out.values));
         if (state->orig.out.buffer && state->tmp.out.buffer) {
-                memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.in.buffer_size) * sizeof(*state->orig.out.buffer));
+                if ((*state->tmp.out.buffer_size) > (*state->tmp.in.buffer_size)) {
+                        tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                        return;
+                }
+                memcpy(state->orig.out.buffer, state->tmp.out.buffer, (*state->tmp.out.buffer_size) * sizeof(*state->orig.out.buffer));
         }
         *state->orig.out.buffer_size = *state->tmp.out.buffer_size;
@@ -4702 +4734 @@
         memcpy(values, r.out.values, (r.in.num_values) * sizeof(*values));
         if (buffer && r.out.buffer) {
-                memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer));
+                if ((*r.out.buffer_size) > (*r.in.buffer_size)) {
+                        return NT_STATUS_INVALID_NETWORK_RESPONSE;
+                }
+                memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer));
         }
         *buffer_size = *r.out.buffer_size;

trunk/server/librpc/ndr/libndr.h

@@ -544 +544 @@
 /* GUIDs */
 bool GUID_equal(const struct GUID *u1, const struct GUID *u2);
+NTSTATUS GUID_from_ndr_blob(const DATA_BLOB *b, struct GUID *guid);
 NTSTATUS GUID_from_data_blob(const DATA_BLOB *s, struct GUID *guid);
 NTSTATUS GUID_from_string(const char *s, struct GUID *guid);

trunk/server/librpc/ndr/uuid.c

@@ -26 +26 @@
 #include "librpc/gen_ndr/ndr_misc.h"
 
+
+/**
+  build a GUID from a NDR data blob
+*/
+_PUBLIC_ NTSTATUS GUID_from_ndr_blob(const DATA_BLOB *b, struct GUID *guid)
+{
+        enum ndr_err_code ndr_err;
+        TALLOC_CTX *mem_ctx;
+
+        mem_ctx = talloc_new(NULL);
+        NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+        ndr_err = ndr_pull_struct_blob_all(b, mem_ctx, NULL, guid,
+                                           (ndr_pull_flags_fn_t)ndr_pull_GUID);
+        talloc_free(mem_ctx);
+        return ndr_map_error2ntstatus(ndr_err);
+}
+
+
 /**
   build a GUID from a string
@@ -82 +101 @@
                 size_t rlen = strhex_to_str((char *)blob16.data, blob16.length,
                                             (const char *)s->data, s->length);
-                if (rlen == blob16.length) {
-                        /* goto the ndr_pull_struct_blob() path */
-                        status = NT_STATUS_OK;
-                        s = &blob16;
+                if (rlen != blob16.length) {
+                        return NT_STATUS_INVALID_PARAMETER;
                 }
+
+                s = &blob16;
+                return GUID_from_ndr_blob(s, guid);
         }
 
         if (s->length == 16) {
-                enum ndr_err_code ndr_err;
-                struct GUID guid2;
-                TALLOC_CTX *mem_ctx;
-
-                mem_ctx = talloc_new(NULL);
-                NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
-
-                ndr_err = ndr_pull_struct_blob(s, mem_ctx, NULL, &guid2,
-                                               (ndr_pull_flags_fn_t)ndr_pull_GUID);
-                talloc_free(mem_ctx);
-                if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-                        return ndr_map_error2ntstatus(ndr_err);
-                }
-                *guid = guid2;
-                return NT_STATUS_OK;
+                return GUID_from_ndr_blob(s, guid);
         }