sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-12-05 12:23:50 +03:00
Code Activity

r22852: merge fixes for CVE-2007-2446 and CVE-2007-2447 to all branches

Browse Source
This commit is contained in:
Gerald Carter
2007-05-14 14:23:51 +00:00
committed by Gerald (Jerry) Carter
parent 34f77af02e
commit f65214be68
8 changed files with 218 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
source/rpc_parse/parse_lsa.c
View File

@@ -1356,12 +1356,17 @@ static BOOL lsa_io_trans_names(const char *desc, LSA_TRANS_NAME_ENUM *trn,
&trn->num_entries2))
return False;
if (trn->num_entries2 != trn->num_entries) {
/* RPC fault */
return False;
}
if (UNMARSHALLING(ps)) {
if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
return False;
}
if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
return False;
}
}
@@ -1413,12 +1418,17 @@ static BOOL lsa_io_trans_names2(const char *desc, LSA_TRANS_NAME_ENUM2 *trn,
&trn->num_entries2))
return False;
if (trn->num_entries2 != trn->num_entries) {
/* RPC fault */
return False;
}
if (UNMARSHALLING(ps)) {
if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) {
if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
return False;
}
if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
return False;
}
}
@@ -2771,7 +2781,7 @@ static BOOL lsa_io_luid_attr(const char *desc, LUID_ATTR *out, prs_struct *ps, i
static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth)
{
uint32 i;
uint32 i, dummy;
prs_debug(ps, depth, desc, "lsa_io_privilege_set");
depth++;
@@ -2779,7 +2789,7 @@ static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struc
if(!prs_align(ps))
return False;
if(!prs_uint32("count", ps, depth, &out->count))
if(!prs_uint32("count", ps, depth, &dummy))
return False;
if(!prs_uint32("control", ps, depth, &out->control))
return False;

2
source/rpc_parse/parse_prs.c
View File

@@ -644,7 +644,7 @@ BOOL prs_pointer( const char *name, prs_struct *ps, int depth,
return True;
if (UNMARSHALLING(ps)) {
if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) )
if ( !(*data = PRS_ALLOC_MEM(ps, char, data_size)) )
return False;
}

13
source/rpc_parse/parse_sec.c
View File

@@ -183,13 +183,12 @@ BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
return False;
if (UNMARSHALLING(ps)) {
/*
* Even if the num_aces is zero, allocate memory as there's a difference
* between a non-present DACL (allow all access) and a DACL with no ACE's
* (allow no access).
*/
if((psa->aces = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
return False;
if (psa->num_aces) {
if((psa->aces = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
return False;
} else {
psa->aces = NULL;
}
}
for (i = 0; i < psa->num_aces; i++) {

4
source/rpc_parse/parse_spoolss.c
View File

@@ -230,6 +230,10 @@ static BOOL smb_io_notify_option_type_data(const char *desc, SPOOL_NOTIFY_OPTION
if (type->count2 != type->count)
DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
return False;
}
/* parse the option type data */
for(i=0;i<type->count2;i++)
if(!prs_uint16("fields",ps,depth,&type->fields[i]))