sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-07-31 20:22:15 +03:00
Code Activity

Fixed bug I introduced last night (sorry). Now truncate incoming prs_struct

Browse Source 
buffer size to exact size of incoming data to prevent read overruns into slop
space.
Jeremy.
This commit is contained in:
Jeremy Allison
-
parent 83b787f57e
commit aa1a4f46da
3 changed files with 34 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
source/include/proto.h
View File

@ -2064,6 +2064,7 @@ BOOL prs_read(prs_struct *ps, int fd, size_t len, int timeout);
void prs_mem_free(prs_struct *ps);
void prs_give_memory(prs_struct *ps, char *buf, uint32 size, BOOL is_dynamic);
char *prs_take_memory(prs_struct *ps, uint32 *psize);
BOOL prs_set_buffer_size(prs_struct *ps, uint32 newsize);
BOOL prs_grow(prs_struct *ps, uint32 extra_space);
BOOL prs_force_grow(prs_struct *ps, uint32 extra_space);
char *prs_data_p(prs_struct *ps);

29
source/rpc_parse/parse_prs.c
View File

@ -153,6 +153,29 @@ char *prs_take_memory(prs_struct *ps, uint32 *psize)
return ret;
}
/*******************************************************************
Set a prs_struct to exactly a given size. Will grow or tuncate if neccessary.
********************************************************************/
BOOL prs_set_buffer_size(prs_struct *ps, uint32 newsize)
{
if (newsize > ps->buffer_size)
return prs_force_grow(ps, newsize - ps->buffer_size);
if (newsize < ps->buffer_size) {
char *new_data_p = Realloc(ps->data_p, newsize);
if (new_data_p == NULL) {
DEBUG(0,("prs_set_buffer_size: Realloc failure for size %u.\n",
(unsigned int)newsize));
return False;
}
ps->data_p = new_data_p;
ps->buffer_size = newsize;
}
return True;
}
/*******************************************************************
Attempt, if needed, to grow a data buffer.
Also depends on the data stream mode (io).
@ -300,7 +323,7 @@ BOOL prs_set_offset(prs_struct *ps, uint32 offset)
BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
{
if(!prs_force_grow(dst, prs_offset(src)))
if(!prs_grow(dst, prs_offset(src)))
return False;
memcpy(&dst->data_p[dst->data_offset], prs_data_p(src), (size_t)prs_offset(src));
@ -315,7 +338,7 @@ BOOL prs_append_prs_data(prs_struct *dst, prs_struct *src)
BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uint32 len)
{
if(!prs_force_grow(dst, len))
if(!prs_grow(dst, len))
return False;
memcpy(&dst->data_p[dst->data_offset], prs_data_p(src)+start, (size_t)len);
@ -330,7 +353,7 @@ BOOL prs_append_some_prs_data(prs_struct *dst, prs_struct *src, int32 start, uin
BOOL prs_append_data(prs_struct *dst, char *src, uint32 len)
{
if(!prs_force_grow(dst, len))
if(!prs_grow(dst, len))
return False;
memcpy(&dst->data_p[dst->data_offset], src, (size_t)len);

7
source/rpc_server/srv_pipe_hnd.c
View File

@ -475,6 +475,13 @@ authentication failed. Denying the request.\n", p->name));
* Call the rpc command to process it.
*/
/*
* Ensure the internal prs buffer size is *exactly* the same
* size as the current offset.
*/
prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data));
/*
* Set the parse offset to the start of the data and set the
* prs_struct to UNMARSHALL.