1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00

Fixed bug where mallocd size of prs_struct could be larger than

incoming packet. Ensure new alloced memory is zeroed before use.
Jeremy.
This commit is contained in:
Jeremy Allison 0001-01-01 00:00:00 +00:00
parent def0da145a
commit 1c3193aa1c
2 changed files with 8 additions and 4 deletions

View File

@ -209,6 +209,8 @@ BOOL prs_grow(prs_struct *ps, uint32 extra_space)
(unsigned int)new_size));
return False;
}
memset(&new_data[ps->buffer_size], '\0', new_size - ps->buffer_size);
}
ps->buffer_size = new_size;
ps->data_p = new_data;
@ -239,6 +241,8 @@ BOOL prs_force_grow(prs_struct *ps, uint32 extra_space)
return False;
}
memset(&new_data[ps->buffer_size], '\0', new_size - ps->buffer_size);
ps->buffer_size = new_size;
ps->data_p = new_data;
@ -296,7 +300,7 @@ BOOL prs_set_offset(prs_struct *ps, uint32 offset)
BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
{
if(!prs_grow(dst, prs_offset(src)))
if(!prs_force_grow(dst, prs_offset(src)))
return False;
memcpy(&dst->data_p[dst->data_offset], prs_data_p(src), (size_t)prs_offset(src));
@ -311,7 +315,7 @@ BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uint32 len)
{
if(!prs_grow(dst, len))
if(!prs_force_grow(dst, len))
return False;
memcpy(&dst->data_p[dst->data_offset], prs_data_p(src)+start, (size_t)len);
@ -326,7 +330,7 @@ BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uin
BOOL prs_append_data(prs_struct *dst, char *src, uint32 len)
{
if(!prs_grow(dst, len))
if(!prs_force_grow(dst, len))
return False;
memcpy(&dst->data_p[dst->data_offset], src, (size_t)len);

View File

@ -110,7 +110,7 @@ BOOL create_next_pdu(pipes_struct *p)
p->hdr.flags = 0;
/*
* Work out how much we can fit in a sigle PDU.
* Work out how much we can fit in a single PDU.
*/
data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;